New problem solver
•
39 Messages
Saturday, July 11th, 2015 5:00 PM
Bridge mode
I need to get into a true bridge mode. I have a /30. I've spent an hour on the phone trying to get it done so far.
Responses
Accepted Solution
train_wreck
Gold Problem solver
•
610 Messages
9 years ago
Yeah, bridge mode disables all routing capabilities of the gateway and essentially turns it into a regular retail cable modem. Comcast uses specific routing technologies to allow customer-assigned static IPs onto their network, and bridge mode disables these technologies.
If your gateway has been provisioned properly with your static IP, you should be able to configure any of your own devices with your static IP information and just plug it into the gateway's ethernet ports. The gateway will allow all traffic to/from static IP devices. Make sure that the gateway's firewall settings (available at http://10.1.10.1) are configured to "Allow all traffic through" - this should be a checkbox on one of the configuration pages.
The gateway is your ethernet handoff, in essence.
Accepted Solution
cekim
Visitor
•
2 Messages
9 years ago
Not sure if this will help anyone else, but this is the sort of search I was doing before starting:
multiple (5) static IPs, QoS router behind Cisco modem and NOT in bridge mode.
For those that haven't figured it out, they have set the modem up to pass the public/static IPs through to the LAN side, so if you have a device that answers to your static IPs on the LAN side, the comcast modem will pass the traffic to it (out of the box, as configured during install).
That is, you assign the provided public IP/NETMASK/DNS to either a computer or a route in another router on the LAN side of the comcast modem and it will make it appear as if it is directly connected to the internet.
You can either filter the ports in the comcast modem, or disable the firewall and pass everything to those IPs.
In my case, I clamped down the comcast firewall as tight as possible, defaulting to block, passing only those ports I need for services I provide. This is redundant as the QoS router also blocks all but those ports served, but the sooner I stop bad traffic the better as far as I am concerned.
So, the comcast router passes my 5 static IPs to an internal router (Netgear proSafe) that is itself in NAT mode. It maps WAN->LAN by treating the Comcast (Cisco) LAN side as "the internet". So, I have NAT rules for each open port:
PORT, PUBLIC_STATIC_IP, INTERNAL_IP, QoS_RULE
This allows me to prioritize various types of traffic as needed (and throttle nuisance, but required traffic). It does make some bold assumptions about how the comcast modem is responding to the internal router stalling it, but so far it seems to behave itself (i.e. not lock up and do nothing on other ports while waiting for a throttled port).
Using this method you can also have DHCP clients that are NOT behind the QoS router (i.e. connected to the comcast LAN side in parallel with the internal router), but that just complicates things and potentially removes the benefit of QoS.
Hope that helps, it would have helped me understand what I was doing last week getting set up. It is odd that comcast has such a sizeable hunk of hardware without even crude QoS. Seems like a huge oversight.
skymeat
New problem solver
•
39 Messages
9 years ago
Can you explain technically why it's not available with a static?
train_wreck
Gold Problem solver
•
610 Messages
9 years ago
Bridge mode is not available if the gateway is provisioned with any static IPs.
May I ask why you need bridge mode?
train_wreck
Gold Problem solver
•
610 Messages
9 years ago
Yeah, from my understanding the Comcast gateways use RIPv2 to announce to the cable head-end which gateway has which static IP block, so the customer only has to worry about configuring basic IP info. I imagine it's done this way for some security purposes, to prevent people from accidentally (or maliciously) announcing their own devices for IPs that aren't theirs.
VBSSP-RICH
Advocate
•
1.4K Messages
9 years ago
Hello skymeat and welcome,
Yes, train_wreck is right on about the setup and utilization of your static IP implementation. Just to add to this, if you are setting up your VPN then it is necessary that you use this guide to make absolutely sure that your VPN is structured correctly and all required ports are open on the static IP device at both locations.
Unlike train_wreck's recommendation about making sure all true static IP ports are open using the FW radio button, I submit to you that the higher-security means for a static IP device is to disable (uncheck) this feature, then use either the FW or Advanced Port Forwarding "true static IP port management" facility to open ONLY the ports that your static IP device requires.
This can easily be performed by first selecting "block all ports with the following exceptions". Then, for example, if you are using an RRAS-based VPN server behind a firewall, for PPTP, ports 1723 and 47 must be open, per the guide I referenced. So therefore, within the add true static IP port management you would click the Add button and enter something like this:
PPTP1723Port 1723 1723 both Routable.Static.IP.Address
and
PPTP47Port 47 47 both Routable.Static.IP.Address
Hope this helps you out.
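Added example, not part of any post in this thread and not anyone's actual configuration: a consistency check for the two-layer setup cekim describes (gateway firewall defaulting to block, plus per-port NAT rules on an inner router) and the "block all ports with the following exceptions" mode described above. The address block, gateway address, ports, and rule entries are constructed sample values; `audit` and the finding names are hypothetical.

```python
import ipaddress

# Constructed sample data (not from the thread): a documentation-range /29
# stands in for the static block, with one address assumed held by the gateway.
STATIC_BLOCK = ipaddress.ip_network("203.0.113.8/29")
GATEWAY_IP = ipaddress.ip_address("203.0.113.14")

# Gateway firewall in "block all ports with the following exceptions" mode:
# the (public static IP, port) pairs it lets through.
GATEWAY_ALLOW = {("203.0.113.9", 443), ("203.0.113.9", 25), ("203.0.113.10", 22)}

# Inner router NAT table, in the column order given in the thread:
# PORT, PUBLIC_STATIC_IP, INTERNAL_IP, QoS_RULE
NAT_RULES = [
    (443, "203.0.113.9", "192.168.1.10", "high"),
    (25, "203.0.113.9", "192.168.1.20", "throttle"),
    (8080, "203.0.113.11", "192.168.1.30", "normal"),
    (443, "203.0.113.9", "192.168.1.40", "high"),
]

def audit(block, gateway_ip, gateway_allow, nat_rules):
    """Return a sorted list of (finding, public_ip, port) tuples."""
    findings = set()
    usable = set(block.hosts()) - {gateway_ip}
    seen = set()
    for port, public_ip, _internal_ip, _qos in nat_rules:
        key = (public_ip, port)
        if ipaddress.ip_address(public_ip) not in usable:
            findings.add(("public-ip-outside-block", public_ip, port))
        if key in seen:
            findings.add(("duplicate-nat-rule", public_ip, port))
        seen.add(key)
        if key not in gateway_allow:
            # Forwarded on the inner router but dropped at the gateway: dead rule.
            findings.add(("blocked-at-gateway", public_ip, port))
    for public_ip, port in gateway_allow - seen:
        # Open on the gateway but not forwarded: only the inner router filters it.
        findings.add(("gateway-open-without-nat", public_ip, port))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(STATIC_BLOCK, GATEWAY_IP, GATEWAY_ALLOW, NAT_RULES):
        print(*finding)
```

An empty result means both layers expose exactly the same set of (IP, port) pairs, which is the redundancy cekim's post aims for.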
train_wreck
Gold Problem solver
•
610 Messages
9 years ago
Yeah it's an old protocol, but I believe Comcast also blocks outgoing RIP from the customer side of all modems, so I think it would be somewhat difficult for customers to get in the middle of. Keep in mind this is just my best estimate from things I've read, I don't have direct knowledge of exactly how Comcast operates its DOCSIS network.
See http://businesshelp.comcast.com/help-and-support/internet/ports-blocked-on-comcast-network/
train_wreck
Gold Problem solver
•
610 Messages
9 years ago
Ah ok, I could have sworn I saw RIP settings in a screenshot of the admin screens of one of the gateways... thanks for the correction
VBSSP-RICH
Advocate
•
1.4K Messages
9 years ago
Actually, train_wreck, the static IP RIP2 protocol is used to authenticate the customer's static IP block between the CMTS and the CRAN server.