I'm experiencing a routing issue with my Comcast Business Class service.
My gateway is running in bridge mode, the external interface of my firewall has a publicly accessible IP address (assigned via DHCP). I have confirmed this by connecting to the firewall from another site.
I also have a static IP address block assigned; however, that address block does not appear to be properly routed to my firewall. I've watched the external interface (connected to the modem with a DHCP assigned address which is supposed to be configured as the route for my IP block by Comcast); however, no traffic ever appears on the external interface of my firewall destined for any of the IP addresses in my assigned block.
Has anyone else experienced this issue and can offer suggestions on what else I should be trying?
Hello Tsmidwest and welcome,
If your Comcast Gateway (CG) is running in "True Bridge Mode" and you have a Comcast Static IP Block (CSIPB), then this will not work because all your CG routing is disabled.
It is necessary for you to put your CG back into its normal router mode but disable the CG DHCP Server, which is usually referred to as "Pseudo Bridge Mode". This is only done if your Firewall (FW) device is using its inherent DHCP Server for your Intra-network.
So lastly, for this inter-networking to work correctly, it is also necessary for your CSIPB gateway, subnet mask, PriDNS, SecDNS addresses to be configured into your CG WAN interface by a technical agent at 8003913000.
Hope this helps you out.
tsmidwest - to put it simply, if you have a BLOCK of static IPs from Comcast, you cannot use your own firewall as a router; you must use their cable modem as the router. Yes it stinks.
if you have a BLOCK of static IPs from Comcast, you cannot use your own firewall as a router, you must use their cable modem as the router.
Technically incorrect. You can of course use your own firewall/router device with a Comcast static IP; its first hop, however, must be a Comcast-supplied gateway. At that point, the Comcast gateway becomes a basic packet forwarder, having no need to perform NAT.
A router routes between subnets; a network address translator rewrites the packet header (and parts of the payload), so it is technically not a router. A router allows for subnetting; a translator does not.
You cannot set up a router behind a Comcast static IP block. You can set up a network address translator, but not a router. Unfortunately the general public uses the term "router" to indicate a translator, but that is incorrect.
For example, if Comcast allowed for router use, you could obtain a /28 from Comcast, subnet it into two /29s, use one of them on the network between the Comcast gateway and your internal router, and the other /29 could be used somewhere else in your network - even on the other end of a tunnel. But that isn't permitted because the end user cannot install routes into the business gateway or change the mask used on the business gateway interface.
Thus, all you can do is put a NAT device inside.
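An added illustration of the routing argument in the post above; it is not code from any poster in this thread. It is a small Python model built on the standard-library ipaddress module, using a constructed /28 from the documentation range (198.51.100.16/28) and assumed addresses for the gateway (.17) and the firewall's link address (.18). It splits the /28 into two /29s, then compares the only routing table the end user can get on the Comcast gateway (the whole block directly attached) with the table a routed design would need (the second /29 reachable via the firewall), and shows why traffic for the second /29 never reaches the firewall unless the firewall itself holds those addresses on the gateway's segment, which is the NAT deployment the post ends with.

```python
import ipaddress

# Constructed sample prefix from the documentation range; not a real Comcast assignment.
BLOCK = ipaddress.ip_network("198.51.100.16/28")


def split_block(block, new_prefix=29):
    """Divide the assigned block into equal subnets (the /28 -> two /29s case from the thread)."""
    return list(block.subnets(new_prefix=new_prefix))


def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop) entries.
    next_hop None means the network is directly attached (on-link)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forwarding_decision(routes, dst):
    """Describe what a gateway does with a packet: deliver on-link (ARP for it) or forward via a next hop."""
    match = lookup(routes, dst)
    if match is None:
        return "no route"
    _net, next_hop = match
    return "on-link" if next_hop is None else f"via {next_hop}"


def comcast_gateway_routes(block):
    """The only table the end user can get on the business gateway: the whole block on its LAN side.
    No per-subnet routes can be installed and the interface mask cannot be changed."""
    return [(block, None)]


def routed_design_routes(block):
    """What a real router deployment would need: the first /29 on-link between gateway and
    firewall, the second /29 forwarded via the firewall's link address (assumed .18)."""
    link_net, inner_net = split_block(block)
    firewall_link_ip = list(link_net.hosts())[1]  # assumed: .17 is the gateway, .18 the firewall
    return [(link_net, None), (inner_net, firewall_link_ip)]


def deliverable(routes, dst, on_link_holders):
    """Simulate the gateway's delivery: an on-link destination is delivered only if some device on
    that segment actually holds the address (answers ARP); a forwarded destination goes to its next hop."""
    decision = forwarding_decision(routes, dst)
    if decision == "on-link":
        return ipaddress.ip_address(dst) in on_link_holders
    return decision.startswith("via")


def nat_holders(block):
    """NAT deployment: the firewall's outside interface owns every usable address of the block
    except the gateway's own (.17), so the gateway's ARP for any of them is answered."""
    gateway_ip = list(block.hosts())[0]
    return {h for h in block.hosts() if h != gateway_ip}


if __name__ == "__main__":
    inner_host = "198.51.100.26"  # an address in the second /29
    print("subnets:", split_block(BLOCK))
    print("routed design would forward", inner_host, forwarding_decision(routed_design_routes(BLOCK), inner_host))
    print("comcast gateway treats", inner_host, "as", forwarding_decision(comcast_gateway_routes(BLOCK), inner_host))
    # Routed attempt: the inner /29 lives behind the firewall, nothing on the gateway segment holds it.
    print("delivered in routed attempt:", deliverable(comcast_gateway_routes(BLOCK), inner_host, set()))
    # NAT deployment: the firewall holds the block's addresses on the gateway segment.
    print("delivered with NAT:", deliverable(comcast_gateway_routes(BLOCK), inner_host, nat_holders(BLOCK)))
```

Running it shows the two /29s, that the routed design would send 198.51.100.26 via 198.51.100.18, that the Comcast gateway instead treats it as on-link, and that delivery then succeeds only when the firewall holds the address itself (the NAT case), matching the "no traffic ever appears" symptom in the original question.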