derekc, Occasional Visitor, 7 Messages

Tue, Aug 25, 2015 9:00 PM

Firewall setting and port forwarding with Cisco DPC3939B with 5 static IPs.

My setup is just a Cisco DPC3939B with 5 static IPs, no router and no firewall after it. It connects to an Ethernet switch just like all my other devices on the LAN do. The LAN is a Windows Active Directory domain with Exchange 2010, a web server, a few PCs, tablets, and a few IP cameras.

The LAN is 192.168.0.x/24. So, after Comcast told me the Cisco DPC3939B was enabled with the 5 static IPs, the first thing was to change the LAN IP on the DPC3939B from 10.1.10.1 to 192.168.0.1, then disable its DHCP server. Now my PCs on the LAN get IPs from the Windows DHCP server (and register with Active Directory) and get to the Internet through the DPC3939B at 192.168.0.1.

Then, next is to set up the 1:1 NAT under Advanced, NAT:

[Screenshot: Advanced > NAT, 1:1 NAT page]

Suddenly, my mail server gets incoming emails and my web server is browseable from Internet. Yay!

 

The question I have now is whether my servers are totally unprotected on the Internet, or whether the DPC3939B has a few ports opened by default to each of the 1:1 NAT addresses. Here is the confusing firewall menu in its default setting:

[Screenshot: Gateway > Firewall > IPv4, default settings]

1. What is "Disable Firewall for True Static IP Subnet Only"?

2. When I check "Disable Ping on WAN Interface" and click Save Settings, it unchecks itself. Bug?

3. It is at Minimum security by default. What is "Block as per below and enable IDS IDENT (port 113)"?

 

So, I googled around and this thread has a similar situation:

Domain Names/Static IP

 

According to VBSSP-RICH, I need to uncheck "Disable Firewall for True Static IP Subnet Only", then go to Advanced, Port Mgmt, uncheck "Disable all rules and allow all inbound traffic through" and select "Block all ports but allow exceptions below":

[Screenshot: Advanced > Port Management]

Now, the MAIN QUESTION is this: before I add any rules for port forwarding, my mail server still gets incoming email (mxtoolbox.com tested it and got a response from my mail server) and my web server is still browseable from the Internet. Why? Does it mean my servers are totally out in the open?

 

I hate this stupid DPC3939B. Yet I can't set it to bridge mode, and I don't want to invest in another router (one that can support multiple WAN IPs) and have one more device to manage.

 

What did I do wrong?

 

 

Responses

Occasional Visitor, 7 Messages, 6 y ago

How can I get Comcast to answer this question?

Or could anyone please try to duplicate this problem? If it is true, then your server is totally open to the Internet.

Occasional Visitor, 7 Messages, 6 y ago

Anyone reading this please?

Occasional Visitor, 9 Messages, 5 y ago

Did you sort this out? I'm having similar issues with the setup configuration.

Occasional Visitor, 7 Messages, 5 y ago

Nope. I thought I was the only one.

I can say that if you have multiple (not just one) static IPs, the firewall on the Cisco 3939 will just be WIDE OPEN after you set up your 1:1 NAT. Say you have a mail server with port 25 SMTP open: go to mxtoolbox.com and test it. EVEN IF YOU TURN ON THE FIREWALL AND HAVE NO PORT FORWARDING RULE SET UP, MXTOOLBOX WILL STILL BE ABLE TO GET TO YOUR SMTP PORT.

JeffreyWest, can you please confirm that?

Anyone else experiencing the same?

Anyone else have a solution?

I do want to add another firewall after the 3939. The 3939 is supposed to do the firewall job (and port forwarding). It is sad that Comcast would just say that configuring our internal LAN is our job, and to hire a professional if you can't figure out how.
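Both the original question (mail and web still reachable before any port-forwarding rule exists) and the later reply (SMTP answering mxtoolbox with the firewall on) come down to the same test: probe the 1:1 NAT'd public addresses from outside and compare what answers against what you meant to publish. The script below is an added example written for this thread, not code from the original posts or from Comcast or Cisco. The public IPs (203.0.113.x, a documentation range), the per-IP allow-list and the port list are constructed placeholders; substitute your own static IPs and intended exceptions. It must run from outside the LAN (a phone hotspot, a friend's connection or a rented VPS), because a test from inside the 192.168.0.x network never crosses the gateway's WAN firewall and proves nothing.

```python
# Added example (not from the original thread): external exposure check for
# 1:1 NAT'd static IPs behind a DPC3939B. Run from OUTSIDE the LAN.
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set

# Intended exceptions per public IP (constructed placeholders; replace with
# your own). Anything else that answers is something the gateway should block.
ALLOWED: Dict[str, Set[int]] = {
    "203.0.113.10": {25, 443},   # mail server: inbound SMTP, HTTPS webmail
    "203.0.113.11": {80, 443},   # web server
    "203.0.113.12": set(),       # IP cameras: nothing should be reachable
}

# Ports worth checking on a Windows/Exchange LAN: the services you meant to
# publish plus the ones you very much did not (SMB, RPC, RDP, IDENT).
PROBE_PORTS: List[int] = [21, 22, 25, 80, 110, 113, 135, 139, 143,
                          443, 445, 587, 993, 3389, 8080]


def tcp_open(ip: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes. A dropped port times out and a
    closed one is refused; both count as 'not open'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(targets: Iterable[str], ports: Iterable[int],
         probe: Callable[[str, int], bool] = tcp_open) -> Dict[str, Set[int]]:
    """Map each target IP to the set of ports that accepted a connection.
    `probe` is injectable so the logic can be exercised without a network."""
    ports = list(ports)
    return {ip: {p for p in ports if probe(ip, p)} for ip in targets}


def unexpected_exposure(observed: Dict[str, Set[int]],
                        allowed: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """Open ports that are not on the allow-list for that IP. A non-empty
    result means the gateway is passing traffic no rule permits."""
    leaks: Dict[str, Set[int]] = {}
    for ip, open_ports in observed.items():
        extra = open_ports - allowed.get(ip, set())
        if extra:
            leaks[ip] = extra
    return leaks


def smtp_greeting(ip: str, port: int = 25, timeout: float = 5.0) -> Optional[str]:
    """Read the server's 220 banner, the same thing the mxtoolbox SMTP test
    shows. Returns None if nothing answers on that port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(512).decode("ascii", "replace").strip() or None
    except OSError:
        return None


if __name__ == "__main__":
    observed = scan(ALLOWED, PROBE_PORTS)
    for ip in ALLOWED:
        print(f"{ip}: open {sorted(observed[ip])}")
    leaks = unexpected_exposure(observed, ALLOWED)
    if leaks:
        print("UNEXPECTED exposure (gateway is not filtering):", leaks)
    else:
        print("Only the intended ports answer.")
    print("SMTP greeting from mail server:", smtp_greeting("203.0.113.10"))
```

Run it once with "Disable Firewall for True Static IP Subnet Only" checked and once with it unchecked and "Block all ports but allow exceptions below" selected but no exceptions added. If the second run still reports 25 and 80 open (or worse, 445 or 3389), the gateway firewall is not filtering the static subnet, which is what the thread describes; until that is resolved, the servers' own host firewalls are the only thing between them and the Internet.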