Taming Ameritech DSL


In my area (Detroit, Michigan), Ameritech (the local phone company) offers DSL service in some areas.  They are an absolutely horrible service provider, but they appear to be the best in the area.

As with any DSL service in this area, the first challenge is to get it installed.  Telephone lines (required by DSL) in this area range from fantastic, but technologically incompatible with DSL to very old, very unsuitable for DSL.  Somewhere in the middle are some people who have wiring which is of adequate condition and type for DSL use.

Ameritech offers several "grades" of DSL:

As indicated, the basic SpeedPath 768 is a non-starter in a business environment -- dynamic IP allocation is silly and way too limiting, plus this service restricts your ability to use an external firewall, the only proper way to protect your systems from the Internet.  The SpeedPath 768 Office is not bad for sites that need Browse Only access to the 'net.  It is a very easy install in many sites.  However, the OfficePlus solutions are the only option for many of my clients, as static IPs are just required.

The Problem

Problem is, Ameritech programs the router they provide you gives you outbound access to one and only one IP address through NAT.  There is NO incoming access.  So of these five IPs, you get to use one, and you have limited use of that one, even.

The router my clients have been getting recently from Ameritech is the Efficient Networks SpeedStream 5861.  This appears to be a very capable box, perhaps a little too capable.  The manual is over 300 pages in length, and provided ONLY in .PDF file format.  Now, this may be a personal quirk here, while I appreciate Adobe Acrobat's ability to print something very pretty cross-platform, trying to use it to READ a document using Acrobat Reader I have found almost impossible (note: "continuous" mode makes it almost useful (Thanks, Mike!).  On Acrobat Reader v5.0, they have FINALLY set this on by default).  Put bluntly, I don't have a whole lot of interest in learning to configure every imaginable router out there with every imaginable Internet service provider.  We are talking many, many hours of learning for something that I may never see again.  Do I charge the client $5000 for a DSL install and set up?  I think not.  Do I waste my time learning what may well be a "one-shot" product and service combination?  Again, I've got more important things to learn and keep on top of.

What I prefer to do is to to "open up" the router to the Internet, and put an external firewall and/or other service box behind the router.  For external firewalls, I like either OpenBSD or GNATbox, two very capable and cost effective solutions, both of which I support and have spent considerable time learning, and support a wide array of different internet connectivity options (DSL, Microwave, T1, etc.).

The Solution

I'm not going to give a "click-by-click" guide to programming the Efficient 5861.  However, I will give some hard-earned tips...

First, always start by making sure you have a backup of your initial router configuration.  The Efficient Networks configuration program does a pretty good job of this -- load the software, first thing it will do is connect to the router and download the configuration.  Apparently, however, it is rather stupid about knowing how to do anything resembling rotated backups.  I like to have a copy at every "benchmark" stage: as Ameritech left it, when I start making progress, when I have it exactly how I want it.  Simple solution to this: Rename the directory it ends up in. (something like C:\DSL\<letters&numbers).  Next time you do a backup, it will recreate this same directory (I believe it is the serial number of the router).

If you choose to restore the router, you do this through the backup/tools menu.

Virtually all useful configuration of the router must be done from a telnet session with the router.  The 5861 only accepts connections from nodes on the same subnet as its ethernet ports.  This is a security aid, but it often requires an "extra" computer handy.

You are going to have to find out what your IP is.  Ameritech won't tell you.  How nice of them.  I usually telnet to a machine I have which will tell me where I am coming from, though some web sites will also tell you your IP address, as well.  Your reported IP should be the top-most of the available IPs of your subnet block -- if it isn't, you are probably not set for static IP yet (see below).

The "protected" side of the router defaults to with a subnet mask of

There are two solutions I have found to making this thing useful...

Inbound mappings

This uses mostly the router's own capabilities, but permits inbound traffic to come in on particular IPs (remember, you have five) to be routed to particular machines behind the router.

From a telnet session, use the commands:
    system addhostmap

In this example, are the "mapped" ip addresses for the devices you want external access to. is the FIRST usable IP of your block.

In this case, your machines use the IP address of the router ( as their gateway to the Internet.

Does it work?  Yes.  Are there potential problems?  Yes -- for one, you will (typically) have double NAT going on, first at your router, then again at your external firewall.  I would imagine this would break many VPN systems, and can cause other problems, though it won't hurt your normal browsing.

This solution was suggested by Ameritech.

"Dumb as a Brick Mode"

My preferred solution is to have the router just get the heck out of the way.  Just let my computer get to the 'net!  When explaining this to the one very helpful Efficient Systems support person I found, he said "You mean, Dumb as a Brick Mode?"   "YES!," I said, "Exactly!"  He proceeded to give me a small number of commands, and like an idiot, thinking I'd never see another of these systems again, I didn't bother to write them down.  This, of course, resulted in me having an identical install the very next day...and I never reached a useful person at Efficient Systems again (the one I did reach later was kind enough to suggest that I read the 300 page manual (which, actually, I had attempted in the past.  Problem is, the manual tells you everything you can do with the system, not how to use it with your ISP).  He assured me there was a "shorter, 100 page" manual on the 'net someplace, but he couldn't tell me where).

Anyway, using the system I had been walked through configuring and another client who was patient for the service, I was able to "reverse engineer" the steps required:

I have bold faced the commands you need to type, the lines starting with # are comments to let you know what is being done.

Again, through telnetting to the router
    # use the "login name"  and PW you were given.  This enables the DSL box to
    # connect to the Ameritech service, apparently.
    sys name <user1@static_ameritech.net>
    sys passwd <assigned password>
    # Set the router's IP and the range that it will be supporting.  Note that for
    # the installs I have done so far, the router goes at the TOP of the address
    # range.
    eth ip ena
    eth ip addr

    # The following are commands which are using curious terminology of the
    # Efficient routers...some of it quite contrary to what I would have guessed
    # one would want to use, so I will not describe what is happening, I'd
    # probably be wrong.  Note: 'rem' below is short for 'remote', not
    # 'remark' -- those are commands, not comments.
    sys wan2wanforwarding on
    rem disbridge internet
    rem setiptrans off internet

    # Make it happen

Now, all this is assuming you are starting at where Ameritech left you.  If you are trying to use this guide with another ISP which uses the same router, good luck to you.  This worked for me in my situations so far, I'm not going to pretend I know entirely how or why.

Once you have enacted "dumb as a brick mode", set your computers to use the router as their gateway, and put them right on the 'net.  Should you need to use the Efficient Networks management software, you will have to do it from a machine on the subnet you are working with, not behind a firewall (I think...gotta test this).

Other notes:

After reconfiguring the DSL router in any way...power it off and back up. It is important.

Ameritech really has no idea what they are doing here.  To sell a service without any idea how to guide the customer through using it would be unacceptable in any other industry.  Fortunately for them, the expectations for service and support in the computer industry is very low.

There are many things Ameritech does not tell you when they do the DSL install.  Most notably, when they set you up, they typically program the router with a "temporary" user ID and password, and don't bother to tell you this.  This temporary address is a dynamic IP.  In order to actually USE your system, you will have to go in and reprogram the router when they get around to updating their back end equipment with your user information.  Worse, in one case, they actually set us up with a temporary ID, then a semi-permanent, but still dynamic IP, and almost a week later, the static IP was actually activated.

This is inexcusable.  Apparently, they don't even start to consider setting up your service account ID until AFTER the DSL modem is installed and operational.  Why?  All I can figure is their install success rate is so low, they don't want to waste their time actually doing any back-end record keeping until they know everything is going to actually work.  AFTER the wires are operational, then they will start getting things in order on their end...this has taken a week or more in one case!

In three out of three cases, the installers have told my clients "The computers are down, I've set you up with my temporary ID".  Get real. Have you EVER made a phone call that their computers didn't track?  Has your bill ever not arrived on time due to a phone company problem (we'll ignore the USPS right now).  The phone companies not only have some of the most sophisticated computer systems in industry, but also pioneered many of the technologies we now take for granted (remember, Unix came out of AT&T).

In one Ameritech DSL install I did, they actually had some kind of record keeping snafu on their end -- took almost a week to get that cleared up and bizarrely enough, I had to give them a credit card number. Never got a good explanation on that one, they assured me it wouldn't be charged, "the old registration system computer just needs it"  "Then use yours"  "Uh, can't do that".  So, just to mess up their systems the best I could, I gave them *my* credit card, rather than the client's.

The individual people I talked to at Ameritech were (with one exception -- Carol, you are on my shit list.  My client, after hearing the one side of that conversation, said "Wow.  I've never heard you loose your cool like that before, Nick!") very nice, understanding, and sympathetic to the problems I was having.  And, they had obviously heard it all before (be nice to them, you get NOWHERE yelling at the person who is trying to help you).  The problem isn't the people you are dealing with, the problem is the Ameritech management, the system is broken, the people are great, and doing their darnest to get you going.

Links to Speedstream documents:

Thanks to Todd Fries for those links!

Holland Consulting home page
Contact Holland Consulting

since May 14, 2001

Copyright  2001-2003, Nick Holland, Holland Consulting

Published: 5/14/2001
Revised: 1/04/2003