rukarin

New Member


2 Messages

Saturday, February 1st, 2014 3:00 PM

SMC business class gateway in bridge mode with Static IPs

Hi,

 

I am trying to use the firewall, VPN, VLAN etc. features on a Cisco 881 router instead of those provided on my SMC business class gateway.

 

However, I am confused as to how to proceed with this while routing my public static IPs (I am paying for 5 from Comcast) to devices behind my Cisco 881 router's NAT. I am no expert at this, but it seems that I cannot put my SMC gateway in complete bridge mode (i.e. disable its NAT) since it would not be able to route the public static IPs.

 

Can someone please confirm to me the appropriate approach and the pros/cons?

 

Thanks

Accepted Solution

New Member


2 Messages

11 years ago

I have the same setup, SMC and /29 static IPs and I'm running my own firewall box inside.

 

The key is that to use the static IPs you do NOT run in bridged mode. You will assign IPs statically to any equipment which plugs directly into the SMC. The last IP in the group of IPs they gave you is your gateway (the individual IPs in the group are consecutive).

 

Also, in the modem, Firewall tab check the box for :

  • Disable Firewall for True Static IP Subnet Only
  • Disabled Gateway Smart Packet Detection

 

While still on the Firewall section, select the "Port Configuration" tab:

Now, one at a time click all the links for

  •     Port Forwarding
  •     Port Triggering
  •     Port Blocking
  •     True Static IP Port Management

and check the box on the subsequent pages to disable each of those features. I'm not sure if this part is necessary after having checked the "Disable Firewall for True Static IP Subnet Only" above (but it won't hurt and that's how mine is running).

 

Basically you want the modem operating "dumb" with everything passing through to your firewall. This is the routed "equivalent" of bridged mode where everything gets through.

 

On your firewall, its WAN port will need to be configured with a static IP and the proper mask and gateway. To do this you need to somewhat understand the addresses you were given. I'll explain it "somewhat" here.

 

I'm not sure if they gave you only 5 groups of 4 numbers or more technical notation with /29 and subnet masks etc., so just bear with me here while I explain it with generic addresses and you should be able to substitute the 5 they gave you and see the pattern.

 

Assume you were assigned the following IPs

 

   10.1.1.65

   10.1.1.66

   10.1.1.67

   10.1.1.68

   10.1.1.69

   10.1.1.70

 

This is really the 10.1.1.64/29 subnet which has 8 IP addresses (.64-.71), but the first and the last (.64, .71) are special and are used by the IP protocol, leaving you with only 6 addresses. BUT, the modem will take one for itself (which is your "gateway" which you will assign as the Default Gateway in your firewall).

 

The modem will already/automatically have the 10.1.1.70 IP address in the above example assigned to itself. I'm not sure of the mechanics of this inside Comcast but I believe this is all provisioned when things are installed, either by the install tech or someone at the headend. At any rate you can't get access to assign that 10.1.1.70 to the modem anyway, so it's either already done, happens automatically or you will have to call them. You can check and see if the IP is assigned by looking in the modem's Gateway Summary, Network page at the two WAN DHCP IPs; one should be the highest (usable) of the group you were assigned.

 

So to pick one of the 5 ips for the firewall you could assign 10.1.1.69/29 with a gateway of 10.1.1.70 or in other terms:

 

     IP Address: 10.1.1.69

   Network Mask: 255.255.255.248

Default Gateway: 10.1.1.70

 

Now, you can't use 10.1.1.x, but the 5 they gave you should fit the pattern of the 10.1.1.x stuff I just laid out, so substitute the IPs you were given and go for it!

 

The lan/inside interface on your firewall would be configured with a Private subnet like 192.168.100.1 etc.

 

I don't think you'll have trouble after you get the modem and WAN IP/Default Gateway of the firewall configured. It's just a matter of knowing to use the True Static IP setting, no NAT/Port Forwarding/DMZ, modem has the highest IP in the group you were given and that IP is also your gateway..... simple right? 😉

 

good luck

 

 

On another note, to see the Admin page of the modem you can simply connect a laptop or desktop to the modem and set the computer for DHCP. The modem ALSO gives out a private range like 192.168.0.X and will NAT traffic out to the internet, plus you can view the Admin page.

 

I'm not sure what the default IP of the modem is and mine has been altered, so you'll have to look at the manual. But once you get to the Gateway Summary, Network tab you should see the WAN DHCP stuff which will show your Static IP Block and the IP from the block assigned to you as a DHCP WAN IP.
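The subnet arithmetic in the answer above, as an added example (this is not code from the forum post or from Comcast). It takes the list of addresses you were given, finds the /29 they live in, derives the mask, broadcast and gateway the way the post describes (highest usable address belongs to the SMC), picks the highest remaining address for the firewall's WAN port, and renders the matching Cisco IOS interface/default-route lines for the Cisco 881 the asker has. The placeholder addresses are the post's 10.1.1.65-10.1.1.69; the WAN interface name FastEthernet4 is an assumption for an 881 and should be checked against your unit. Because "Disable Firewall for True Static IP Subnet Only" makes the SMC pass everything through, getting these values right is what stands between the internet and your LAN, so the check against the modem's Gateway Summary page is included.

```python
"""Work out firewall WAN settings from a Comcast true static IP block.

Added example, not code from the forum post. The addresses are the post's
placeholder 10.1.1.65-10.1.1.69; substitute the ones Comcast gave you.
"""
import ipaddress
from typing import Dict, List


def block_from_assigned(ips: List[str]) -> ipaddress.IPv4Network:
    """Return the smallest aligned IPv4 subnet that contains every address.

    Comcast assigns consecutive addresses out of one block (a /29 for five
    customer IPs), so the smallest aligned subnet holding all of them is
    the block itself.
    """
    addrs = sorted(ipaddress.IPv4Address(ip) for ip in ips)
    for prefix in range(30, -1, -1):  # a usable block is /30 or larger
        net = ipaddress.IPv4Network(f"{addrs[0]}/{prefix}", strict=False)
        if addrs[-1] in net:
            return net
    raise ValueError("addresses do not fit in one IPv4 subnet")


def wan_settings(ips: List[str]) -> Dict[str, object]:
    """Derive mask, broadcast, gateway and a WAN address for the firewall.

    Following the post: the first and last addresses of the block are the
    network and broadcast addresses, the highest usable address belongs to
    the SMC (your default gateway), and the rest are yours.
    """
    net = block_from_assigned(ips)
    hosts = list(net.hosts())          # excludes network and broadcast
    gateway = hosts[-1]                # the modem takes the highest usable
    customer = hosts[:-1]              # everything else is yours
    assigned = {ipaddress.IPv4Address(ip) for ip in ips}
    stray = sorted(assigned - set(hosts))
    if stray:                          # e.g. someone typed the broadcast address
        raise ValueError(f"not usable host addresses: {stray}")
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "gateway": str(gateway),
        "customer_usable": [str(h) for h in customer],
        # the post uses the highest customer address for the firewall
        "firewall_wan_ip": str(customer[-1]),
    }


def gateway_matches_modem(ips: List[str], modem_wan_ip: str) -> bool:
    """Compare the WAN IP shown on the modem's Gateway Summary page with the
    computed gateway. A mismatch means the block is provisioned differently
    than assumed and the firewall's default gateway would be wrong."""
    return wan_settings(ips)["gateway"] == str(ipaddress.IPv4Address(modem_wan_ip))


def ios_wan_config(ips: List[str], wan_if: str = "FastEthernet4") -> str:
    """Render the Cisco IOS WAN interface and default route for these settings.

    Assumption: FastEthernet4 is the WAN port on the asker's Cisco 881;
    pass another wan_if for a different platform.
    """
    s = wan_settings(ips)
    return "\n".join([
        f"interface {wan_if}",
        f" ip address {s['firewall_wan_ip']} {s['netmask']}",
        " ip nat outside",             # the 881, not the SMC, does the NAT
        " no shutdown",
        "!",
        f"ip route 0.0.0.0 0.0.0.0 {s['gateway']}",
    ])


if __name__ == "__main__":
    example = ["10.1.1.65", "10.1.1.66", "10.1.1.67", "10.1.1.68", "10.1.1.69"]
    for key, value in wan_settings(example).items():
        print(f"{key:>16}: {value}")
    print(ios_wan_config(example))
```

Run it with the real addresses; if `gateway_matches_modem()` is false for the WAN DHCP IP the modem reports, stop and call Comcast rather than guessing, since a wrong default gateway on the firewall is the most common reason the static block "does not work".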

Accepted Solution

Visitor


5 Messages

11 years ago

I'm having a problem port forwarding telnet to my server.

As in your post, I have disabled everything. I use a FVS318N Netgear router; the 318 is connected to a switch with my network on it including the server (192.168.1.xx static). The FVS318 has my Comcast static IP configured in the WAN settings (I only have one). On the 318 I have an inbound rule to port forward telnet port 23 to the server (192.168.1.xx). I can ping the static IP but cannot get through on any port.

New Member


2 Messages

11 years ago

> gregw

 

Oh wow, great answer! The step-by-step instructions taught me a thing or two and the problem is solved.

 

Is there any discernible benefit from using a separate Cisco router/firewall instead of the one on the SMC gateway, besides the additional features (e.g. IOS, VPN, VLAN)?

Visitor


5 Messages

11 years ago

As a note. I have the 318 handing out DHCP, not the Comcast modem.

New Member


1 Message

11 years ago

This may or may not be useful. In the old days, when Biz class internet came on the SMC or the recently retired Netgear, as long as you chose true static IP subnet only, everything routed through.


We just signed up for a new biz class service, and we got a new fugly Cisco/Linksys all in one box. Wish I had the model number in front of me.

Anyways, we could ping the router assigned IP address, but despite having our public IPs properly assigned to servers and our firewall, with correct access, they were not pingable. We double checked our configuration, double checked that true IP subnet was checked, power cycled, etc.

It took a call and escalation to Tier 2, but apparently there is something else that blocks inbound traffic on the network side. It took a call in to get inbound ssh, https, etc to those public IPs.


This may or may not help your situation, but it was a big speed bump for us on the new Linksys router.
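Two posters above hit the same symptom: the static IP answers ping but no TCP port gets through, once because of a forward on the inside firewall and once because of something on Comcast's side. An added example (not code from any post in this thread) that separates the cases from the outside: a completed handshake means the path and the forward work, a reset means packets reach the WAN address but nothing answers on that port (wrong forward or no listener), and silence means something between you and the host is dropping them. The port list and any target address are placeholders; run it from a host that is not behind the same modem so the result reflects the inbound path.

```python
"""Classify inbound TCP reachability to a public static IP.

Added example, not from the forum thread. Probe from outside your own
connection; PORTS and the target are placeholders.
"""
import socket
from typing import Dict

PORTS = {"ssh": 22, "telnet": 23, "https": 443}   # placeholder services


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'filtered' or 'error: <errno>' for one port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "refused"     # RST came back: the host is reachable, nothing listens
        except (socket.timeout, TimeoutError):
            return "filtered"    # no reply at all: dropped by modem, firewall or upstream
        except OSError as exc:
            return f"error: {exc.errno}"
        return "open"            # SYN/SYN-ACK/ACK completed end to end


def probe_services(host: str, ports: Dict[str, int] = PORTS,
                   timeout: float = 3.0) -> Dict[str, str]:
    """Probe each named port and return name -> state."""
    return {name: probe_tcp(host, port, timeout) for name, port in ports.items()}


def diagnosis(results: Dict[str, str]) -> str:
    """Turn per-port states into the next thing to check."""
    states = set(results.values())
    if states == {"filtered"}:
        return ("all probes dropped: re-check the modem's firewall and port "
                "management settings, then ask Comcast about network-side blocking")
    if "open" in states:
        return "inbound reaches the target: remaining problems are per-service"
    if states == {"refused"}:
        return "packets reach the WAN address but no forward or listener answers"
    return "mixed results: compare the per-port states"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = probe_services(target)
    for name, state in results.items():
        print(f"{name:>7} ({PORTS[name]}): {state}")
    print(diagnosis(results))
```

A ping reply proves only that ICMP reaches the WAN address; the poster who needed a Tier 2 escalation would have seen every port come back "filtered" while ping still worked, which is the signature of a block upstream of the firewall rather than a mistaken forward rule.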

New Contributor


15 Messages

10 years ago

I am not sure if I misread your post, which was excellent by the way, but if I understood it correctly you configured the WAN port of your firewall to connect to the Comcast router. Why did you use the WAN port and not the Outside port? Again, great post.

Administrator


1.5K Messages

10 years ago

tgoyette,

 

Thank you for bringing this post by ramasan to our notice.

We appreciate ramasan's input and your comments on it.

 

Thank you!