OpenBSD IPv6 Home Internet Gateway with AT&T Fibre (jgoguen.ca)
24 points by ecliptik on July 23, 2024 | 7 comments


There is a way to bypass the AT&T Gateway using the following method (with hardware):

https://pon.wiki/guides/masquerade-as-the-att-inc-bgw320-500...


Worth every penny.


Many have gone down the agonizing process of searching for the best way to coexist with this abomination of networking gear that AT&T has given us.

Let me save you all some heartache, and you'll be able to throw the BGW320 in the trash - literally.

Read this documentation:

https://pon.wiki/guides/masquerade-as-the-att-inc-bgw320-500...

https://docs.google.com/document/d/1gcT0sJKLmV816LK0lROCoywk...

Here is the modified SFP (there are cheaper ones out there, but I couldn't wait any longer): https://ecin.ca/custom-xgs-pon-sfp-stick-module-xgspon-ont-w...

Join this Discord for support: https://discord.gg/8311-886329492438671420


The BGW320 units are absolutely horrible. They're riddled with bugs, and there's no way to communicate with humans at AT&T who either understand the bugs or who know how to communicate with other people at AT&T to address them.

One incredibly annoying problem is that even if you're paying for static IPs and expect static IPv6, you can't route IPv6 without DHCPv6 being turned on (the settings are on or off for IPv6, for DHCPv6, and for DHCPv6 Prefix Delegation). You can turn on DHCPv6 on the BGW320, then you can statically configure IPv6 without ever running or using DHCPv6 and it'll work, but you can't turn off DHCPv6 and use static configurations, even though the setting for IPv6 is "On".

While this isn't a big issue because I control the public segment of my network, it's both annoying and unprofessional that this issue exists. It also makes it impossible to use devices you have less control over with IPv6 without using their DNS hijacking servers and without using their search domain, since you can't configure the BGW320 to provide custom DNS servers, nor set a custom search domain.

A more egregious problem is that all traffic, both IPv4 and IPv6, goes through the state table of the BGW320, even when you're not doing NAT, and even when you turn off all of the "firewall" things (although "Reflexive ACL" has to be on, else IPv6 won't work). This can be seen when you go to "Diagnostics", then "NAT Table" in the BGW320's web interface. That's right - you can see NAT entries for every connection made.

This caused all sorts of problems until I figured out this was why connections were constantly getting dropped on a busy network. 8192 state table entries might be fine for an individual, but for a small business, with lots of clients, and with machines on the static IPs that the BGW320 routes, it was constantly overflowing.

I'd love to see a straightforward way to turn the BGW320 into a bridge so we don't have all these ridiculous issues. In the meanwhile, anyone who has one of these should definitely take the advice of OP to "put your LAN behind a secure and trustworthy firewall" :)


If you're fortunate enough to have the older BGW210 you can bypass it without specialized hardware by having your router proxy the authentication requests.

https://pyther.net/2020/05/03/bypass-att-gateway-openwrt.htm...


pfSense and OPNsense are great FreeBSD-based options if you want to use pf without needing to craft your own pf.conf.

Also it's possible to extract the certs from some BGW models to use with wpa_supplicant and bypass the BGW completely.


This is what I was thinking too. If you are going to use a different box, why not use a more feature rich solution that is much less difficult to configure?



