Help with AT&T Uverse Static IP addresses

How "static" does this have to be?  Can a ten minute timeout be tolerated?  If so, you might look into dynamic DNS.  Buy a domain name (any will do) and run a dynamic DNS client on one of the machines inside the LAN.  Have the VPNs connect by domain name instead of by IP address.  Cost, $10 a year.

So, if he has the static IP, he can set his VPN up just using the actual IPs. However...

AT&T can give you a static IP, but they will not resolve the DNS lookup because I do not believe AT&T will act as your DNS authority. Once they give you the static IP, they would need to know what name that should point to it. I do not believe they offer that service unless you have a business account.

However, you can go to whomever you registered the name with and point the DNS authority there to any DNS provider that will manage your IP and name.  In fact, they may manage it for you for free. Since you IP is fixed, that is not an issue. And DYN.com does that as well with their Managed DNS service.

However, I agree with the comment above, skip paying for the static addresses. You do not need them. Use DYN.com and a small piece of free software on your computer. The url has the form of hostname.dyndns.org. (You have a lot of different names to choose from as well.) The small piece of software will watch your current IP address, and update DYN.com with any IP changes so that hostname.dyndns.org always points to the machine you want it to.

And I do not believe it even takes 10 minutes to update on an IP change actually. Since dyndns.org never changes, and since DNS queries of that form (hostname.dyndns.org)  always go to dyndns.org to resolve, they come back almost immediately since it knows when it changes.  It is indeed cheap in cost, and works extremely well. Many routers also have support for this built in and will send the updates for you.

Assuming the other end is the "office" and is static, that may be sufficient.

I have a dynamic IP from my ISP and it changes every 2 or 3 years. I treat it as static and change my site to site tunnels when needs be.

This actually works very well.

I agree John, I do not think my AT&T IP ever changed, and the newer ATT fiber IP is also not changing (yet).  But for $10 a year, DYNDNS will keep it up to date just in case. I did see one change after a long power failure, and dyndns pointed to the right place for me. A cheap solution and it works.

Clarification:  It is correct that a DNS update through the DNS system does not take 10 minutes.  However, if your dynamic IP changes due to a drop and shift at the DSL/cable/fiber modem, the new IP won't be detected and updated until the next time the DDNS client runs on a host inside the LAN.

So if the DDNS client runs every 10 minutes, there's a potential 10 minute "white-out."  Setting the DDNS client to run every minute will alleviate this.  Note, however, that there must be a system inside the LAN running the DDNS client 24/7/365.  If you don't have an always-on system, then something like an HP T5740 thin client running linux with ddclient will take care of this for about $20.

Ah, I understand what you mean. Thanks for the clarification.  My DYNDNS was handled by my Cisco Router, and it updated when it detected a change.

There's no real point in having static IPs for VPNs. In fact, this causes problems.

Every time you move your computer to a new location, then your VPN will break.

I run a VPN on one laptop I use, so when I travel all connections are secure.

At no point is there ever a static IP in play. Not my end or the VPN out drop IP.

All IPs rotate.

Using static IPs with a VPN defeats one of the primary reasons of having a VPN.

Static IPs can be tracked in all sorts of ways.

If you're concern is security, you'll never use a static IP... ever...

Well I’m not really into security thru obscurity.  I need the static IP address to do hardware to hardware vpn.  Not just a vpn client on a pc.  I’m not sure if the hardware supports dyndns but I’ll check.  I’m still really curious more about why they aren’t giving him a single static External IP. Or if that can be configured or not.

I think you missed the meaning. You can do hardware to hardware VPN without the static IP.

Anyway, AT&T supplies static IP addresses as so:

Number of static IP addresses available:

Block Sizes
Total Block Size      Usable Addresses
           8                                 5
          16                              13
          32                              29
          64                              61

I have no idea what size block you bought, but it looks like just one is not what they do. But even if you bought an 8 block, you can assign one to your router, and then use the router just like you always did with DHCP behind it. Or, you can pass through some of those static addresses into your network as well it seems.

So if you want it the old way with a single address, just assign one static IP to your router and ignore the rest, and use DHCP inside the LAN as usual.

I need the static IP address to do hardware to hardware vpn.      <-- As noted earlier, one end static and the other end DHCP works fine. I have been doing this for years now. The DHCP end changes so rarely (once in the last five years) that it is not a problem.

Static ip is preferred for ipsec vpns. Especially if this vpn's availability is crucial.  Depending on the hope that the isp doesn't change the dynamic ip is a gamble.

Anyway, as someone stated, your friend needs to assign one of he public ip's to their router.
Configure a default route to the gateway of the address block provided by ATT.
Then ensure the router is configured to NAT overload the internal ip's out to the internet.

I appreciate the comments.  I think a lot of this is going to depend on how much or how easily the router can be configured without AT&T who prove useless. I’m going to look at it next week for him.

Anyone know why the public IP address is showing up as something completely different when he’s checking it on whatsmyip?

If you use a VPN router (I use Cisco RVxx) and put the ATT box in Bridge Mode (ask them) so that you can configure the external IP address in your VPN router, it will work - static or infrequently changing dynamic, IPsec or other should all work.

If you need help, I have the latest AT&T router here at my house.  If it is the same one, I can help you set up those settings failry quickly I would think:

Here is what I have:
Manufacturer      ARRIS
Model Number      BGW210-700
Serial Number      272875384169152
Software Version      1.6.9

Thanks but It’s a pace5268ac.

I still can walk you through what you need to do (as can others here) but you will have to find the right menus on your router.

First thing I’ve learned is that this router doesn’t have a true ‘bridge’ mode but apparently you can put additional routers behind it in a DMZ that works for most.

A lot of AT&T routers allow you to assign the public IP address to a device behind the router. They don't call it bridging but it allows the router behind to have your external address and it can handle your network. In this mode, you AT&T router's WiFi will now be OUTSIDE your LAN, which is not bad if you want to use it as a guest network.

In order to get this vpn router working behind the AT&T router i guess I need to shut off dhcp on the AT&T and put the vpn router in the att dmz.  Assign the public IP to an interface on the VPN router connecting to the AT&T.  Have the vpn dish out dhcp.  No idea how the WiFi from the att will behave

I am not sure. On my current AT&T router, I use "passthrough" to send the external address to my Cisco router. BUT, I leave DHCP on on the AT&T router for that Wifi. Guests can connect to that WiFi, get a DHCP address, but cannot get into the full LAN. If you need them on the full LAN, you can always give them the WiFi that is inside you LAN. It was kind of a free DMZ the way they set it up.

So see if you Pace has IP Passthrough, and if so, you may be OK.

I went out there today and looked at the router settings and it seemed to be a huge mess.   They even claim to be having issues with their TV service since switching to static ... which is odd...  To keep things simple per others suggestions, we're going to move it back to a dynamic ip and ill either manually change it every few months or give dyndns a try if the vpn router will support it.

Try that with the dynamic address. If need be you can reset the router also

DYN.org will help,you with this, and I’m happy to walk you through it if needed, I have done it too many times now. Good luck.

Got this working ok with the dynamic IP on one end.  Might leave it like this, might dig into using dyn.org if it changes more than a few times a year.

If the IP only changes infrequently , you are good to go

The only time I see an IP change is if the ATT router gets powered off for a period of time. Because of this, I felt a $55 dyn.com dyndns account was a small investment to be sure I could always successfully get back to my system after a power fail. Just something to consider.

So while this works and after a few weeks the IP hasn't changed yet, the VPN keeps 'breaking'.  I can't figure out why exactly, but rebooting the ATT router resolves the issue.  IT seems to break about every 3-4 days.  The VPN is the only thing breaking - other internet activity seems to go on normally.  It might make more sense to open a new question but thought I'd post here just in case.

I have had a hard time keeping VPNs running full time on home networks. Best just to set it up to redial as soon as possible and reconnect. If only once every 3 to 4 days, should be a small impact I would think.

Or, maybe you can just set it up to redial at a certain time every day, say midnight, so it "breaks" at a time of your choosing.

I think I now understand what you're trying to accomplish.

You requires a static IP which remains static even when your ISP assigns you a new IP (common during DHCP lease renewal) + anytime your take your machine away from your home or whenever you change ISP companies.

What you require is a public server which will have a static IP, then run your own private VPN bouncing through your public server IP.

This way your IP will remain static forever, independent of any other factor.

You won't require very much horsepower for this, so likely a $5/month KimSufi dedicated server will work.

Tip: On your KimSufi machine, install Ubuntu Bionic. On your local machine install Ubuntu Bionic. Setup of Ubuntu <-> Ubuntu VPNs is trivial. Then run VirtualBox on your local machine for any Windows Apps you must run.