Setting up static IPs using a Comcast Business Gateway

[cranialsurge]

I have a 5 static IP (public/external IPs) package from Comcast Business Services and a Comcast Business IP Gateway. Now I would like to connect my router to the gateway and use the gateway's DHCP to dynamically assign it an internal address which is as simple as connecting the router to one of the gateway's ports as the gateway's internal DHCP server is automatically enabled. There is a range that you can specify and all the devices connected to the gateway are assigned a random IP (for a specified lease time) from that range. Now however, I have 2 servers that I want to assign static IPs. Both servers are directly connected to the gateway. I tried directly assigning a static ip each to the servers (I have all the information - IP address, subnet mask, default gateway, primary and secondary DNS) but the servers are unable to access the internet. I understand this is because they are all behind the gateway. The gateway is dynamically assigning internal IPS via DHCP to both servers like it is to the router above. These are Windows Server 2008 machines. Can someone please guide me in the right direction here. I am fairly new to networking of this nature. I want separate static ips for each of my 2 servers. Again these are external IP addresses, I have 5 of them that I purchased from my ISP.

Thanks a ton in advance.

[YeOldeStonecat]

The SMC appliance (gateway) that Comcast ships with their static Biz accounts, by default, will utilize an IP on its WAN interface, and provide NAT/firewalling for devices plugged into it that have their TCP set to obtain auto...it will hand out IPs something like 10.1.10.100...or something like that. So it acts like any home grade router in that respect.

When you want to use your own router ...and put one of your static IPs to your own router....you simply plug in that static IP/subnet/gateway/DNS into the WAN interface of your own router, ....and plug your routers WAN interface into one of those 4 ports in the back of the SMC gateway.

Or if you want to plug in just your bare server...with that server on that IP address...you could do that, but I highly...highly recommend you don't plug a server right onto a public IP address, stick it behind a good router/firewall with NAT, and have only the bare minimum ports open/forwarded necessary to make available whatever it is that this server does.

If you're running 2x servers...most decent firewall/routers will support multiple IPs on the external interface.

That particular IP (range) address/subnet/default gateway/dns is on the sheet of paper that you got from Comcast when you had your biz account setup/installed.

The last thing is to log into the SMC device, and shut off it's firewall. I forget the LAN IP again..something like 10.1.10.1...(just set your IP to obtain auto, plug into it..do an IP config /all)....
username and password are something like cusadmin and highspeed.
Look around, there's a "disable firewall" checkbox around there.

[cranialsurge]

Thanks a ton for replying. That was really precise. I was hoping someone who had experienced Comcast's infrastructure would be able to help me out. Yes the gateway by default is accessible at 10.1.10.1. The SMC device (Gateway) then dynamically assigns all the devices connected to it, DHCP generated IPs between 10.1.10.1 and 10.1.10.99.

Now as you said, If i want to assign my router a static IP you said "you simply plug in that static IP/subnet/gateway/DNS into the WAN interface of your own router, ....and plug your routers WAN interface into one of those 4 ports in the back of the SMC gateway". I'm a noob to this and I apologize for my lack of networking knowledge. What exactly should I plug in to my router in the first part of your sentence? I understand that after that I then have to connect my router to one of the 4 ports behind my SMC gateway. I am guessing that you meant that I connect whichever server I want to my router when you said "you simply plug in that static IP/subnet/gateway/DNS into the WAN interface of your own router". How would the router itself be assigned one of those 5 static IPs ? Or am I getting my objective confused here. Should the router be on one of those 5 static IPs that I have or should I just permanently assign it with the SMC gateway's already assigned DHCP IP (e.g. 10.1.10.123) that was delegated to my router when I connected it to the gateway ?

Do you mean connect my servers to my router which is connected to the gateway and assign those servers static IPs using my router ? I understand the security risk in connecting my server directly to the SMC gateway, and will not really be doing that. But if I wanted to how do i assign one of the 5 static IPs i got from Comcast to my server when it is directly connected to the gateway ? I tried doing it by manually assigning the static IP info in Network Connections in Windows Server 2008 but that didn't work because the server is behind a gateway and is not directly connected to the public network. I just lost network connectivity.

Thanks a ton for your patience

[YeOldeStonecat]

It should have worked if you plugged in the information that Comcast gave you for your static IP.

They should give you your range of IP addresses..and highlight the "first usable IP".

You'd take that first usable IP in the range they gave you, and enter it into your servers network properties...TCP/IP...(IP4)....
The IP address
The subnet mask they gave you
The default/remote gateway they have you
And if your server is a stand alone server in workgroup mode...you'd enter the DNS servers that they gave you.

The gateway they give you to use is usually the first or last number in the IP range that they put aside for you.

Now, sticking a Windows server out on a public IP address...even for just 1 minute...it risky...very risky. Within a matter of seconds it'll start having scripts and bots and trojans and other exploits banging the doors down on it. There is a lot of work that has to be done on a Window server to prepare it for sitting on a public IP address.

Best thing to do (and what I do) is take your own router or firewall...and plug in that information above you got from Comcast...into its WAN interface. When I say WAN interface..that means the external part of your router, the internet interface, the outside connection. Commonly for home broadband users, this is left to "obtain auto/dhcp" from your ISP (common for cable), or...PPPoE (common for DSL), where you enter the username/password.

But with static IP setup with Comcast....you set the selection for your WAN interface to Static IP...which opens up all those fields to enter the assigned IP address, subnet, gateway, and DNS.

Once you enter that information into the WAN interface of your own router, you uplink that WAN/Internet port of the router, to one of the LAN ports of the SMC. Now, take a computer and plug it into one of the LAN ports of your own router...with TCP set to obtain auto...that PC will pull an IP from your own router..something like 192.168.1.100. If you're successfully connected to the internet, and if you go to http://www.whatismyip.com you should see it report the public IP address that you plugged into the WAN interface of your own router.

So what you do now is put your servers behind your own router, plugged into the LAN ports...assign your servers internal static IP addresses (or give them reservations in your own routers DHCP service)....something like 192.168.1.10 for example. And now, you open/forward the ports on your own router that are necessary to make the services you wish to be available...available out on the internet, forwarded to the internal LAN IP of your servers.

What will these servers be doing?

[cranialsurge]

Hi,

I had initially done what you told me to before I actually posted here. I took one of the 5 Ips from the range Comcast gave me and fed it in to my router's (which was already connected to the SMC gateway) WAN interface using the static IP setting on the router. At the time of feeding in that information it also asked me for a MAC address, I gave it the MAC address of my computer and set it. Then when I browsed to whatismyip.com it showed me the correct static IP, the one that I just set. I am not sure however if I should have set my router's MAC address at the time of setting up this config or whether my computer's MAC address was ok. I think the latter is wrong, this probably means that my machine is sitting buck naked on that public IP.

Now, I can try changing MAC address to my router's MAC address instead. If I do this I am guessing that my computer or anything else connected to the router would be auto assigned a DHCP generated address by my router. However, if the router itself is now sitting on the public IP, would I still be able to access my router's administration page on the same internal IP (e.g. 192.168.0.1).

Also, I thought that my SMC gateway should probably be sitting on one of the 5 IPs Comcast gave me too, but apparently it isn't. When i checked the status of the SMC gateway it says WAN DHCP: 67.x.x.34. And when my computer is directly connected to the gateway (instead of my router) this is the IP whatismyip.com shows me. This address is not in the 5 IP range Comcast assigned to me.

I am currently experimenting with infrastructure with a colleague of mine (we are software developers working on a personal project that we want to turn commercial) and haven't defined our server responsibilities yet. We were thinking of setting up our own DNS. And then hooking up a Web Server and an Application Server.

Thanks.

[YeOldeStonecat]

No fiddling of MAC addresses should be required. The only thing you might do with your computers MAC address is enter it into your own routers DHCP service reservation section.

Your routers WAN interface is what gets the static public IP.
Your "server" would be behind your router (inside really)..on the protected private side of it. Say your router has a LAN IP of 192.168.0.1, and your server has 192.168.0.10, yes you can still access your routers web admin at 192.168.0.1 from the server.

If you want to run a web server you'd open/forward port 80 on your own routers port forwarding section, to the LAN IP of the server, 192.168.0.10 for example.

So...traffic coming from the internet, seeking your static public IP address of 67.blah.blah.blah..that traffic hits your own routers WAN interface..and the port forwarding forwards to that to your servers LAN IP of 192.168.0.10.

[cranialsurge]

If you look at pg. 21 of this document, you will see the static IP setup screen of my router (Dlink DIR 655).

http://www.scribd.com/doc/2090673/DIR655-manual-11.

There if you notice, I specify one of the static IPs from the range given to me by Comcast and fill out all the necessary info. At the bottom it asks me for a MAC address. I can leave it to its default setting. But is that the right page that I am using to configure my static IP ? Also, any idea why my SMC Gateway is not on one of the IPs in the range given to me by Comcast. the 67.x.x.x address is the WAN DHCP address. Wouldn't that change ?

Also, pg. 8 in the following document is how my SMC Gateway's settings look like.

http://worknetkc.st.comcastsupport.com/ ... 20Document

Thanks again for all your help.

[YeOldeStonecat]

If you look at pg. 21 of this document, you will see the static IP setup screen of my router (Dlink DIR 655).

http://www.scribd.com/doc/2090673/DIR655-manual-11.

There if you notice, I specify one of the static IPs from the range given to me by Comcast and fill out all the necessary info. At the bottom it asks me for a MAC address. I can leave it to its default setting.

Ahh...yes, routers have the option to "spoof a MAC address"....that is nothing you have to deal with. Some ISPs used to reserve an IP address for you based on the MAC address. If you change router router for example (say one blows up)...a new router would have a new MAC address, since all network devices have a unique MAC address..much like the VIN on your car. You have the option of entering your old MAC so you get your original IP back that the ISP would reserve for you. Versus...calling the ISP to have them bind your original IP address to your new MAC address. Thus...MAC spoofing. Regardless, you can disregard that section and leave it default.

[YeOldeStonecat]

Also, any idea why my SMC Gateway is not on one of the IPs in the range given to me by Comcast. the 67.x.x.x address is the WAN DHCP address. Wouldn't that change ?.

Depending on the setup of the local Comcast branch near you, and how they have their DHCP and reservations setup...if your SMCs own address is different...also nothing to worry about. The ones I setup are usually right next to the IP block up where I am, but if yours is of quite a different range...don't worry about it, the 5x IPs that they reserved for you is what counts.

[YeOldeStonecat]

But is that the right page that I am using to configure my static IP ?

Pages 21-23....yes, that's it.

[YeOldeStonecat]

ge ?

Also, pg. 8 in the following document is how my SMC Gateway's settings look like.

http://worknetkc.st.comcastsupport.com/ ... 20Document

Chapter 3, page 10....checkbox for "Disable firewall for true static IP subnet only"....you will want to hit that, by default the firewall is running which will block port 80 and other stuff.

[cranialsurge]

Ooh, nice ! Thanks. Now, so do you think that the fact that my gateway is not on any of the IPs in the range Comcast assigned to me is a problem ? Also I am wondering what the WAN DHCP thing is that is the IP also reported by http://www.whatismyip.com. 67.x.x.x When I add my router to the gateway, it gets assigned an internal IP ... 10.1.10.x However if I assign the router a static IP like you said on that screen (dis-regarding the MAC address), would 10.1.10.x still hold ? I mean wouldn't the public IP that my customers would have to hit still be the Gateway's WAN DHCP ... the 67.x.x.x even though the router will now be on a public IP 123.x.x.x with all my servers inside the router?

[YeOldeStonecat]

Your SMC will, by default, get some public IP address on its WAN interface by Comcast. You can disregard what this IP address is...it's just an IP address to get it online with Comcasts network.

The device will "IP Map" your assigned 5x static IP addresses...sort of just act like a conduit. It's your devices with your manually entered static IP addresses that count.

So if the SMC gets some 67.xxx.xxx.xxx address, and the 5x static IP addresses that you are assigned from Comcast are something like 76.xxx.xxx.xxx., all you need to do is assign your devices those 76.xxx.xxx.xxx addresses. When you go online, and hit whatismyip.com, it should report a 76.xxx.xxx.xxx address to you. The fact that the SMC has another 67.xxx.xxx.xxx address doesn't matter....you're really just funneling through the SMC. That IP it gets, the 67, is just for them to get to it, manage it, for it to get online with their bandwidth.

Devices that you will plug into the back of your own router(s) will also get the correct 76. address when they go to whatismyip.com

[cranialsurge]

Alright, thanks a million for everything. So just to summarize everything, this is what I am going to do:

1.Permanently assign one of the DHCP generated internal IPs of the SMC gateway (e.g. 10.1.10.109) to my router that is connected to the gateway

2. Take one of the 5 IPs and assign it to the router dis-regarding the MAC address field as we talked about earlier
(e.g. 123.345.678.901)
3. Connect one of my servers to the router and have it permanently reside on a specified internal IP (e.g 192.168.0.145)

4. Now when I access the network from my server http://www.whatismyip.com should show 123.345.678.901 right ?

Also, I am now wondering what I should do with the other 4 IPs that I got.

[YeOldeStonecat]

Scratch #1.....no need to assign anything 10.1.10.xxx.

WAN/Internet port of your own router is plugged into 1 of the 4 LAN ports on the back of the SMC.

Steps 2, 3, and 4 seem correct.

Remaining question about the other 4x IPs? You can do a few things with those, depending on your needs. You can plug in a few more routers in the other ports of the SMC...and do the same setup..using those other static IPs.

Some routers allow mapping of multiple public IPs to them.

What is the make/model of your own router?

Not to skip out on you...but I have to log off for the night...wife calling me to to do stuff.

I'll be back online tomorrow morning before I do travel to a few onsites....and on/off throughout the day. Dunno your timeframe for this....but glad to help as much as I can.

---out for the night.

[cranialsurge]

In #1, the router is already connected to port #1 of the 4 ports behind my SMC gateway. But the SMC gateway automatically assigns internal IPs within a specified range to all devices connected to it (internal DHCP server), so the router gets an IP assigned, (e.g. 10.1.10.109). But after I assign one of the 5 external IPs to the router (e.g. 123.345.678.901) it will still appear as 10.1.10.109 to the gateway even though any computer browsing the internet connected to that router will show up as 123.345.678.901 on http://www.whatismyip.com. So I thought I might have to make sure that the gateway doesn't change the router's internal IP from 10.1.10.109 to something else as the SMC gateway implements an internal DHCP server. So with step #1 I meant that I would make sure that the lease on 10.1.10.109 was set to never expire. Is that step not required ?

My router is a DLink DIR 655. http://www.dlink.com/products/?pid=530

Thanks so much for all your time and patience. I couldn't have asked for more. I don't think I've ever come across someone as helpful as you on a forum before. Good night and again, I really appreciate it.

[YeOldeStonecat]

Correct...worrying about the SMC running DHCP, and the static IP on the WAN interface of your router...no need to worry about it.

Any device you plug in the back of the SMC, with TCP set to obtain auto, will get a 10.1.10.xxx address from the SMC, and appear to come from the SMCs 67. address.

Any device you plug into the back of the SMC with a proper static IP address like 123....will not ask for an IP address from a DHCP service, so the SMCs DHCP service near hears that request, and never hands out an IP.

I spaced out in asking what kind of router you have, can't believe I asked it again after even reading that screenshot of the manual and you already mentioned it. Doh!

[cranialsurge]

Heya there,

So guess what :|. I was so desperate to get things working and nothing I tried worked so I resorted to the forum, found an awesome guide in you and went back home last night to try things out. Worked for about 4-5 hours trying all sorts of attempts to no avail. Finally I resorted to calling Comcast tech support. The twits had assigned the wrong Static IP block to me !!! I mean seriously people !! "Business Class" it seems. And I wonder why everything that we talked about wasn't working. Thank you so much once again for your time and patience with this entire ordeal of mine. You've been awesome.

[YeOldeStonecat]

Ahh....glad they got it sorted out. On a side note, Comcasts Biz support has been one of the best I've experienced out of many ISPs...and I deal with a lot of ISPs on a regular basis.

Document all the settings you're doing very well. If a router goes up in smoke, you'll want to get a replacement and enter all those settings again as they are.

[cranialsurge]

Hey there. Yup Comcast's Customer Support was pretty prompt in handling my case. So I have the following setup now.

1. My router is connected to the SMC Gateway and has a public IP assigned to it
2. My Web Server is connected to the router and it has an internal IP (NAT)
3. I have allowed access to the Web Server by port forwarding port 80 requests on my router to the web server (using the internally assigned permanently leased DHCP generated IP address). In addition to this I had to configure port forwarding on the SMC gateway (True Static IP Management) to forward port 80 requests to the external static IP that my router is at. Without doing this even though the router was configured to pass all http (port 80) requests to the web server connected to it, it was not doing so, the gateway had to be configured too.

The last step poses another question for me, in this case how would I be able to have an additional Web Server serving http requests ? Port 80 on the SMC gateway is already pointing to the router.

[siggma]

Hey there. Yup Comcast's Customer Support was pretty prompt in handling my case. So I have the following setup now.

1. My router is connected to the SMC Gateway and has a public IP assigned to it
2. My Web Server is connected to the router and it has an internal IP (NAT)
3. I have allowed access to the Web Server by port forwarding port 80 requests on my router to the web server (using the internally assigned permanently leased DHCP generated IP address). In addition to this I had to configure port forwarding on the SMC gateway (True Static IP Management) to forward port 80 requests to the external static IP that my router is at. Without doing this even though the router was configured to pass all http (port 80) requests to the web server connected to it, it was not doing so, the gateway had to be configured too.

The last step poses another question for me, in this case how would I be able to have an additional Web Server serving http requests ? Port 80 on the SMC gateway is already pointing to the router.

After reading most of this thread it's become apparent that some of you don't comprehend what a "Router" is used for. Comcast has perpetuated some myth's in stating you can plug an additional router into the gateway.

Why would you ever want to plug one router into another router?
To add more NIC ports? NO, use a hub.
To get more addresses? YES, in very, very rare circumstances.
But you'd have to have thousands upon thousands of local computers on the local network to warrant adding a second router and it's subsequent additional NAT overhead.

NAT (Network Address Translation) is not free. It adds overhead to the TCP/IP protocol making packets headers longer than necessary. The Gateway is already a router and a NAT Firewall. There is no need to use a second device between your web server and the public internet.

Using the SMC Gateway Cable Modem you don't need a second router to serve pages to the internet and you don't need a separate router for other computers on the Gateway to use the internet. You can use the existing public IP of the gateway as long as you don't have any other service running on port 80 (web browsing is not a service, a web server is a service. NTP is a service, FTP is a service, SMTP is a service, POP3 is a service, IMAP is a service.). If you want to set up a second web server (Why???) plug it into the gateway, assign it a unique subnet IP (10.1.1.101) and use one of your other public IP addresses. Then forward port 80 for the second IP to the second web server. Using the SMC Gateway you can easily run four concurrent web servers. But again, why would you want to do such a thing? Even the fastest Comcast connection can be easily saturated by a moderate P4 or newer home computer running Apache2 or even IIS. And let's not forget torrents or emule.

First off I suggest you not use any version of IIS for web serving. Even Microsoft uses Apache2 for a web server on some of their sites that don't require MS specific services because it's just plain faster. IIS requires twice the RAM as Apache2 and its still slower. Apache2 runs under Unix, Linux, OS/X, PPC, and Windows on Sparc, Sun, Intel and AMD hardware and probably others so there is no reason to even install IIS. Plus, Apache2 is nearly free. (Do make a donation if you use it!) My home server runs Apache2 and uses a whopping 200-+ Meg of RAM on a 2Gig system. The remainder of the RAM is for disk cache. You need enough RAM in a web server so it almost never swaps. Swapping is the bane of any web server. Many Admins turn swapping off if they are confident the server will never need it. Mine can run for weeks without a single byte written to the swap file. If I see any swapping activity I check my logs. It usually means my configuration is messed up.

Onwards...

SMC Gateway Web Server; It's this easy:

1. Plug the web server computer directly into the gateway.
2. Configure it with a static IP on the same subnet as the gateway's DHCP server. Just make sure it's outside the DHCP range or you might end up with duplicate IP warnings and network failures/Gateway lockups. If the DHCP range is 10.1.1.10 to 10.1.1.50, 10.1.1.100 would be an appropriate address for your web server. Do make sure it's on the same subnet. Don't use 10.2.1.xx or 10.1.2.xx you'll have communication issues.
3. Always use 255.255.255.0 for the netmask everywhere unless you know EXACTLY what you are doing.
4. Set the DNS address of the server to the SMC Gateway IP (10.1.1.1) or whatever it is.
5. Set the Gateway address of the server to the SAME IP as the DNS above. In this case the Gateway serves as both your DNS and internet Gateway because it's acting like a computer itself. All data is passed between the gateway and the public IP. That's why it's called a Gateway.
   
   Alternatively you can look in the Gateway setup and set the DNS and Gateway addresses on the server to the values from the Gateway's public IP but it's unnecessary and one more thing to remember if you move the thing.
6. Navigate to your Gateway administration page in a browser and forward port 80 to the static IP of the web server. It's that simple.

Notes:

• Adding a second "gateway" or "router" between an existing gateway or router and your server makes it nearly impossible to debug communication issues. It also adds significantly to the TCP/IP packet header (sent with every 1500 bytes of data) and forces you to change port forwarding in up to three different devices if you want to make changes to your ports.
• Keep it simple. Read up on IP addressing schemes and make sure you know the difference between DHCP and DNS.
  If you are forwarding port 80 through a router you can disable the firewall on the server.
• There are two private network address ranges that are forbidden or ignored on the internet.
  192.168.x.x - 192.168.255.255 (65,536 addresses) is intended for personal home computers and small local networks.
  10.0.0.0 - 10.255.255.255 (1,048,576 addresses) is intended for campus sized networks for large corporations and educational institutions.
  REFERENCES

Lastly you can read some of my experiences with Debian/Apache2 here:
http://www.trbailey.net/tech/iptables.html

I currently run a home server at trbailey.net using a DSL modem and a web server. In my case the server acts as the "Gateway". No separate router, no hardware "Gateway". I ran across this post looking for experience setting up the Comcast Gateway I'll soon be using.
-Tom

[YeOldeStonecat]

After reading most of this thread it's become apparent that some of you don't comprehend what a "Router" is used for. Comcast has perpetuated some myth's in stating you can plug an additional router into the gateway.

Why would you ever want to plug one router into another router?

[*]Set the DNS address of the server to the SMC Gateway IP (10.1.1.1) or whatever it is.

You're missing the point of IP mapping. Matter of fact this is why the first IP address that Comcast assigns you is available for you to use on your own device. Thus your own router is getting the public IP address mapped to its WAN IP address. You are not double NAT'ing in this situation.

The SMC "gateway" is quite limiting. Suppose you want a much better router with substantially more features than that wimply little SMC can provide (not unlike the horrid SBC/ATT Yahoo "2Wire" gateways you get with DSL), or a UTM appliance.

Use the IP of the SMC for your servers DNS? Ever work with active directory before?

[siggma]

You're missing the point of IP mapping.

What, exactly, is "IP Mapping"?
Are you referring to "NAT" or a "Virtual IP"?
Can you provide a reference?

Matter of fact this is why the first IP address that Comcast assigns you is available for you to use on your own device.

Making sure we're talking apples and apples. The discussion is about Comcast Business Services, not residential. And what you say is apparently not correct. Generally speaking the gateway itself owns the static IP, not the device it's plugged into. The cable modem and some DSL modems as well, are configured when you turn it on by a BOOTP process. See: HERE for a discussion on how a docsys modem boots.

In any case, you cannot (apparently) plug in a Comcast SMC modem to NIC1, then assign your assigned static IP to NIC1 because the modem already has the address. It's not just a modem, it's a diskless computer in a box with an embedded router and firewall. It might even run a linux kernel...

Thus your own router is getting the public IP address mapped to its WAN IP address. You are not double NAT'ing in this situation.

Huh? Mapping?
No two devices on any network can respond to the same IP address or you get a huge collision, a hardware error and quite possibly a device lockup. Are you referring to bridged mode, where the router portion of the device is disabled? Apparently Comcast does not publicly support fully bridged mode for their gateways.

If the Gateway has a public IP and the external router requests a DHCP IP, or you assign it a static IP, the IP for the router will be NATTED through the gateway which adds overhead. Then any devices you plug into the router will be NATTED again, adding more overhead. If you then share the connection through the device plugged into the router you'll be NATTED one more time. Unnecessary overhead.
So again, huh?
And again, again, why?

Comcast business services is non standard when it comes to modems. The SMC Gateway modem itself has A (as in single) public IP, not the interface it's plugged into which is where much of the confusion comes from. I don't know for sure but they may share this special Gateway IP with many different modems when you request "bridged mode". In actuality I suspect it's configuring the gateway as a DHCP server so it will assign the range of static IP addresses that you purchased to the devices that are plugged into it, according to their MAC (hardware) address. In this case it's not using NAT, it's acting as a non standard local DHCP server for your local network. See: HERE. While the Comcast Business Services SMC Gateway apparently does not boot as a standard docsys modem, it does rely on the docsys standard to download it's configuration and assign itself an IP. I've read that you can whine at comcast and they will set your account up using a "Sticky" DHCP address. That way it works like a residential setup only it is always assigned the same IP making it "static", which is what I'm going to request when they do finally get here. The stick DHCP solution has the advantage that you don't need a gateway modem at all. You can use a standard docsys cable modem and set your server to DHCP and it will always get the same IP address. But, it will only work with a single IP.

Unlike an Actiontec DSL modem where I can place the modem in bridged mode and it acts like a dumb modem. No address, no gateway, no firewall, no NAT, no nothing. Just like an old dial up modem. However, the Comcast gateway downloads a Comcast specific custom configuration file upon booting. This configuration file assigns the Gateway itself an IP. It then translates the public static IP (using NAT) to an internal network address.

The SMC "gateway" is quite limiting. Suppose you want a much better router with substantially more features than that wimply little SMC can provide (not unlike the horrid SBC/ATT Yahoo "2Wire" gateways you get with DSL), or a UTM appliance.

It seemed to have rather extensive port configurations to me. Host, domain, IP, even URL blocking plus standard port forwarding and of course, routing tables. What else do you need in a router?

And, you can always set it to DMZ use the firewall and routing facilities of your server or desktop.

Use the IP of the SMC for your servers DNS? Ever work with active directory before?

192.168.0.1 is the default address
Windows internet sharing does this.
Nearly all commercial routers do it this way.

And, DNS is not the same as WINS. Active Directory uses a separate WINS server to find Windows specific services. If you have a windows domain server it will contain a WINS server and you'll need to configure it's IP separately on a Windows box. And the domain server can use the gateway IP for it's upstream (internet) dns. But since most web servers don't care about active directory services it's not really germain to this topic. Not to mention it's way beyond the scope of this discussion.
-Tom

[YeOldeStonecat]

When you sign up for a static business account with Comcast, refer to the information sheet that you are given. Compare the IP that the SMC obtains on the WAN interface, with the IP's in the block that are assigned to your account and are available for you to use.

No kidding 2x devices on the same network cannot have the same IP address, I never stated they would/should.

I think you need to go through a few dozen Comcast biz account setups to get familiar with their process.

I never stated the SMC would be reconfigured as a bridge either, versus how I setup hundreds of DSL modems. Again, refer to the IP that the SMC obtains, and the IPs you're given in your account info sheet from Comcast when you sign up.

And the default LAN IP for the SMC is not 192.160.xxx.xxx

siggma:"And, DNS is not the same as WINS. Active Directory uses a separate WINS server to find Windows specific services. If you have a windows domain server it will contain a WINS server and you'll need to configure it's IP separately on a Windows box."

Huh? Not true since quite a few years ago.

WINS...ahh good OLD WINS. WINS is long dead dude! Since Windows 2000/Server 2000 came out, WINS has been retired as a means of name resolution across a LAN. DNS does it all. WINS was used in the old NT 4 days, and sometimes it's used if some networks (god forbid) still have Win9X clients around for some who knows why reason.

When running active directory, your servers must...MUST..use the IP of the domain controller as their DNS server, and workstation clients MUST use that IP as their DNS server. So if the DC for the LAN has a LAN IP of 192.168.1.10, it MUST use itself as the DNS server in its TCP properties, and workstations must use 192.168.1.10 for their DNS server. If you replace .10 with the .1 address of the gateway, active directory will break, no name resolution, no proper AD logins, slow logins, all sorts of issues. The network will be broken.

[siggma]

It sounds like you're more interested in being "right".

TCP/IP networks are complex entities, and purposefully so. With greater complexity comes greater potential opportunity. There are many different ways to set them up. The topic is getting a web server to work through an SMC Gateway/Router via Comcast Business Services.

My statement that it's unnecessary to use a second router still stands.

You never provided any references for the term "IP Mapping". Google provides links to ip to map coordinate sites for the term.
I think you're referring to "Network Address Translation".

[YeOldeStonecat]

My statement that it's unnecessary to use a second router still stands.

You never provided any references for the term "IP Mapping". Google provides links to ip to map coordinate sites for the term.
I think you're referring to "Network Address Translation".

And I never said I like to double NAT either. Matter of fact...none of my clients are even on double NAT. You're missing the point when you "bypass" that SMC gateway and static assign the public IP address to your own firewalls WAN interface.

My statement that WINS is outdated and no longer commonly used still stands.
My statement that DNS provides local network browsing/name resolution still stands.
My statement that you need to look at your Comcast IP block information sheet still stands, and while at it..compare the WAN IP of what the SMC device gets....against the first IP in the sheet Comcast gives you. That's your first clue.

I've done around 25 maybe 30 setups on Comcasts biz product. The methods I've adopted in setting up there devices are based on listening to their techs recommendations in setting up your own router on their devices.

No it's not NAT.....I think you need to go through a few comcast biz setups and see what I'm talking about.

Web servers.....I would never...ever...put a web server inside of a basic NAT router alongside of my primary business network. Might as well remove the NAT and firewall....because your network is almost as exposed by that method. Orangee zone those web servers if you must host them on your own premises. Or..isolate them on their own behind their own routers, so that they're separated from the business network.

[siggma]

Ok, having successfully installed my Comcast SMC Gateway in "passthrough" mode without any external routers of any kind, here is how I did it. It's even easier than I thought.

As I suspected, the SMC gateway can operate in several different modes. That's why Comcast uses them, they are very flexible.

As a simple gateway (not for running services) it boots and request an ip from the "head". In this case the Gateway owns the single IP address. It then uses NAT to translate that public IP to network 10.1.10.x on the lan side of the Gateway. This is nearly identical to using a regular cable modem with an external router. The gateway has some internal features that a standard Linksys router does not, but it's operates in a very similar way. In this mode your firewall is in the gateway so you are limited by what it offers. This means you cannot load external firewall modules like TARPIT (a nasty way to discourage hacking) or conntrack (connection tracking/logging) or connlimit (connection limiting). Personlly I'd only use this if I were going to provide internet access only to a business.

As a gateway in "passthrough" mode it boots and requests two IP addresses. One for the gateway itself (so they [comcast] can address it) and one for YOU. It then assigns the lan interface the single static IP address you purchased from comcast and uses the gateway IP for it's tech interface. This is the mode I chose. I also disabled the firewall and router in the gateway since I already have my linux server set up as an effective firewall router. I also turned off the DHCP server in the Gateway since I already have one on my server as well.

To configure MY static IP address I simply assign the NIC on my server the IP they gave me, paying special attention to the nonstandard netmask and off It goes... I did have to fiddle with DNS servers since comcast supplies only lookup services on their DNS.

If I need or want a second static IP all I have to do is call. They edit the configuration on the "head" for my account and next time I reset the modem I get TWO static IP addresses on the LAN side. I would then add a second IP to the existing NIC or plug the Gateway (hub) into a second server and assign the NIC in that server the second IP address. I may end up doing this since comcast does not provide authoritative DNS servers for their business clients and I'd like to fiddle with having my own Authoritative DNS server for my puny little domain.

As for using this with a domain controller. The process is no different. Tell comcast you want your static IP(s) on the LAN side (up to 13 addresses) and let them do their setup on the "head". Reboot the gateway and vuala, your static IP(s) automagically appear on the LAN ports. Assign your domain controller(s) one or more static IP's and let er rip. You would then point your Windows CLIENTS at your domain controller through a hub or routers if you have that many windows clients, and let it/them serve ALL your network needs, including internet. There is no reason for a windows client box to even touch the gateway except through the domain controller. Setting up internet sharing on a domain controller is as easy as checking a few boxes in the configuration application. It's been a while since I had a version of Windows Server 2xxx running here. I dropped it because it was so slow and at the time it did not have good support for PHP.

And again, there is no need for an external router between the SMC and yoru servers, the SMC gateway is already a router.

As for address "mapping", there is no such thing. The gateway has two Ethernet interfaces in it. One on the cable side and one on the LAN side. They cannot both have the same address. When you request passthrough mode comcast writes a config for you on the "head" that requests two IP addresses. One for the gateway itself (cable side) and a second for the gateway to assign to the LAN side. They need that gateway IP (it's unusable to you except to gain access to the gateway web interface) so they can do remote testing and check your setup if it's buggered up. It's not used in any way for internet communications.

And that's the scoop. I'm writing this on my Vista desktop hooked directly to my internet server in the next room. My server is plugged directly into the gateway as this picture will verify. I have three NIC's in the server. One is a gigabit for my desktop, the second is unused and the third is my comcast gateway. It's a mess at the moment and I don't have a nice utility closet for a rack of Intel Xeon Quad core IX5 Server boards but it's home and it works.
-Tom

[siggma]

And I never said I like to double NAT either. Matter of fact...none of my clients are even on double NAT. You're missing the point when you "bypass" that SMC gateway and static assign the public IP address to your own firewalls WAN interface.

---snip---

I've done around 25 maybe 30 setups on Comcasts biz product. The methods I've adopted in setting up there devices are based on listening to their techs recommendations in setting up your own router on their devices.

No it's not NAT.....I think you need to go through a few comcast biz setups and see what I'm talking about.

I have gone through the setup and I still say NO to unnecessary external routers. Your Domain controller IS a router.

I think it might be a bit of confusion on your part about how the Comcast Gateway's work. See my post and ask comcast.

It also might be confusion on your part about how a firewall operates. It's nothing like the firewall they describe on, say, Stargate Atlantis...



Are you trying to convince us or are you interested in learning and developing your skills.

Web servers.....I would never...ever...put a web server inside of a basic NAT router alongside of my primary business network.

Not sure what you mean. Physically or in address space?
Isn't this exactly what you're describing,?

SMC Gateway->LinkSys/Cisco router->clients / servers

Is there perhaps an easier, less confusing way for you to do these setups?

SMC Gateway->Domain Controller->Windows Clients

Windows Domain Controllers have a stellar firewall and are RIP2 routers to boot. Making external routers unnecessary overhead. They are not as flexible as Linux with Iptables & tc but they have most of the features you'd want in a high quality commercial grade network firewall.
-Tom

[YeOldeStonecat]

As a gateway in "passthrough" mode it boots and requests two IP addresses. One for the gateway itself (so they [comcast] can address it) and one for YOU. It then assigns the lan interface the single static IP address you purchased from comcast and uses the gateway IP for it's tech interface. This is the mode I chose. I also disabled the firewall and router in the gateway since I already have my linux server set up as an effective firewall router. I also turned off the DHCP server in the Gateway since I already have one on my server as well.

I have gone through the setup and I still say NO to unnecessary external routers. Your Domain controller IS a router.

I think it might be a bit of confusion on your part about how the Comcast Gateway's work. See my post and ask comcast.

It also might be confusion on your part about how a firewall operates. It's nothing like the firewall they describe o
Web servers.....I would never...ever...put a web server inside of a basic NAT router alongside of my primary business network.
Not sure what you mean. Physically or in address space?
Isn't this exactly what you're describing,?

SMC Gateway->LinkSys/Cisco router->clients / servers

Is there perhaps an easier, less confusing way for you to do these setups?

SMC Gateway->Domain Controller->Windows Client

Exactly..you're almost getting my point. However, you'll find most IT guys that setup and support networks for businesses will not want a Windows server exposed on a public IP address. If you like running your Windows Server multi-homed doing RRAS..fine, but most of us in the community do not. Even if it were running ISA...too much maint and constant monitoring and patching. We prefer to keep our clients network fully protected behind NAT..and then some.

Do you do any work in consulting/supporting SMB networks? If you do, and you prefer the method of having your clients Windows servers and workstations on public IP addresses...wow, I hope your clients don't have much for information and can afford downtime while formatting machines on a regular basis.

You argue against using your own router behind the SMC...yet you quote "This is the mode I chose. I also disabled the firewall and router in the gateway since I already have my linux server set up as an effective firewall router."

I take the first public IP address from the block of 5 that Comcast assigns my client..and I assign that to the WAN/RED interface of a firewall/router that I put in place. This way the entire network is protected from the internet.

"External routers additional overhead?" Yet another service I don't want on a domain controller..besides the massive increase in a DC coming under attack from the internet, it adds overhead. We want our DCs running lean and mean doing basic infrastructure roles for our clients network. We don't use home grade routers either, we use business grade hardware at the minimum..so there's no performance loss here.

The basic mindset here...the SMC appliances used by Comcast are insufficient for most of my clients needs, sure they're fine for the average home user and very small business networks. But I, as well as many other techs, prefer to use superior routers/firewall instead of the SMCs.

Webservers...you'll find most IT consultants don't want webservers on the same LAN as the primary business network. Webservers are a huge security hole for the network.

What you're calling "passthrough mode"...you don't have to request that at all. When you sign up for a static biz account with Comcast...the modem getse installed. You are handed a sheet of paper with the details of your IP block they assign to your account. From that point on, you do what you want. Either use the SMC in its default mode..plug your network into it, your network gets a 10.1.10.xxx address..and yes you can indeed surf the internet. You state "It's not used in any way for internet communications."...that's not true, I can go to any of my clients..plug my laptop into the back of the SMC and my laptop will pickup a 10.1.10.xxx address..and I can surf the internet on the IP address the SMC has on the internet (which is a different IP from the static assigned IP to my firewall). That's the ease of leaving DHCP enable on the SMC..you actually don't have to disable it, since if you're using your own router with your assigned static IPs and you plug that info into the WAN interface of your own router.

[siggma]

Moved to a new thread, see here:https://www.speedguide.net/forums/viewtopic.php?t=262721

[antseo]

Hi. If I could piggyback on this thread and receive some help that would be great. I had a Juniper firewall tech come in to set up my new Juniper firewall. He installed 2 subnets..subnet 1 for personal use and subnet 2 for business use. I'll be setting up a new web server on subnet 2.

I do have comcast business line as well and 13 assigned to me according to the comcast tech that came out and set me up. I also called a business line tech last night to confirm that indeed those static ips were assigned to me. He comfirmed they were. He had me do an exercise where I ran the cable directly from the comcast modem to the laptop and we plugged in the tcp/ip settings and we confirmed the ip assigned to me came up (I believe in ipconfig in cmd prompt but I can't remember).

The problem arose after the firewall was set up that the ip showing up for us was not the ip assigned to me. It appeared to be an ip starting with 10.1.x.x but not the static ip assigned to me.

Also, a concern that this tech that installed the firewall had was that my name was not listed in the Arin Whois database for this range of ips. Comcast is mentioned in top and bottom lines. He said my name (or my company) should be on the bottom line. Is that correct? Should my name be listed there?

I also am going to be repurposing 2 other machines as dns servers into subnet 2 but this whole ip/firewall issue needs to be resolved first. The tech is coming back out tomorrow evening to figure out why the modem is sending the firewall the wrong ip (again, it's sending it the 10.1.x.x ip).

Also, my phone service is not working as a result of the firewall being setup. Not sure if anyone has insight into a fix on that too.

Any help is appreciated greatly.

[siggma]

The address you see (10.1.10.x) is from the Gateway. In default mode it generates an internal address via NAT.

To use a static IP, on the computer you plug into the interface, assign it one of your Static IP addresses. Also make sure you use the correct netmask and DNS servers from your Comcast sheet. It should then be "public", assuming you have a domain name registered and an A record pointing to your static IP.

[YeOldeStonecat]

Hi. If I could piggyback on this thread and receive some help that would be great. I had a Juniper firewall tech come in to set up my new Juniper firewall. He installed 2 subnets..subnet 1 for personal use and subnet 2 for business use. I'll be setting up a new web server on subnet 2.

I do have comcast business line as well and 13 assigned to me according to the comcast tech that came out and set me up.

Your setup is quite similar to all the prior posts in this thread, the 10.1.xxx.xxx is standard for the SMC. What you do with your 13 static addresses is up to you, but you have to go in and assign devices those additional public IP addresses. By default you don't have them.

What model Juniper?

[antseo]

The model number Juniper is the SSG5 with auxiliary backup. Just got it this week. It's using version 6.x I believe.

Where in the Juniper admin ui do I assign those static IPs? Which link in the tree nav do I go?

Also, any idea why my phone line is not working?

Also, is it a big deal that my company is listed in the Arin Whois DB? Users should be able to find my dns servers once I set those up, correct? This tech mentioned something about a reverse dns lookup but I don't know what that is about.

[antseo]

sorry, need to rephase that last question.. should be.. Also, is it a big deal that my company is NOT listed in the Arin Whois DB?

[YeOldeStonecat]

With your block of 13x static IPs....how you setup your network is dependent on a few things.
*How large will your network be?
*What "services" do you need to have on public IP address(es)

Once you kind of have an idea of what you expect out of your network, I'd have the Juniper tech come back..hand him that information about your static IPs from Comcast, and work with him on coming up with a network design and how to best implement the services you need, with your setup. I'd also include mentioning your phone service, since you say it stopped working once the firewall was up, I'm guessing you have a VoIP phone service? The guy that setup the Juniper needs to know that info, so he can setup the QoS 'n such for your VoIP service.

If you go to http://www.whatismyip.com is the IP address that shows up one of the IP addresses in your block from Comcast?

[antseo]

yes, I'm using voip using T-mobile @home service. They provided the Linksys router.

If the firewall is set up and I go to http://www.whatismyip.com, it's not one of my assigned static ips.

How would he set up the QoS and where is done.. in the linksys router settings, firewall settings?

[YeOldeStonecat]

Oh they have a Linky router too? Or just their VoIP box? How is that interfaced into the network?

[antseo]

not sure about that. T-mobile came in and installed the t-mobile@home service and set up the linksys router. now according my tech guy, the router has nothing to do with ip issue. the modem is not passing the correct ip to the firewall supposedly. when I plug in the cable directly from the modem to the laptop and change the tcp/ip settings, I get the correct assigned ip at http://www.whatismyip.com. When I remove those tcp/ip settings and plug in the firewall, I get the dhcp ip from comcast. So..

Subnet 1 = modem -> router -> subnet 1 on firewall which is personal
Subnet 2 = firewall (which is business) -> Internet port on linksys router

[YeOldeStonecat]

Usually with VoIP boxes, I'm not familiar with the ones from your provider, but I commonly setup similar ones from Vonage and other services in my area. The unit they send you is a router itself, but you can use it behind your current router just fine. It will have colored ports on it, probably blue and yellow, if you're using it behind your own router you use just 1 of those ports. Probably the yellow one, just uplink it to your primary switch which is plugged into your main router.