I’ve recently completed setting up AT&T IP Flexible Reach service for use with an on-premises installation of the 3CX phone system. The AT&T process is quite opaque, so I wanted to document a few things for future reference.
My customer ordered the service and had lots of trouble getting the fiber pulled and approved to the point where the order could move forward. It’s still unclear where it got stuck, but when the salesperson explained that sales is not allowed to contact engineering for regulatory reasons, the customer got onto some AT&T forums and eventually got the AT&T executive office engaged. They were able to get a tech out the same day to install the EdgeMarc 4808 router. (In California, another way to reach the executive offices is through the California Public Utilities Commission at 800-649-7570, although I’m not sure if they get involved in business as well as consumer issues.)
SIP Handoff
Backing up a bit: for the best connection to a 3CX phone system, it’s important to order the IP Flex service with “SIP handoff,” meaning phone calls will be delivered directly via SIP, not over analog lines or PRI. I was confused when I saw the router installation because the tech installed a 22-port analog patch panel connected to the EdgeMarc via an amphenol connector (see photo). More on that later.
Call to Get the Approval Email
If you are trying to do a “same day test and turn-up” (get it working right away), the next step is that you must call Provisioning at 855-556-7901. I think option 4 is IP Flex. Ask them to send the customer an email asking the customer’s permission to turn on the service. If possible, have the customer make this call and ask AT&T to send the email while the customer is on phone. When the customer receives the email, have them reply, approving that services (and billing) should start immediately.
Call for Same Day Test and Turn-Up
Once approval is in place, call the “Halo Hotline” (sounds like “2001: A Space Odyssey”) at 855-26-7647 to request a “same-day on-demand test and turn-up of data only.” This immediate turn-up gets Internet and temporary phone numbers, but does not port in numbers.
This scheduling call took about 30 minutes. I learned during this call that a tech was scheduled to install the router a week from then, and did I want to cancel that appointment? Yes, since the router was installed that morning. I also learned that the service was provisioned as analog, even though SIP handoff was ordered. We needed to at least get Internet working so I agreed to continue. They scheduled a tech to call me back.
Important Timing matters. The scheduling department is available until 8pm Eastern, but the turn-up engineers are only available until 5pm Eastern, or 2pm California time. Also, you will need someone on site before they will schedule the callback. (I set it up for a customer employee to be on site to move cables around.)
The Technician Call
While waiting on the technician to call, I got an important tip from the AT&T sales rep: the turn-up technician should be able to change the provisioning from analog to SIP.
About half an hour later, the technician called. This call took about two hours.
I immediately raised the issue about needing SIP handoff. He opened a ticket to request the provisioning change, which takes about 20 minutes. Meanwhile we worked on setting up the router and getting Internet working.
The technician will provide your static IP addresses as well as the subnet mask, gateway, and DNS servers.
The router has eight LAN ports, which are used as follows:
Port 1 – Leave open for management.
Port 2 – Connect to customer router/firewall for use with static IPs. The tech will tell you which IPs are allocated.
Port 3 – Use temporarily for getting a dynamic IP assigned via DHCP. This allowed me to access the router and assign a static IP (see screenshot below), after which the on-site person had to move the cable to port 2. (Doing this remotely made me wish I had some kind of out-of-band management interface available!)
Port 8 – Use for SIP handoff. Connect to second, dedicated NIC in the 3CX computer.
Once the Internet is working, log on the the 3CX computer and do a speed test to confirm you are getting the expected speed. Also, in 3CX, go to Settings > Network and change to a “Static Public IP”. Make sure the detected IP matches the IP assigned by AT&T.
We had Internet working and by then the phone provisioning had changed to SIP, so we were ready for that.
Note One thing I forgot was to ask the technician to disable SIP ALG on the Internet interface of the EdgeMarc. I realized later that the reason a FlowRoute SIP trunk was not working was that SIP ALG was enabled. This meant calling AT&T tech support and waiting for a callback. After 24 hours, I called back and found that the ticket had been assigned to the “circuit team.” Next time, for router configuration requests, I need to ask the person creating the ticket to assign it to the “voice team.”
Another Note One of the user’s guides for the AT&T “Business in a Box” router says you should be able to log in to the router as http://192.168.4.1, user custadmin and password the last six characters of the MAC address, all uppercase. I got the login screen but could not get in. Probably that’s because I’d need to have a computer on the 192.168.4.x subnet, as explained in the guide.
Computer Configuration
Set up the 3CX computer with two NICs. Connect the first NIC to the customer router/firewall (probably through a switch) so that the 3CX system will be able to access the Internet. Connect the second NIC directly to port 8 of the EdgeMarc.
Configure the second NIC as follows:
IP address: 1.1.2.21
Subnet mask: 255.255.255.0
Default gateway: (empty)
DNS: (empty)
The technician actually instructed me to set the gateway to 1.1.2.1. That worked for calls, but it also meant that the 3CX computer tried to route other Internet traffic to second NIC. Removing the gateway stopped that traffic, and AT&T SIP calls still work.
Set up a SIP Trunk in 3CX
From the list of supported U.S. providers, choose AT&T. Set the hostname to 1.1.2.1 and Number of SIM Calls to10 (confirmed by the technician). Note that this uses IP authentication; no auth ID or password is required. Under Route calls to, set the customer’s main phone number as the Main Trunk No. Add more DIDs, including the temporary phone numbers as listed by the technician, on the DIDs tab.
At this point, if your inbound and outbound routing are correct, you should be able to make and receive calls through the AT&T temporary numbers.
Testing Calls
Part of the turn-up is to test inbound and outbound calls.
Our first inbound test failed from exterior numbers but the technician, dialing from a VoIP number, was able to get through. He did something to patch the PSTN through to VoIP, and the inbound calls started working.
For outbound testing, I used the 3CX app on my cell phone. I simply registered the app to the customer’s 3CX system using a QR code sent out by the system, and I was able to place outbound calls through AT&T from my cell phone. We successfully tested local, long distance, and toll-free numbers.
I asked the technician if the outbound route for 7-digit numbers should be configured to send 10 digits (i.e. prepending the area code) and he said yes. This is what is working as an outbound route for 7-digit numbers:
The idea here is to handle areas where the customer is required to dial the full 10-digit number even for local calls.
If the customer dials a 10-digit number, prepend a “1” to confirm it as a long-distance number:
Routing may be different in your area.
Hybrid SIP and Analog
I mentioned to the technician that it would be nice if a hybrid setup was available, with some phone numbers doing SIP handoff and some going to analog. (The main reason to use analog at this customer site is for a fax machine.) To my surprise, the technician said that this is in fact possible, and agreed to set up the fourth temporary phone number as an analog line on port 1 of the patch panel.
After he set this up, all calls to the system started failing. The caller heard a message like, “Your call cannot be completed as dialed. BC2.” When the tech dug into the logs, he saw a “404 not found” error. After confirming that the phone system should still be working, and noting that outbound calls still worked, we realized that he had configured all numbers to go to analog, which is the default (analog has priority over SIP). He re-programmed some kind of filter to choose only the fourth number for analog termination. After that, the first three numbers worked for voice, and the fourth, analog line just rang unanswered. The customer will be connecting a fax machine to that port to confirm that it can reliably send and receive faxes.
The technician advised me that when the customer ports their numbers, whatever tech is working on that will have to repeat this split programming to direct their fax number to the analog port.
Really help me me navigate this same exact scenario
I’m having trouble. First off the install came with no documentation whatsoever, nor any information on where to find any. After searching the Internet and finding what could be relevant user ID and password information, the router password was not the last six of the MAC address as it was shown just about everywhere online, it was “admin”. Took me about 30 minutes on hold with AT&T support (who never picked up) before I gave up and kept trying different combinations for myself. That was frustrating.
Now, as I understand it, for us to use our own firewall with this router, I need to have our assigned public IPs in the space for Customer Networks. There are, of course, none. I don’t know if that’s by error or design, but clearly it means more time on hold waiting for support.
So far, not impressed with AT&T at all.
@Michael, I feel your pain. I never got logged to the AT&T device, but eventually support got things set up. Remember to ask them to unblock SIP (port 5060) and turn off SIP ALG if you need open your network to inbound VoIP traffic (e.g. remote extensions). You may have to raise a separate ticket for that request.
I’m your experience does ATT block SIP every time with IPFlex? I have a site that doesn’t work with IPFlex but as soon as I swing my firewall to the local cable connection the phones come right up. I have two more IPFlex implementations so it’s concerning. Thank you
Eric, I’ve only done one install behind IP Flex, so I don’t know if it’s the default. You’ll have to contact AT&T support to ask if they’re blocking it on your setup.
Mark,
Great article. Quick question – have you ever run into a case where you requested AT&T to use the local private address scheme vs. the 1.1.2.x scheme? So if my phone system is on 192.168.5.5, would it be possible to have AT&T use 192.168.6.6 instead of 1.1.2.1?
Thanks!
Pedro
Sorry, that should’ve read 192.168.5.6 instead of 192.168.6.6
Pedro, I’ve only done the one install but as far as I know, AT&T specifies the IP. Not sure you would want all your other LAN traffic (broadcast packets etc.) hitting the SIP NIC anyway. You could ask, perhaps during the test and turnup call. Let us know if you learn otherwise.
Wanted to follow up in case it helps anybody… yes, AT&T can change 1.1.2.0/24 range to whatever your local phone system VLAN is on (example – PBX = 192.168.5.1… AT&T Router can be 192.168.5.2) instead of 1.1.2.1. This helped save us over $20k in new SIP equipment and we were also able to VLAN it off into its own subnet to keep traffic noise down.
Your page was the most informative I’ve run across when it comes to IP Flex / BVoIP but finding if this was possible on the web wasn’t possible until I actually talked to the TTU Engineer.
Hope it helps someone out there!
@Pedro, thanks for circling back with that info!
This is going to sound a bit out-of-nowhere, perhaps, but if one were to conduct a TTU for AT&T IP Flex with the Edgemarc 4808, but in a system that uses only analog phone lines (through utilizing an amphenol connector like the one pictured), would one do the call part by plugging in a phone to one the FXO ports labeled in blue on the router? Or would one need to use one of the FXS ports that are part of the patch panel?
@Damon,
FXO (Foreign Exchange Office) ports are for incoming phone lines. My hunch would be that they are for connecting and passing through copper lines as a backup/failover connection, i.e. if the fiber fails.
If you want to connect a phone for testing, you’ll need to use an FXS (Foreign Exchange Station) port on the patch panel. In my customer’s hybrid setup, the first analog port is active for the fax, so that’s where we plugged in the fax machine.
AT&T installed the 4808 yesterday, phone lines working great, however having issues with the internet side of the fiber optic connection. Can’t seem to get AT&T to provide appropriate steps to allow outside access through the router to our computer server, via internet. Had the same issues with the last 6 digits of the MAC address being the password, doesn’t work. Suggestions?
@David, we didn’t have a problem with most inbound traffic. We did have to request that port 5060 (SIP) be opened and SIP ALG disabled.
Do you have a router behind the the 4808? I’ve got a UniFi USG behind the 4808 at this customer. The WAN on the USG is set to Static IP with one of the 4808’s public IPs. In other words, the 4808 is operating in true pass-through mode and the customer-owned router uses the public IP, not DHCP.
If that doesn’t help, AT&T tech support should be able to help you out. Let us know what works!
This was extremely informative!
How do I connect the Netgear ac1700 model r6400 router to connect? I’ve tried with Ethernet cable but my computer will not pick it up neither will any other device.
@Brandi, sorry I don’t understand the question. How does this relate to AT&T Flexible Reach setup?
I’ve gotten my hands on an AT&T-branded 4808. Has anyone found a way to reset it back to defaults to be able to use it with some other service?
I am looking to get a specific phone number. It currently owned by AT&T – the only way for me to get it is I have IP Flex service. I am looking to pay someone to let us park the phone number on their account so I can port it over to us.
I am willing pay ….
Abe
Abe – Nice to hear from you! You probably don’t remember, but you helped me with Toshiba key system manuals back in 1996. Re. IP Flex, I was working on that for a customer so it’s not my account.
Article is much appreciated, just wrapped up an install using 3CX and AT&T SIP.
One change I had to make for the SIP Traffic to route properly was “Select which IP to use in ‘Contact’ (SIP) and ‘Connection'(SDP) fields” on the Trunk’s Options tab. I had to set it to the PBX’s SIP address on the AT&T Side.
Using the Cisco ASR1001X Router provided by AT&T.
Hope that makes sense.
Been couple of years now but with this setup, did you have any problems with REMOTE Extensions connecting on WAN side then ability to send/rcv calls via SIP connection side (1.1.2.1)?
@Charles, interesting question. In general this install does not use remote extensions so I can’t say. I have used remote web / 3CX Phone connections for testing without issues, but those go through their own tunnel so wouldn’t be the same as a desk phone using standard SIP ports.