DManciniXDS
Sunday, September 12th, 2021 9:03 PM

Inbound Traffic on Gateway IP

So I just got Comcast Business with 5 Statics.  After some (lengthy) experimentation, I finally got my static IPs sorted out by assigning each of the 5 statics as a separate IP on the IPv4 interface of the NIC for my Windows Server box (also ordered a multi-port NIC) and then using True Static IP Port Mgmt. on the gateway to allow only the desired inbound ports (80/443 for now).

Since I have (for example) x.x.x.15 – x.x.x.19 as my 5 statics, and x.x.x.20 as the gateway, doesn't that technically make for 6 static IPs, since the gateway IP (I assume) doesn't change, and since it is possible to map inbound traffic for the gateway IP using "regular" Port Forwarding?

My real question is this:  Are there any business / practical / security / ToS-related reasons *not* to accept any inbound traffic on the gateway IP itself? (E.g., reduced throughput, safety concerns due to handling or increased likelihood of DDoS, not allowed by Comcast ToS, etc.)

Reason for asking is that I planned to use the 5 statics to divvy up amongst some small sites and web apps I'm serving, and had planned to use the gateway IP to accept connections for a VPN-passthrough down to a router on which my home network is based (subnet of which is thus isolated from the public server; poor man's firewall).

But, it occurred to me that since Comcast advertises it as "5" statics, rather than six, maybe there's a good reason not to accept inbound traffic on the gateway IP.  Thoughts?

2 years ago

I had the "5 static addresses" for years and recently upgraded to the "13 static addresses" along with faster service. When you get static addresses, you are essentially assigned a 2, 3, or 4 bit subnet (i.e. a /30, /29, or /28 in CIDR notation).

In every case, the first and last addresses in the block are the network and broadcast addresses and can't really be used for anything other than routing information. The second to last gets taken by your Comcast gateway, and the remaining addresses can be assigned to your network devices, servers, whatever.

As you've found out, it's possible to enable port forwards from the gateway to an internal address on the private subnet that the cable modem assigns to its LAN interface. You can forward one port to one device and another port to a different device if you want, or you have the option of setting a DMZ device where all inbound ports are forwarded to one internal address except things filtered out by the firewall. This has the effect of giving you what is essentially one more public address. I operated like that for a while and it worked fine, never got any nastygrams from Comcast.

One caveat to consider is that packets arriving at the public gateway address from your private network or your other public IP addresses do not get NAT'd or forwarded, so while the rest of the internet will see that address and port as though it were the intended device, all your internal stuff will just see the Comcast gateway, so you'd have to access it using its private IP address instead.
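The block layout the reply above describes (first address = network, last = broadcast, second-to-last = gateway, the rest assignable), as an added Python example that is not part of the thread. The 203.0.113.8/29 block is a constructed value in the documentation range; the /28, /29 and /30 sizes correspond to the "13 static" and "5 static" offerings mentioned above, and the classifier is a quick check that an address you are about to bind to a server NIC is actually one of the assignable ones rather than the gateway, network or broadcast address.

```python
import ipaddress

# Constructed example block (not from the thread): a /29 in the 203.0.113.0/24
# documentation range. Roles follow the reply above: first = network,
# last = broadcast, second-to-last = Comcast gateway, the rest are yours.
EXAMPLE_BLOCK = "203.0.113.8/29"


def static_block_layout(cidr: str) -> dict:
    """Map every address of a /28, /29 or /30 static block to its role."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 28 <= net.prefixlen <= 30:
        raise ValueError("expected a /28, /29 or /30 static block")
    hosts = list(net.hosts())  # everything except network and broadcast
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "gateway": str(hosts[-1]),               # second-to-last address overall
        "usable": [str(h) for h in hosts[:-1]],  # what Comcast counts as "statics"
    }


def classify(cidr: str, addr: str) -> str:
    """Say which role a candidate address plays in the block, or 'outside'."""
    layout = static_block_layout(cidr)
    ip = str(ipaddress.ip_address(addr))
    for role in ("network", "broadcast", "gateway"):
        if layout[role] == ip:
            return role
    return "usable" if ip in layout["usable"] else "outside"


if __name__ == "__main__":
    layout = static_block_layout(EXAMPLE_BLOCK)
    print(f"{EXAMPLE_BLOCK}: gateway {layout['gateway']}, "
          f"{len(layout['usable'])} usable: {', '.join(layout['usable'])}")
    for prefix in (30, 29, 28):
        n = len(static_block_layout(f"203.0.113.0/{prefix}")["usable"])
        print(f"/{prefix} block -> {n} assignable static address(es)")
```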