Equipment (Modems,Gateways)
Modems, Gateways, and Networking Devices
skymeat
Frequent Contributor

Bridge mode

I need to get into a true bridge mode. I have a /30. I've spent an hour on the phone trying to get it done so far.
Trusted Forum Contributor

Re: Bridge mode

Bridge mode is not available if the gateway is provisioned with any static IPs.

 

May I ask why you need bridge mode?

skymeat
Frequent Contributor

Re: Bridge mode

I'm running a few services; that's why I have the static IP. I am in pass-through now.

Can you explain technically why it's not available with a static?
skymeat
Frequent Contributor

Re: Bridge mode

Also, I'm a newbie with Comcast. I usually get an Ethernet handoff and just address my router accordingly.
Trusted Forum Contributor

Re: Bridge mode


@skymeat wrote:
Can you explain technically why it's not available with a static?

Yeah, bridge mode disables all routing capabilities of the gateway and essentially turns it into a regular retail cable modem. Comcast uses specific routing technologies to allow customer-assigned static IPs onto their network, and bridge mode disables these technologies.

 

If your gateway has been provisioned properly with your static IP, you should be able to configure any of your own devices with your static IP information and just plug it into the gateway's ethernet ports. The gateway will allow all traffic to/from static IP devices. Make sure that the gateway's firewall settings (available at http://10.1.10.1 ) are configured to "Allow all traffic through" - this should be a checkbox on one of the configuration pages.

 

The gateway is your ethernet handoff, in essence.

skymeat
Frequent Contributor

Re: Bridge mode

Cool. I'll accept this as a solution as soon as I set up VPN tomorrow.
skymeat
Frequent Contributor

Re: Bridge mode

Works for me. Seems like a weird setup on the provider side though.
Trusted Forum Contributor

Re: Bridge mode

Hello skymeat and welcome,

 

Yes, train_wreck is right on about the setup and utilization of your static IP implementation. Just to add to this, if you are setting up your VPN then it is necessary that you use this guide to make absolutely sure that your VPN is structured correctly and all required ports are open on the static IP device at both locations.

Unlike train_wreck's recommendation about making sure all true static IP ports are open using the FW radio button, I submit to you that the higher-security means for the static IP device is to disable (uncheck) this feature, then use either the FW or the Advanced Port Forwarding "true static IP port management" facility to open ONLY the ports that your static IP device requires.

This can easily be performed by first selecting "block all ports with the following exceptions"; then, for example, if you are using an RRAS-based VPN server behind a firewall, for PPTP, ports 1723 and 47 must be open, per the guide I referenced. Therefore, within the add true static IP port management you would click the Add button and enter something like this:

    PPTP1723Port 1723 1723 both Routable.Static.IP.Address
    PPTP47Port 47 47 both Routable.Static.IP.Address

 

Hope this helps you out.

skymeat
Frequent Contributor

Re: Bridge mode

The only device connected directly to the modem is an ASA. So disabling the firewall is no biggie. But I'll keep it in mind if I want another DMZ hanging out there.
Trusted Forum Contributor

Re: Bridge mode


@skymeat wrote:
Seems like a weird setup on the provider side though.

Yeah, from my understanding the Comcast gateways use RIPv2 to announce to the cable head-end which gateway has which static IP block, so the customer only has to worry about configuring basic IP info. I imagine it's done this way for some security purposes, to prevent people from accidentally (or maliciously) announcing their own devices for IPs that aren't theirs.

skymeat
Frequent Contributor

Re: Bridge mode

Wow. MD5 auth, if I remember right.
Trusted Forum Contributor

Re: Bridge mode


@skymeat wrote:
Wow. Md5 Auth if I remember right.

Yeah it's an old protocol, but I believe Comcast also blocks outgoing RIP from the customer side of all modems, so I think it would be somewhat difficult for customers to get in the middle of. Keep in mind this is just my best estimate from things I've read, I don't have direct knowledge of exactly how Comcast operates its DOCSIS network.

 

See http://businesshelp.comcast.com/help-and-support/internet/ports-blocked-on-comcast-network/

Trusted Forum Contributor

Re: Bridge mode

Actually, train_wreck, the static IP RIP2 protocol is used to authenticate the customer's static IP block between the CMTS and the CRAN server.

skymeat
Frequent Contributor

Re: Bridge mode

Can you comment on why you're using RIPv2? You've got to redistribute that to BGP at some point, so why not take it to the customer's edge? Then I could just peer my internal AS to the static.
Trusted Forum Contributor

Re: Bridge mode


@VBSSP-RICH wrote:

Actually, train_wreck the static IP RIP2 protocol is used to authenticate the customer's static IP block between the CMTS and the CRAN server.  


Ah ok, I could have sworn I saw RIP settings in a screenshot of the admin screens of one of the gateways... thanks for the correction
EnzoD
New Member

Re: Bridge mode

Hey folks. I want to make sure I understand this correctly, because quite honestly this seems odd design-wise.

I have a single static IP. My thoughts were that I put the Cisco GW in bridge mode, assign the static IP to the external interface of my own FW, and I'm done. This didn't seem to work. I was getting public IPs in the 75.x.x.x range assigned to any device I plugged into the Cisco GW.

Here's what I want: Internet ---<>Comcast Cisco GW<>--ASA5505<>--Rest of my network. I really want the Comcast GW to function as a cable modem, and would like my static IP and all my logic running on my ASA5505.

To get the above to work, am I hearing that I need to put the Cisco GW in route mode, but turn off all firewalling, etc.?

But then I'd need the outside int of my ASA to be an RFC1918 address?

Thanks
cekim
Visitor

Re: Bridge mode

Not sure if this will help anyone else, but this is the sort of search I was doing before starting:

 

multiple (5) static IPs, QoS router behind Cisco modem and NOT in bridge mode.

 

For those that haven't figured it out, they have set the modem up to pass the public/static IPs through to the LAN side, so if you have a device that answers to your static IPs on the LAN side, the comcast modem will pass the traffic to it (out of the box, as configured during install).

 

That is, you assign the provided public IP/NETMASK/DNS to either a computer or a route in another router on the LAN side of the comcast modem and it will make it appear as if it is directly connected to the internet.

 

You can either filter the ports in the comcast modem, or disable the firewall and pass everything to those IPs.

 

In my case, I clamped down the comcast firewall as tight as possible, defaulting to block, passing only those ports I need for services I provide.  This is redundant as the QoS router also blocks all but those ports served, but the sooner I stop bad traffic the better as far as I am concerned.

 

So, the comcast router passes my 5 static IPs to an internal router (Netgear proSafe) that is itself in NAT mode.  It maps WAN->LAN by treating the Comcast (Cisco) LAN side as "the internet".  So, I have NAT rules for each open port:

 

PORT, PUBLIC_STATIC_IP, INTERNAL_IP, QoS_RULE

 

This allows me to prioritize various types of traffic as needed (and throttle nuisance, but required, traffic). It does make some bold assumptions about how the Comcast modem is responding to the internal router stalling it, but so far it seems to behave itself (i.e. not lock up and do nothing on other ports while waiting for a throttled port).

 

Using this method you can also have DHCP clients that are NOT behind the QoS router (i.e. connected to the Comcast LAN side in parallel with the internal router), but that just complicates things and potentially removes the benefit of QoS.

 

Hope that helps; it would have helped me understand what I was doing last week getting set up. It is odd that Comcast has such a sizeable hunk of hardware without even crude QoS. Seems like a huge oversight.
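A small model of the two-stage layout the last two posts describe: VBSSP-RICH's "block all ports with the following exceptions" list on the Comcast gateway (with the PPTP entries quoted above, where "47" is PPTP's GRE data channel, IP protocol 47, rather than a TCP port), in front of cekim's internal NAT router that maps (public static IP, port) to an internal host. This is an added example written for this page; it is not code from the thread, from Comcast, or from any gateway firmware. The address 203.0.113.10 and the internal hosts are constructed sample values, and the rule evaluation is a simplified stand-in for what the real gateway does.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample address (RFC 5737 documentation range), standing in for
# the "Routable.Static.IP.Address" placeholder quoted in the thread.
PUBLIC_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    """Inbound packet as seen on the gateway's WAN side."""
    dst_ip: str
    proto: str                      # "tcp", "udp" or "gre"
    dst_port: Optional[int] = None  # GRE (IP protocol 47) carries no port


@dataclass(frozen=True)
class PortRule:
    """One exception in the gateway's port-management list: name, start and
    end port, protocol ("tcp", "udp", "both" or "gre"), destination address."""
    name: str
    start: int
    end: int
    proto: str
    dst_ip: str

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst_ip != self.dst_ip:
            return False
        if self.proto == "gre":
            return pkt.proto == "gre"
        if pkt.proto not in ("tcp", "udp"):
            return False
        if self.proto != "both" and self.proto != pkt.proto:
            return False
        return pkt.dst_port is not None and self.start <= pkt.dst_port <= self.end


class GatewayFirewall:
    """'Allow all traffic through' versus default deny with an exception list."""
    def __init__(self, allow_all: bool, exceptions: Iterable[PortRule] = ()):
        self.allow_all = allow_all
        self.exceptions = tuple(exceptions)

    def permits(self, pkt: Packet) -> bool:
        if self.allow_all:
            return True
        return any(rule.matches(pkt) for rule in self.exceptions)


class NatRouter:
    """Internal router that treats the gateway's LAN as 'the internet' and maps
    (public IP, protocol, port) to an internal host: the PORT, PUBLIC_STATIC_IP,
    INTERNAL_IP table from the post above, without the QoS column."""
    def __init__(self, mappings: Dict[Tuple[str, str, Optional[int]], str]):
        self.mappings = dict(mappings)

    def forward(self, pkt: Packet) -> Optional[str]:
        return self.mappings.get((pkt.dst_ip, pkt.proto, pkt.dst_port))


def deliver(fw: GatewayFirewall, nat: NatRouter, pkt: Packet) -> Optional[str]:
    """Internal host that receives the packet, or None if either stage drops it."""
    if not fw.permits(pkt):
        return None
    return nat.forward(pkt)


def reachable_mappings(fw: GatewayFirewall, nat: NatRouter) -> List[Tuple[str, str, Optional[int]]]:
    """NAT entries that the gateway firewall actually lets traffic reach."""
    return [key for key in nat.mappings if fw.permits(Packet(*key))]


def build_demo() -> Tuple[GatewayFirewall, GatewayFirewall, NatRouter]:
    # The two PPTP entries quoted in the thread: TCP 1723 and GRE (protocol 47).
    exceptions = [
        PortRule("PPTP1723Port", 1723, 1723, "both", PUBLIC_IP),
        PortRule("PPTP47Port", 47, 47, "gre", PUBLIC_IP),
    ]
    allow_all = GatewayFirewall(allow_all=True)
    locked = GatewayFirewall(allow_all=False, exceptions=exceptions)
    # Hypothetical internal hosts. Port 443 is mapped here but NOT opened at
    # the gateway: the mismatch a two-stage setup has to watch for.
    nat = NatRouter({
        (PUBLIC_IP, "tcp", 1723): "192.168.1.20",
        (PUBLIC_IP, "gre", None): "192.168.1.20",
        (PUBLIC_IP, "tcp", 443): "192.168.1.30",
    })
    return allow_all, locked, nat


def trace(fw: GatewayFirewall, nat: NatRouter) -> List[Tuple[str, Optional[str]]]:
    """Run constructed sample packets through both stages."""
    samples = [
        ("pptp-control", Packet(PUBLIC_IP, "tcp", 1723)),
        ("pptp-gre", Packet(PUBLIC_IP, "gre")),
        ("https", Packet(PUBLIC_IP, "tcp", 443)),
        ("rdp", Packet(PUBLIC_IP, "tcp", 3389)),
        ("wrong-ip", Packet("203.0.113.11", "tcp", 1723)),
    ]
    return [(name, deliver(fw, nat, pkt)) for name, pkt in samples]


if __name__ == "__main__":
    allow_all, locked, nat = build_demo()
    for label, fw in (("allow all", allow_all), ("default deny", locked)):
        print(f"--- gateway firewall: {label}")
        for name, host in trace(fw, nat):
            print(f"{name:13s} -> {host or 'dropped'}")
```

With "allow all" the gateway passes everything to the static IP and the internal router's port map is the only filter, which is the setup cekim calls redundant but worth having. With the exception list, a packet to a port the inner router maps (443 here) is dropped at the gateway before the NAT router ever sees it, so `reachable_mappings` is a quick way to spot NAT entries that the gateway list has not been updated to match.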
EnzoD
New Member

Re: Bridge mode

Thanks Cekim for sharing the info. This will definitely give me enough information to set up what I need... although I'm still pretty perplexed by Comcast's use of bridging.

 

All I really wanted was a dumb cable modem and the ability to put a static IP (the one they gave me) on the outside of my ASA.

Thanks again for the help.