Equipment (Modems,Gateways)
Back to Top

How to bring your own equipment and have static IPs

Solimk
Occasional Visitor

How to bring your own equipment and have static IPs

While it may be going away. Classifying ISPs under Title II is a great thing, and requires that an ISP (Comcast) let you use your own equipment.  This is federal law, and even if Title II was repelead. Saying it is technically mandatory for you to use comcast's equipment just to get you to rent it, I'm pretty sure that could violate parts of the uniform commercial code, but let's just say the tech's don't know any better.

 

Let's clarify some things.

1. Comcast owns no propietary internet technology everything from your modem / router to their hub runs on well known standards usually described in RFC's

 

2.Every piece of comcast equipment you will see is mass produced linksys / netgear low end devices.

 

3. Comcast uses a well known standard called DOCSIS 3.0 to get you internet over coax, tftp to load your modems config and SNMP to manage it. While they have some smart people. They didn't make any changes to the standards and while some of them may have been a part of the design, I doubt it.

 

4. Comcast built it's one custom web interface for your device specificially designed to prevent a consumer from getting full access to their information.

 

5. Aside from popping up xfinity hotspots these modem/routers scan your internal network and are vulnerable. The CG300DCR for instance. You cannot fully turn off or change the 10.1.10.1 ip addresses. You can't isolate them. it also has an way more open ip address if 192.168.100.1/24. It will respond to DNS requests from almost any local ip set. It will grant that 10.1.10.1 access to the internet, and so on. It really is insecure.

 

6. At no time are all the Static IPs loaded into a comcast modem router. That doesn't even make sense.

 

Here is how comcast does their static ip address configuration.

 

There is a virtual port (or perhaps it's the coax port) that gets a dynamic public ip address. This is not part of your static range.

The modem/router then gets the default gateway IP address assigned to another virtual port. Which those ports on the back can talk to. 

 

What needs to be loaded is the dynamic routing config. (because apparently one spoke site couldn't possibly work with a static routing. That'd be to easy).

 

Comcast uses RIPv2 with an authentication key to do route updates. The comcast techs can log into your modem and see what this authentication key is, among other things and make other changes.

 

I rent a business class internet with 13 static IPs and I finally found an employee who would provide the info. I am running a CPE TP link modem in bridge mode and my Cisco 4948 is doing the RIPv2 routing, and it works, and a device I can fully control is now the gateway, which for people who use their own firewalls or perhaps like to not do nat on an internal network between public and private ips,and while I acknowledge that some of the comcast routers can do some of this, they don't do it well, their techs aren't informed and it just creates more headaches for the it department.

 

Anyway here's the excerpted config from my cisco 4948 switch, but any device that supports RIPV2 will be able to handle this.

 

So get a CPE modem and put it into bridge mode (I used a TPLINK 7620)

 

plug it into a port on the cisco switch (I used Gi1/1)

 

Configure rip globally. (notes in bold

 

////

router rip brings you into the rip config
version 2 specifies version
no validate-update-source This may not be necessary. In fact comcast doesn't send any rip routes your way
passive-interface default This turns off RIP messages going out all the interfaces on your switch,
no passive-interface GigabitEthernet1/1 This tells it to use port Gi1/1 to send RIP routing info
network 0.0.0.0 so this is lazy, it identifies any network you want to advertise and advertise on, but because the wan ip is dynamic there was really no other way
distribute-list 28 out GigabitEthernet1/1 This refers to an access list and uses it to prevent you from sending internal routes out to comcast
no auto-summary This is probably unecessary but a hold over from training or a place I worked

//////

 

 

////////  So  this access list basically blocks any private ip address from being advertised to comcast. (and I hope they have some safequards on their end. If you have other wan links in your network I would add them to deny statements if possible

access-list 28 deny 10.0.0.0 0.255.255.255
access-list 28 deny 172.16.0.0 0.15.255.255
access-list 28 deny 192.168.0.0 0.0.255.255
access-list 28 permit any

////////

 

/////// this is the authentication key for the rip messages, I've blocked it out. It's done in the global config

key chain comcast
key 1
key-string 7 ##########################

////////

 

 

////////// Interface to comcasat router

interface GigabitEthernet1/1
description /Link -> Comcast Router/
no switchport
ip address dhcp tell's it to grab an ip address via dhcp. Also on cisco make sure you don't have a gateway of last resort. this will add one to your config with a space than 254 at the end. If you have another one pointing at the same interface it will screw with your performance on some models
ip rip authentication mode md5
ip rip authentication key-chain comcast
ip summary-address rip xx.xx.xx.xx 255.255.255.240 this should be your static ip address, makes it really easy for rip to advertise
no cdp enable 
spanning-tree bpdufilter enable

//////////////

 

 

///////////////So to each his own, but I use Vlans and this just happens to be where my static ip vlan is.

interface Vlanxxx
description /Static Gateway/
ip address xxx.xxx.xxx.xxx 255.255.255.240

////////////

 

and we're done

 

 

 

 

 

 

 

 

 

3 REPLIES
pgfitzgerald
Occasional Visitor

Re: How to bring your own equipment and have static IPs

This is very interesting!

 

How did you manage to get the CSR to give you the RIPv2 authentication key?

 

Were you able to return their gateway and have the $15/month fee removed from your bill?

 

Thanks!

 

Paul

Solimk
Occasional Visitor

Re: How to bring your own equipment and have static IPs

I wasn't able to reply earlier for some reason. The comcast rep just gave it to me. It actually worked for twelve hours. (I believe they rotate their keys daily or weekly through SNMP) and then another rep gave me a key. I got high up in the corporate net until I got told that it wasn't going to happen and It's inpractical to change the keys daily. I am still actively fighting this. Comcast is a title II covered entity which means they are covered under federal law specifically.

 

  • 8.5 No blocking.

A person engaged in the provision of broadband Internet access service, insofar as such person is so

engaged, shall not block lawful content, applications, services, or non-harmful devices, subject to

reasonable network management.

  1. Section 8.7 is amended to read as follows:

 

  • 8.11 No unreasonable interference or unreasonable disadvantage standard for Internet conduct.

Any person engaged in the provision of broadband Internet access service, insofar as such person is so

engaged, shall not unreasonably interfere with or unreasonably disadvantage (i) end users’ ability to

select, access, and use broadband Internet access service or the lawful Internet content, applications,

services, or devices of their choice, or (ii) edge providers’ ability to make lawful content, applications,

services, or devices available to end users. Reasonable network management shall not be considered a

violation of this rule..

 

and

 

No-Unreasonable Interference/Disadvantage Standard.


Transparency Requirements.

216. For a practice to even be considered under this exception, a broadband Internet access
service provider must first show that the practice is primarily motivated by a technical network
management justification rather than other business justifications. If a practice is primarily motivated by
such an other justification, such as a practice that permits different levels of network access for similarly
situated users based solely on the particular plan to which the user has subscribed,558 then that practice
will not be considered under this exception. The term “particular network architecture and technology”
refers to the differences across broadband access platforms of any kind, including cable, fiber, DSL,
satellite, unlicensed Wi-Fi, fixed wireless, and mobile wireless.559.

 

Here's a hint engineers it's called static routing or ACLs on your routing protocols, and why can't I have snmp and syslog access to the modem router?

 

anyone please pm me if you have more questions

seanpdiaz
New Member

Re: How to bring your own equipment and have static IPs

I am curious as well, were you able to get this working and return their gateway and get the $15 taken off of your bill. 

Discussion stats
  • 3 replies
  • 777 views
  • 0 kudos
  • 3 in conversation