New problem solver
•
9 Messages
Static IPs and Router Setup
I have a /29 block of addresses. I'd like to pass two public IPs to two different machines on my LAN. To accomplish this, I need to :
1. setup 1-1 NAT assigning Public IP to the local IP for each machine
2. use True Status IP Port Management, as opposed to Port Forwarding, to map the incoming traffic to the correct port
Can anyone tell me if I have this right? If so, are there any other concerns or gotchas that I should be aware of?
Thanks in advance.
Jeff
VBSSP-RICH
Advocate
•
1.4K Messages
9 years ago
Hello JeffreyWest and welcome,
Please see my comments below. Thanks.
I have a /29 block of addresses. I'd like to pass two public IPs to two different machines on my LAN. To accomplish this, I need to :
So you have a 5 block static IP address so you can certainly use the True Static IP Port Management (TSIPM) to open any specific Routable Static IP Device(s) port(s).
1. setup 1-1 NAT assigning Public IP to the local IP for each machine
Yes, you can use 1-1 Static NAT to enable any specific internal Comcast Gateway DHCP Server 10.1.10.XXX device to valid external IP address(es)
2. use True Status IP Port Management, as opposed to Port Forwarding, to map the incoming traffic to the correct port
Yes, the standard port forward is primarily used to open ports for any internal Comcast Gateway DHCP Server 10.1.10.XXX device, where the TSIPM is used specific for opening Routable Static IP Device(s) port(s).
Hope this helps you out.
0
0
derekc
Occasional Visitor
•
7 Messages
9 years ago
I have the exact situation (except my LAN is 192.168.0.x) and I have read this half a dozen times. The ports that I want to control seem to be OPEN no matter what.
Let me explain.
I have a /29 block. I have a SMCD3G-CCR:
Here are the "default" settings related to firewall:
Before I create any rules in TSIPM, there should not be any ports opened to my servers inside the LAN, right?
Why is MXTOOLBOX.COM able to see the SMTP port of one of my servers?
Before I have the SMC gateway, I was given a Cisco 3939. It had the same problem. Everytime I called Comcast biz class tech support, they said they don't deal with "customer premises equipment" and kicked me away.
Am I the only one experiencing this? Or the router user interfaces just too confusing for just me? I think I know networking. I had my Cisco CCNP and Checkpoint Firewall certifications a decade ago and worked at a Internet backbone provider. I think I know what IP addressing is.
So many people simply switch their business class gateway to "pseudo bridge mode" and add their own router behind it. Is it because they all experience the same and have given up? Comcast charge us for equipment that don't work and refuse to provide service (because they know they would not solve our problem)? And they don't allow us to use our own equipment?
If you switch the gatway to pseudo bridge mode, what router behind it do you use to allow multiple WAN IP addresses on the WAN interface? I am getting a Sonicwall TZ 105. Anyone has luck with it?
If the above problem is solved and f I want to use one of the statis IPs to access multiple IP cameras (Port Address Translation - forwarding incoming traffic to the Static IP at port 8001 to 192.168.0.101:80, port 8002 to 192.168.0.102:80, etc).. would it work well with the 1:1 NAT if possible at all?
0
0
VBSSP-RICH
Advocate
•
1.4K Messages
9 years ago
Okay derekc, please see my comments below. Thanks
I have the exact situation (except my LAN is 192.168.0.x) and I have read this half a dozen times. The ports that I want to control seem to be OPEN no matter what.
Let me explain.
I have a /29 block. I have a SMCD3G-CCR:
Here are the "default" settings related to firewall:
Before I create any rules in TSIPM, there should not be any ports opened to my servers inside the LAN, right?
Why is MXTOOLBOX.COM able to see the SMTP port of one of my servers?
Not sure what you expect for data processing by disabling ALL ports on ALL your static IP routable devices?! You need to consider using the using the True Static IP Port Management.Block All Ports With the following Exceptions, then add ONLY the ports of whatever the applications you are needing open on each individual routable static IP device (such as 50.XXX.43.90/91/92.93). The way you have it currently configured all routable static IP device(s) ports are ALL blocked , therefore, no incoming data processing activity whatsoever. So even your NATTing outgoing can process data but no incoming to your routable servers until you open the exact application ports on each of the routable static IP devices.
Before I have the SMC gateway, I was given a Cisco 3939. It had the same problem. Everytime I called Comcast biz class tech support, they said they don't deal with "customer premises equipment" and kicked me away.
Am I the only one experiencing this? Or the router user interfaces just too confusing for just me? I think I know networking. I had my Cisco CCNP and Checkpoint Firewall certifications a decade ago and worked at a Internet backbone provider. I think I know what IP addressing is.
Very impressive credentials and background.
So many people simply switch their business class gateway to "pseudo bridge mode" and add their own router behind it. Is it because they all experience the same and have given up? Comcast charge us for equipment that don't work and refuse to provide service (because they know they would not solve our problem)? And they don't allow us to use our own equipment?
Comcast allows all customers to use whatever equipment is required for their business requirements. Psuedo Bridge Mode (i.e. disabling the Comcast Gateway (CG) internal DHCP Server) is good networking practice to avoid any other devices internal DHCP Server coflicts causing inadvertent packet loss. Imho, Comcast provides exceptional service both technical and business on the equipment they provide to customers. However, not all Comcast technical agents have your Cisco CCNP & Checkpoint Firewall certification qualifications, but some do.
If you switch the gatway to pseudo bridge mode, what router behind it do you use to allow multiple WAN IP addresses on the WAN interface? I am getting a Sonicwall TZ 105. Anyone has luck with it?
If you are referring to "True Bridge Mode (TBM) " and turning the CG into a dumb modem with no routing except to pass WAN addresses to the Firewall, Controlling Router, etc., you must first get rid of your static IP's to implement this networking strategy. When any Industry Standard Gateway is put in TBM then ALL routing is disabled, again, with the only exception of passing the WAN DHCP address to a controlling, security, etc. device, as you know.
If the above problem is solved and f I want to use one of the statis IPs to access multiple IP cameras (Port Address Translation - forwarding incoming traffic to the Static IP at port 8001 to 192.168.0.101:80, port 8002 to 192.168.0.102:80, etc).. would it work well with the 1:1 NAT if possible at all?
I would like to advise you that I have worked with MANY Comcast business customers who have simply used 1 static IP routable address programmed on their DVR Server WAN network interface, physically ethernet interconnected to any CG LanPort, use exactly the current configuration you posted above and just simply insure that port 80 and 8002 is open on the routable static IP DVR server device and it is a done deal. If you are using an http://DVR-Server-Website-URL:8002, for example, this will work perfectly fine.
Hope this helps you out......
0
0
derekc
Occasional Visitor
•
7 Messages
9 years ago
0
0