Connection Pro and Real Enterprise Firewall (SonicWall, Sophos, Cisco, etc.) Failover Failure
Sorry for the cross-post: I initially put this in Hardware, but I see the sticky on the Connectivity forum advertising the Connection Pro service.
I have been searching for a month, and I have been unable to find a post or a support person at Comcast who can address what should be a straightforward setup for any dedicated business failover. I have accomplished this with multiple providers (e.g., Comcast and T1), but I can't seem to get it working for Comcast Connection Pro and the Cradlepoint. This is what I have before setting up the Comcast 4G backup:
1. We have a Comcast gateway with a static IP.
2. The Comcast gateway gives my firewall WAN1 a static IP.
3. The firewall does all the routing, DHCP, and endpoint protection for my client.
In any IT world I have ever experienced in my 20 years, the backup connection (4G or any other) would plug into the firewall as WAN2. The firewall controls the actual failover.
I am told: the Cradlepoint can only do DHCP, which in my installation is just fine, since all they need is outgoing internet and no VPNs or direct connections.
If I plug the Cradlepoint into WAN2 and set it up for failover, it does NOT provide a DHCP IP to the firewall. I have even tested this by pulling the gateway power and seeing my firewall fail over seamlessly, but the Cradlepoint does not kick in. Everyone at Comcast tells me that the gateway must be connected to the Cradlepoint, and the Cradlepoint MUST be the DHCP server for the local network. That means no more firewall, and all real protections must be removed for Connection Pro to work.
I beg of someone here to tell me I am wrong. I have not found the right person with the necessary network failover experience to tell me I am wrong and that this can do a proper failover.
I have never heard of any enterprise or small business firewall that can use one WAN input and automatically switch it to DHCP. It's always a 2nd input into the firewall that is configured for the 2nd backup WAN connection. Comcast, I could sell 100 of these Connection Pro systems in the next year if that can be accomplished. The Cradlepoint hardware will do this independently, but it seems Comcast has locked them down to only be used INLINE.
FYI: if my firewall had a SIM slot, I would plug the SIM from the Cradlepoint into the firewall, but my firewall does not have that.
Any help would be much appreciated, by PM or publicly. I have seen many people all over the internet who can't seem to get this done or get a clear answer. The Comcast clients need to have the information. Support telling us that the IT people must figure it out from there is just not acceptable. Our installer instructions came as 3 handwritten lines on the back of an envelope.
I am an IT professional with 20 years of experience and know my networking. Why does no one at Comcast understand it, or is there any clear technical information? I was on with Level 2 for an hour today, and it's like talking with his cousin's friend's brother, the IT guy from the old neighborhood.
Please help me understand this and provide a solution for me and everyone. Otherwise, it's a paperweight that's going back.
The IT Guy 🙂
3 years ago
I am in the same boat and actually just started a new thread about this. I was assured by Comcast that this would work, but, seeing how it is set up, I do not see how it can if my firewall cannot go from static to DHCP on the same port.
I was told by an onsite tech that these were meant for small mom-and-pop-type shops where everything is just managed by the modem. If that is the case, then this should be explained to us so we know that it is not meant for a business-grade environment.
But I would love to have someone tell us that there is a way to get it to act as a real failover directly to a firewall.
3 years ago
I was able to get this to work last night on a SonicWall. I plugged the Cradlepoint from port 1 into X2 on my SonicWall. The Comcast tech who came out to do the setup had it plugged from WAN to the modem.
I set up X2 to be a WAN connection with DHCP, renewed the IP for that interface, and was able to get an IP. I had to reboot a computer here to test the failover, since this site has Azure AD set up with no on-prem servers, so DHCP and DNS are provided through the firewall. It was up and running, and yes, it was slow, but it worked for my client.
So yes, it is possible but you would have to make sure you actually set it up and not rely on Comcast.
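The setup the original post asks for (WAN1 static from the cable gateway, WAN2 a DHCP lease from the Cradlepoint, with the firewall deciding when to fail over) and the SonicWall X2 configuration in the reply above are both done through a vendor UI. As an added example that is not from any poster in this thread, the script below shows the same design on a Linux-based router: WAN2 takes a DHCP lease with `dhclient`, both uplinks get a default route with WAN1 preferred by metric, and a probe loop with hysteresis demotes WAN1 only after several consecutive failures and promotes it again only after several consecutive successes, so a single lost packet does not flap the default route. Interface names, gateway addresses, the probe target and the thresholds are assumptions; `DRY_RUN=1` (the default) prints the `ip route` commands instead of running them so the decision logic can be exercised without touching a live routing table.

```shell
#!/bin/sh
# Added example, not from the thread: dual-WAN failover on a Linux router.
# WAN1 ($WAN1_IF) has a static address from the cable gateway; WAN2 ($WAN2_IF)
# gets its address by DHCP from the Cradlepoint. All names/addresses are assumed.

WAN1_IF=eth0
WAN1_GW=203.0.113.1        # assumed static gateway handed out by the Comcast gateway
WAN2_IF=eth1
WAN2_GW=192.168.0.1        # assumed gateway on the Cradlepoint's LAN side
PROBE=9.9.9.9              # assumed probe target reachable over either uplink
FAIL_THRESHOLD=3           # consecutive failed WAN1 probes before failing over
RECOVER_THRESHOLD=5        # consecutive good WAN1 probes before failing back
DRY_RUN=${DRY_RUN:-1}      # 1 = print route commands instead of executing them

# run_or_echo: execute a command, or print it when DRY_RUN=1.
run_or_echo() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# dhcp_wan2: obtain the DHCP lease on WAN2; the Cradlepoint only offers DHCP,
# which is all the backup path needs for outbound-only traffic.
dhcp_wan2() {
  run_or_echo dhclient -v "$WAN2_IF"
}

# install_routes: one default route per uplink. The lower metric (WAN1) wins
# while both exist; failover is done by changing WAN1's metric, not by
# deleting routes, so the probe can still be forced out of WAN1 afterwards.
install_routes() {
  run_or_echo ip route replace default via "$WAN1_GW" dev "$WAN1_IF" metric 100
  run_or_echo ip route replace default via "$WAN2_GW" dev "$WAN2_IF" metric 200
}

# probe_via IF: a single ICMP probe bound to a specific interface (-I), so the
# result reflects that uplink regardless of which one currently holds the
# preferred default route.
probe_via() {
  ping -c 1 -W 2 -I "$1" "$PROBE" >/dev/null 2>&1
}

# Failover state machine. STATE is "wan1" (preferred path up) or "wan2"
# (failed over). Counters track consecutive WAN1 probe results only, since
# WAN1 is the link we fail away from and back to.
STATE=wan1
FAIL_COUNT=0
OK_COUNT=0

# step RESULT: feed one WAN1 probe result (0 = good, non-zero = bad) into the
# machine and adjust the route metric when a threshold is crossed.
step() {
  if [ "$1" = 0 ]; then
    OK_COUNT=$((OK_COUNT + 1)); FAIL_COUNT=0
  else
    FAIL_COUNT=$((FAIL_COUNT + 1)); OK_COUNT=0
  fi
  if [ "$STATE" = wan1 ] && [ "$FAIL_COUNT" -ge "$FAIL_THRESHOLD" ]; then
    STATE=wan2   # demote WAN1 below WAN2 so new flows leave via the Cradlepoint
    run_or_echo ip route replace default via "$WAN1_GW" dev "$WAN1_IF" metric 300
  elif [ "$STATE" = wan2 ] && [ "$OK_COUNT" -ge "$RECOVER_THRESHOLD" ]; then
    STATE=wan1   # WAN1 has been stable long enough; make it preferred again
    run_or_echo ip route replace default via "$WAN1_GW" dev "$WAN1_IF" metric 100
  fi
}

# monitor: the live loop; runs only when invoked as "sh failover.sh monitor".
monitor() {
  dhcp_wan2
  install_routes
  while :; do
    if probe_via "$WAN1_IF"; then step 0; else step 1; fi
    sleep 5
  done
}

case "${1:-}" in
  monitor) monitor ;;
esac
```

Existing connections that were NATed out of WAN1 do not survive the switch; only new flows follow the new default route, which is the same behaviour the SonicWall reply observed when a client had to be rebooted. Raising `RECOVER_THRESHOLD` above `FAIL_THRESHOLD` is deliberate: failing back too eagerly on a flapping cable link costs more than staying on the slower 4G path a little longer.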