
SMC business class gateway in bridge mode with Static IPs

SOLVED
rukarin
New Member

SMC business class gateway in bridge mode with Static IPs

Hi,

I am trying to use the firewall, VPN, VLAN etc. features on a Cisco 881 router instead of those provided on my SMC business class gateway.

However, I am confused as to how to proceed with this while routing my public static IPs (I am paying for 5 from Comcast) to devices behind my Cisco 881 router's NAT. I am no expert at this, but it seems that I cannot put my SMC gateway in complete bridge mode (i.e. disable its NAT) since it would not be able to route the public static IPs.

Can someone please confirm to me the appropriate approach and the pros/cons?

Thanks

gregw
New Member

Re: SMC business class gateway in bridge mode with Static IPs

I have the same setup, SMC and /29 static IPs and I'm running my own firewall box inside.

The key is that to use the static IPs you do NOT run in bridged mode. You will assign IPs statically to any equipment which plugs directly into the SMC. The last IP in the group of IPs they gave you is your gateway (the individual IPs in the group are consecutive).

Also, in the modem, Firewall tab, check the boxes for:

  • Disable Firewall for True Static IP Subnet Only
  • Disabled Gateway Smart Packet Detection

While still on the Firewall section, select the "Port Configuration" tab:

Now, one at a time, click all the links for

  • Port Forwarding
  • Port Triggering
  • Port Blocking
  • True Static IP Port Management

and check the box on the subsequent pages to disable each of those features. I'm not sure if this part is necessary after having checked the "Disable Firewall for True Static IP Subnet Only" above (but it won't hurt and that's how mine is running).

Basically you want the modem operating "dumb" with everything passing through to your firewall. This is the routed "equivalent" of bridged mode where everything gets through.

On your firewall, its WAN port will need to be configured with a static IP and the proper mask and gateway. To do this you need to somewhat understand the addresses you were given. I'll explain it "somewhat" here.

I'm not sure if they gave you only 5 groups of 4 numbers or more technical notation with /29 and subnet masks etc., so just bear with me here while I explain it with generic addresses and you should be able to substitute the 5 they gave you and see the pattern.

 

Assume you were assigned the following IPs:

   10.1.1.65
   10.1.1.66
   10.1.1.67
   10.1.1.68
   10.1.1.69
   10.1.1.70

This is really the 10.1.1.64/29 subnet, which has 8 IP addresses (.64-.71), but the first and the last (.64, .71) are special and are used by the IP protocol, leaving you with only 6 addresses. BUT the modem will take one for itself (which is your "gateway", which you will assign as the Default Gateway in your firewall).

The modem will already/automatically have the 10.1.1.70 IP address in the above example assigned to itself. I'm not sure of the mechanics of this inside Comcast but I believe this is all provisioned when things are installed, either by the install tech or someone at headend. At any rate you can't get access to assign that 10.1.1.70 to the modem anyway, so it's either already done, happens automatically or you will have to call them. You can check and see if the IP is assigned by looking in the modem's Gateway Summary, Network page at the two WAN DHCP IPs; one should be the highest (usable) of the group you were assigned.

So to pick one of the 5 IPs for the firewall you could assign 10.1.1.69/29 with a gateway of 10.1.1.70, or in other terms:

     IP Address: 10.1.1.69
   Network Mask: 255.255.255.248
Default Gateway: 10.1.1.70

 

Now, you can't use 10.1.1.x, but the 5 they gave you should fit the pattern of the 10.1.1.1 stuff I just laid out, so substitute the IPs you were given and go for it!

The LAN/inside interface on your firewall would be configured with a private subnet like 192.168.100.1 etc.

I don't think you'll have trouble after you get the modem and WAN IP/Default Gateway of the firewall configured. It's just a matter of knowing to use the True Static IP setting, no NAT/PortForwarding/DMZ, the modem has the highest IP in the group you were given and that IP is also your gateway..... simple, right? ;)

Good luck.

On another note, to see the Admin page of the modem you can simply connect a laptop or desktop to the modem and set the computer for DHCP. The modem ALSO gives out a private range like 192.168.0.X and will NAT traffic out to the internet, plus you can view the Admin page.

I'm not sure what the default IP of the modem is and mine has been altered, so you'll have to look at the manual. But once you get to the Gateway Summary, Network tab you should see the WAN DHCP stuff, which will show your Static IP Block and the IP that is from the block assigned to you as a DHCP WAN IP.
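
The addressing pattern described in the post above, as an added example that is not part of the original post: a Python sketch that derives the subnet, mask and gateway from the assigned addresses and checks a proposed firewall WAN setting against them. The function names are hypothetical, the sample uses the post's generic 10.1.1.x addresses, and it assumes, as the post states, that the modem holds the highest usable address of the block.

```python
import ipaddress

def plan_from_assigned(assigned):
    """Derive the routed block from the static IPs that were handed out.
    Assumption (from the post): the modem holds the highest usable address."""
    addrs = sorted(ipaddress.ip_address(a) for a in assigned)
    for prefix in range(30, 7, -1):  # try the smallest subnet first
        net = ipaddress.ip_network(f"{addrs[0]}/{prefix}", strict=False)
        reserved = (net.network_address, net.broadcast_address)
        if all(a in net and a not in reserved for a in addrs):
            hosts = list(net.hosts())
            return {"network": net, "mask": net.netmask,
                    "gateway": hosts[-1], "for_devices": hosts[:-1]}
    raise ValueError("addresses do not fit in one subnet")

def check_wan(plan, ip, mask, gateway):
    """Return a list of problems with a proposed firewall WAN setting."""
    problems = []
    ip, gateway = ipaddress.ip_address(ip), ipaddress.ip_address(gateway)
    if ipaddress.ip_address(mask) != plan["mask"]:
        problems.append(f"mask should be {plan['mask']}")
    if gateway != plan["gateway"]:
        problems.append(f"default gateway should be {plan['gateway']}")
    if ip == plan["gateway"]:
        problems.append("address belongs to the modem")
    elif ip not in plan["for_devices"]:
        problems.append(f"{ip} is not a usable host in {plan['network']}")
    return problems

# Constructed sample: the generic addresses used in the post.
ASSIGNED = ["10.1.1.65", "10.1.1.66", "10.1.1.67", "10.1.1.68", "10.1.1.69"]

if __name__ == "__main__":
    plan = plan_from_assigned(ASSIGNED)
    print(plan["network"], plan["mask"], plan["gateway"])
    # The setting from the post: no problems reported.
    print(check_wan(plan, "10.1.1.69", "255.255.255.248", "10.1.1.70"))
    # A constructed bad setting: broadcast address, wrong mask, wrong gateway.
    print(check_wan(plan, "10.1.1.71", "255.255.255.0", "10.1.1.65"))
```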

rukarin
New Member

Re: SMC business class gateway in bridge mode with Static IPs

> gregw

 

Oh wow, great answer! The step-by-step instructions taught me a thing or two and the problem is solved.

 

Is there any discernible benefit from using a separate Cisco router/firewall instead of the one on the SMC gateway, besides the additional features (e.g. IOS, VPN, VLAN)?

KenR
Visitor

Re: SMC business class gateway in bridge mode with Static IPs

I'm having a problem port forwarding telnet to my server.

As in your post, I have disabled everything. I use a FVS318N Netgear router; the 318 is connected to a switch with my network on it, including the server (192.168.1.xx static). The FVS318 has my Comcast static IP configured in the WAN settings (I only have one). On the 318 I have an inbound rule to port forward telnet port 23 to the server (192.168.1.xx). I can ping the static IP but cannot get thru on any port.

KenR
Visitor

Re: SMC business class gateway in bridge mode with Static IPs

As a note. I have the 318 handing out DHCP, not the Comcast modem.

ramasan
New Member

Re: SMC business class gateway in bridge mode with Static IPs

This may or may not be useful. In the old days, when Biz class internet came on the SMC or the recently retired Netgear, as long as you chose true static IP subnet only, everything routed through.

We just signed up for a new biz class service, and we got a new fugly Cisco/Linksys all in one box. Wish I had the model number in front of me.

Anyways, we could ping the router assigned IP address, but despite having our public IPs properly assigned to servers and our firewall, with correct access, they were not pingable. We double checked our configuration, double checked that true IP subnet was checked, power cycled, etc.

It took a call and escalation to Tier 2, but apparently there is something else that blocks inbound traffic on the network side. It took a call in to get inbound ssh, https, etc to those public IPs.


This may or may not help your situation, but it was a big speed bump for us on the new Linksys router.

tgoyette
New Contributor

Re: SMC business class gateway in bridge mode with Static IPs

I am not sure if I misread your post, which was excellent by the way, but if I understood it correctly you configured the WAN port of your firewall to connect to the Comcast router. Why did you use the WAN port and not the Outside port?  Again, great post.

Community Manager
Community Manager

Re: SMC business class gateway in bridge mode with Static IPs

tgoyette,

 

Thank you for bringing this post by ramasan to our notice.

We appreciate ramasan's input and your comments on it.

 

Thank you!