It seems that it is well documented that ATT has managed to screw up their Pace Pic model 5268AC with the firmware version 18.104.22.1681418-att. While the default mode is DMZ all of the firewall/port forwarding rules are OFF by default. This is normal and fine but if you want to do some advanced work like remote desktop, secure shell, or even hosting your own website or service then you need some advanced knowledge.
Where things get annoying is that if you want to L2TP/ipSec into your home network then you need to be in bridge mode because ipSec requires access to protocols other than just TCP and UDP.
And as I’m tired of this problem ATT customer support was useless. They were clearly working from a script and no grasp of the problem.