heliotech-it's profile



4 Messages

Tue, Jan 5, 2016 3:00 PM

Static IPs not working with new Business Internet service?

We have a 5 static IP block associated with our new Comcast Business Internet service.    Currently, our Comcast modem is in bridge mode because we are providing our own firewall to sit behind the modem.


When I configured a static IP in our assigned IP range to the firewall's external facing interface and plugged that into the first port on the Comcast modem, attempts to ping our assigned gateway address were rejected.  However, when I set the external interface to DHCP, the device was able to receive an IP address from the Comcast network.   


My questions are:


a) Is connecting to the modem using DHCP, when you've been assigned static IP range, supposed to be possible like this?

b) What are the common troubleshooting methods to use, when attempts to connect to the Comcast network using a Comcast assigned static IP aren't working?


Forum Contributor


306 Messages

5 y ago

a) Is connecting to the modem using DHCP, when you've been assigned static IP range, supposed to be possible like this?




The ONLY WAY that a static IP block of 5 IP addresses can be used is the following:




Step #2:  Number the public IPs as follows:











where GW = LAN interface of the rented Comcast modem.


Sorry!  This has got to be the suckiest thing about the service there is.


Your "handoff" from them is the ethernet port of their modem, and no, you cannot get a /28 and subnet that either, their modem won't support it.


They assume anyone who needs a static IP will rent their modem.  The reason why is because of how they have configured their core routers.


For many ISPs they configure their cores with a list of static IP subnets and use DHCP to assign a reserved IP to the end user.  Then the end user always gets the same public IP number and there's a static route at the next hop router that points to that public number.


With Comcast their core routers speak BGP amongst themselves, and RIP to the remote cable modems that have static IP subnets in them.  For remotes that do not have static IP, they don't use RIP they just use DHCP and you get whatever the number 'o the day is.  For remotes that do have static IPs in them, those cable modems advertise that route back to the core routers.


The advantage of doing it this way is that if a remote goes offline, its route in their core disappears so Comcast is not paying to pass traffic that will just go into the bit bucket.


The disadvantage is that unless you secure the remotes, you are going to get jerk-offs who think it's amusing to advertise routes like back to their local core router and knock it offline.


And you cannot secure the remotes if you don't have legal possession of them.  To get this you make the subscriber rent the modem.


This is not to say that it would be impossible to put a Comcast cable modem into a monitored network and then obtain the password of the day, and login to the Comcast cable modem as a root administrator and do this.


However, the intelligence and knowledge to know how to do this is sufficiently high that the people who DO have the ability to do it either all work for Comcast or they have better uses of their time than trying to knock off one of Comcast's cores.


Trusted Forum Contributor


1.4K Messages

5 y ago

Hello heliotech-it and welcome,


First, you must NOT have your Comcast Gateway (CG) in True Bridge Mode (TBM), especially if you are using a 5 block static IP Address block.  This is because when the CG is in TBM, this disables ALL DHCP LAN, Static IP, NAT, DMZ, and all other routing. Second, if you are using a static IP in your firewall device, then you MUST make sure that you are programming your firewall device WAN with one routable static IP, the gateway static IP and the subnet static IP ( addresses minimum. It is always good practice to add your primary DNS = and secondary DNS


If your CG is a DPC39XXB device and you want to use its private and/or public WIFI then enabling the CG DHCP is a viable option. Standard troubleshooting procedures are as follows:


1. Make sure the DPC39XXB CG is NOT in TBM


2. Make absolutely sure the firewall device WAN interface is accurately programmed with the correct static IP routable, gateway, and subnet mask addresses. These 3 parameters are mandatory.


3. Make sure that the Ethernet network cable is plugged into the FW WAN/Internet Port and the other end is connected into any CG LAN Port 1-4 interconnect. Make sure the LAN Port LED is either flashing or solid green (1 Gbps) or amber (10-100 Mbps). If the LED is not lit up then replace the Ethernet cable and try again.


4. Jump onto the internet and first confirm you can ping to the static IP gateway address and this means that the CG is on line and operational. If this is not operational, call 800-391-3000, use high speed internet technical option and ask the technical agent to log into your CG and confirm that your static gateway IP address has been correctly programmed into your CG.


5. After you can obtain replies from your static IP gateway address confirming the CG is operational, then ping your static IP routable address that you used within the firewall device WAN interface. If you do not receive ping replies, check the LED on the WAN port connector to make sure it is lit up. Also check your exact programming of the static IP routable, gateway, subnet mask, PriDNS and SecDNS addresses.


6. If you can receive replies from both the CG and Firewall device, then try to access the internet from your firewall device WAN interface. If you can then you are now up and running.


Hope this helps you out.
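
An added example, not part of the original post and not Comcast tooling: a Python check for step 2 of the reply above, confirming that the firewall's static IP, gateway and subnet mask agree with each other before any ping tests. The addresses come from the 203.0.113.0/24 documentation range, and the 255.255.255.248 mask and the gateway's position in the block are assumptions, since the thread does not give the real values.

```python
import ipaddress


def check_wan_config(ip, mask, gateway):
    """Return a list of problems with a static WAN config (empty list = consistent)."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:  # covers bad addresses and non-contiguous masks
        return [f"invalid address or subnet mask: {exc}"]
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"invalid gateway: {exc}"]

    net = iface.network
    reserved = {net.network_address, net.broadcast_address}
    problems = []
    if gw not in net:
        # An off-subnet gateway is never ARPed for, so pings to it fail.
        problems.append(f"gateway {gw} is outside {net}")
    elif gw in reserved:
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    if iface.ip in reserved:
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if iface.ip == gw:
        problems.append("firewall WAN IP is the same as the gateway IP")
    return problems


def usable_addresses(mask, gateway):
    """Host addresses left for customer devices once the gateway takes one."""
    net = ipaddress.IPv4Network(f"{gateway}/{mask}", strict=False)
    gw = ipaddress.IPv4Address(gateway)
    return [str(h) for h in net.hosts() if h != gw]


if __name__ == "__main__":
    # Constructed sample values (documentation range), not a real assignment.
    GATEWAY, MASK = "203.0.113.14", "255.255.255.248"
    print("usable:", usable_addresses(MASK, GATEWAY))
    for wan_ip, wan_mask in [("203.0.113.10", MASK),
                             ("203.0.113.10", "255.255.255.252"),
                             ("203.0.113.15", MASK)]:
        issues = check_wan_config(wan_ip, wan_mask, GATEWAY)
        print(wan_ip, wan_mask, "->", issues or "consistent")
```
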




4 Messages

5 y ago

This appears to be the root issue.   I believe the modem is in true bridge mode at present.


How would I take the modem back out of true bridge mode, in order to get my public static IPs to route properly?