NAT Problem with AT&T u-Verse Modem

I have u-Verse through a Pace 5031NV-030 modem. Sometimes I swap out routers to test one function or another. This always means that I have to log in to the Pace at and set the new router as the DMZ (Settings > Firewall > Applications, Pinholes and DMZ). (Tip:  connect a separate computer directly to one of the Pace switch ports to access

Today, a very strange problem surfaced. Two of my SIP devices (one phone, one PBX) could not register. I used this command to trace the SIP packets at no the WAN side of my UniFi USG router:

sudo tcpdump port 5060 -i eth0 -n -v

I saw SIP REGISTER packets going out and the expected 401 challenge coming back. However the 401 packets were flagged to go to IP address, which is NOT on my local network. Here is a typical header:

13:15:57.430875 IP (tos 0x0, ttl 49, id 51126, offset 0, flags [none], proto UDP (17), length 606) > [udp sum ok] SIP, length: 578
SIP/2.0 401 Unauthorized

I couldn’t find any reference to in the routing tables of the USG (show nat translations or sudo conntrack –L). Where could that be coming from?

I finally decided to check the Pace modem. To my surprise, the bottom of the Home page shows that my Tomato router is “active” even though it is no longer connected (and hasn’t been for days):

u-Verse NAT 1

Settings > LAN > LAN IP Address Allocation shows that the Tomato “has” an address assignment in the range:

u-Verse NAT 2

I don’t see a way to check DHCP allocation, but the management computer that I attached today got, so it stands to reason that is assigned to the disconnected Tomato. I have rebooted the Pace modem since disconnecting the Tomato router but still it persists. Somehow the modem is screwing up the NAT and sending packets to the USG (the DMZ device) but with the target address of the Tomato. In fact, under Diagnostics > NAT, I see the associated with the remote SIP host I am trying to reach:

u-Verse NAT 3

In an attempt to make the modem forget the Tomato router (and stop using the address), I went to Settings > LAN > Status, scrolled down to Device List, and clicked Clear List.

u-Verse NAT 4

After that, the Tomato was gone; only the USG and the computer I’m working from are still showing as attached:

u-Verse NAT 5

At this point, packets were still being forwarded to, so I rebooted the Pace modem.

After the reboot, the 401 challenge packets were coming back targeting What? Okay, let’s disable the DMZ in the Pace, then use this command in the USG to pull a new address:

renew dhcp interface eth0
Now show interfaces on the USG shows the WAN port, eth0, with IP

Back on the Pace modem, re-assign DMZPlus to the USG. Renew the lease on the USG again. Now eth0 is back to the public IP as expected. But packets are still being directed to the non-existent

Rebooted the Pace modem again. Hmm… On the router’s WAN port, the 401 to the phone is now correctly targeting the external IP address:

14:51:41.562575 IP (tos 0x0, ttl 50, id 58380, offset 0, flags [none], proto UDP (17), length 593) > 162.199.x.x.1027: [udp sum ok] SIP, length: 565
SIP/2.0 401 Unauthorized

But the 401 to the PBX is back to targeting Is this a DHCP lease that will expire in 24 hours (the Pace’s lease default). I guess I’ll wait and see.

One more test:  back on the Pace, under Settings > Diagnostics > Resets, in quick succession I cleared the device list, rebooted the modem, and disconnected the network cable from the computer I’ve been using for management. Now only the USG is attached.

u-Verse NAT 6

I renewed the eth0 lease on the USG. Great, now the PBX is registered but the 401 packets to the phone are directed to Both the PBX and the phone are trying to register to the same SIP provider on port 5060. Is the modem unable to handle that?

Update September 4, 2018

Did a factory reset on the Pace modem today. Good news is that I no longer see the 401 packets coming back to an IP like Bad news is that I don’t see them coming back at all; neither my phone nor my PBX will register now.

Update September 5, 2018

Last night, I power-cycled the USG router and left. This morning, both the phone and the PBX are registering correctly. I can see the 401 packets coming back from both, in both cases correctly targeting the external IP address. NTP packets are still not getting fast responses, but that may be a separate issue.

So it seems when changing routers behind a Pace modem, the correct procedure is:

  1. Factory reset the Pace.
  2. Re-configure the Pace to put the router in the DMZ. See this post for how to set Settings > Firewall > Advanced Configuration. I also disable Reflexive ACL in the firewall.
  3. Disconnect your management computer.
  4. Reboot the router.
  5. Quit for the night. (You might be able to skip this step.)
  6. Check SIP registrations and packet flow.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.

This site uses Akismet to reduce spam. Learn how your comment data is processed.