I just got AT&T U-verse, which delivers Internet, TV (IPTV), and phone service (VOIP) to the home; all this over one pair of copper from the VRAD. My upgrades to the service include HD TV, DVR, and a static IP block for my servers. The device that they provided me with, a 2Wire 3300HGV-B (“Residential Gateway”) is responsible for a lot:
- TV: Broadcasting TV using IPTV set-top boxes
- Phone: Providing VOIP phone service to the plain-old-telephones in the home
- Routing public (static) IP traffic to the public IP machines
- NATing Internet for the “private” computers

Fiber-to-the-Node

AT&T primarily uses optical fiber as the data pipeline for all of these services to the neighborhood. There, it feeds into a VRAD that connects subscribing households using VDSL over copper. When fiber is used to reach a neighborhood and copper is used to reach a home, it is called fiber-to-the-node, or FTTN.
What made this setup interesting to me (from a networking perspective) was that it forced me to compromise on keeping my private network separate from my public network…
Typical Network
This first diagram, below, represents how I would typically set up a small network.

Just as most people do, I have my workstations behind a typical residential gateway (viz., a “wireless router”). What’s just a bit atypical is that I have two servers that each have two network interfaces and participate in both the Internet and intranet networks.
Because all devices that participate in both networks are smart enough (they operate on the third network layer or above), a packet never makes it from one network to the other unless it needs to, which is pretty much only when a workstation is communicating with the Internet (through the residential gateway).
Thus, the Internet subnetwork and intranet subnetwork are on different broadcast domains. Anything broadcast onto the intranet (whether a workstation or server), such as an ARP request, will only be heard by the other devices on the intranet.

back of the 2Wire 3800HGV-B
Two Networks on One LAN
Things got a bit more complicated when I got AT&T’s U-verse. The key difference that this Residential Gateway introduced is that it joined my two networks into one broadcast domain. This is because the Gateway’s internal network interface has an intranet IP address, 10.0.0.1/24, so that it can send IPTV to the private network TV set-top-boxes that are hooked up via Ethernet, and the Gateway is routing the public IP addresses (“a.b.c.x”) for the servers, so the Gateway’s internal network interface also has an IP address of a.b.c.7.

So, the Gateway is participating on both networks on one interface (technically, on two ports of its built-in layer-2 switch). Now, all devices, whether public or private, are able to communicate with each other. They usually ignore each other, but they will all hear broadcasts from any device. For example, if Workstation1 sends out a broadcast packet (such as an ARP request), it will reach the Linux server on both its Internet and intranet interfaces (because the Gateway’s built-in switch will send it out to all attached networks). This, itself, is not usually a problem …
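To make the difference between the two layouts concrete, here is an added simulation (my own illustration, not code from the original post). It models a layer-2 switch that floods broadcasts to every port regardless of IP subnet, builds both topologies with hypothetical host names (Workstation1, LinuxServer, Gateway), and then applies the check a server administrator would want: a broadcast arriving on an interface from a sender outside that interface's subnet means another subnet is sharing the broadcast domain. The public block 203.0.113.0/29 is a constructed stand-in for the post's a.b.c.x.

```python
import ipaddress


class Switch:
    """Layer-2 switch: a broadcast frame is flooded to every other port,
    with no regard for which IP subnet the attached interface belongs to."""

    def __init__(self, name):
        self.name = name
        self.ports = []  # list of (host_name, ifname)

    def attach(self, host, ifname):
        self.ports.append((host.name, ifname))

    def flood(self, src_port, frame):
        return [(h, i, frame) for (h, i) in self.ports if (h, i) != src_port]


class Host:
    def __init__(self, name):
        self.name = name
        self.ifaces = {}  # ifname -> (IPv4Interface, Switch it is plugged into)

    def add_iface(self, ifname, cidr, switch):
        self.ifaces[ifname] = (ipaddress.ip_interface(cidr), switch)
        switch.attach(self, ifname)


def arp_request(host, ifname, target_ip):
    """Send an ARP who-has from one interface; return every (host, iface, frame)
    that hears it. Only the switch the sending interface is on floods it."""
    iface, switch = host.ifaces[ifname]
    frame = {"type": "ARP", "sender_ip": iface.ip,
             "target_ip": ipaddress.ip_address(target_ip)}
    return switch.flood((host.name, ifname), frame)


def build_topology(single_switch):
    """Hypothetical topology modelled on the post. single_switch=False is the
    'typical' layout (separate Internet and intranet segments); True is the
    U-verse layout where the Gateway's built-in switch joins both."""
    hosts = {}
    if single_switch:
        intranet = internet = Switch("gateway-switch")
    else:
        intranet, internet = Switch("intranet"), Switch("internet")

    ws = hosts["Workstation1"] = Host("Workstation1")
    ws.add_iface("eth0", "10.0.0.20/24", intranet)

    srv = hosts["LinuxServer"] = Host("LinuxServer")
    srv.add_iface("eth0", "203.0.113.2/29", internet)  # public-side interface
    srv.add_iface("eth1", "10.0.0.10/24", intranet)    # private-side interface

    gw = hosts["Gateway"] = Host("Gateway")
    gw.add_iface("lan", "10.0.0.1/24", intranet)
    if not single_switch:
        # Typical gateway: a distinct WAN port faces the Internet segment.
        gw.add_iface("wan", "203.0.113.1/29", internet)
    # In the single-switch case the same LAN interface also carries the
    # public a.b.c.7 address; it does not change what the switch floods.
    return hosts


def cross_subnet_broadcasts(hosts, heard):
    """Defender's check: flag any broadcast heard on an interface whose subnet
    does not contain the sender's IP. Each hit is a sign that a foreign subnet
    shares this interface's broadcast domain."""
    flagged = []
    for hname, ifname, frame in heard:
        iface, _ = hosts[hname].ifaces[ifname]
        if frame["sender_ip"] not in iface.network:
            flagged.append((hname, ifname, str(frame["sender_ip"])))
    return flagged


def run(single_switch):
    """Workstation1 ARPs for the server's intranet address; return which
    interfaces heard it and which of those hearings cross a subnet boundary."""
    hosts = build_topology(single_switch)
    heard = arp_request(hosts["Workstation1"], "eth0", "10.0.0.10")
    return sorted((h, i) for h, i, _ in heard), cross_subnet_broadcasts(hosts, heard)


if __name__ == "__main__":
    for label, single in (("typical", False), ("u-verse", True)):
        listeners, flagged = run(single)
        print(label, "heard by:", listeners, "cross-subnet:", flagged)
```

In the typical layout the ARP request reaches only intranet ports, so nothing is flagged; in the single-switch layout the server's public interface also hears the 10.0.0.20 sender, and that is exactly the kind of frame a host-level packet filter or a monitoring rule on the public interface can watch for. The same check maps directly onto real tcpdump output on the public interface: any ARP sender address from the private block there confirms the shared broadcast domain.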
