Ok, so, here is a simplified version of what I'm trying to do. I have 2 static IP addresses. The main IP address (let's say it's 126.96.36.199) and the secondary IP address (let's say it's 188.8.131.52).
On my internal network, I have two computers. Let's call them 192.168.1.1 and 192.168.1.2.
I have several servers running on 192.168.1.1 and I want them to be accessible from the internet. I accomplish this on the 'Firewall' -> 'Port Configuration' -> 'Port Forwarding' page of the gateway. I set up several rules and everything is working as I would expect. A port scan of 184.108.40.206 from a machine on the internet shows that only the ports that I forwarded are open to the internet.
I have a few servers running on 192.168.1.2 as well and I also want them to be accessible from the internet. I want these servers to be available from the 220.127.116.11 address. To accomplish this, I go to the 'Firewall' -> '1-to-1 Nat' page. I click 'Add new' and then put in '18.104.22.168' for the public ip address and 192.168.1.2 for the private ip address.
On the 'Firewall' -> '1-to-1 Nat' page, the 'Disable All' box is UNchecked. The 'enable' button next to my new ip address translation is checked.
On the 'Firewall' -> 'Port Configuration' -> 'True Static IP Port Management' page, I have created one rule. I named it http_server2, port range 80 to 80, protocol tcp/udp, true static IP range 22.214.171.124 to 126.96.36.199.
On this same page, 'Disable all rules and allow all inbound traffic through' is UNchecked, 'block all ports and allow exceptions below' is selected from the dropdown and my new rule is 'enabled'.
Under 'Firewall' -> 'Firewall Options', the option 'Disable Firewall for True Static IP Subnet Only' is UNchecked.
Now, if I do a port scan of 188.8.131.52 from a machine on the internet, it shows ALL of the ports on 192.168.1.2, not just port 80 which I enabled! Which is to say that the router is passing all traffic from 184.108.40.206 to 192.168.1.2. This is not what I want. I want all ports blocked except port 80 passed through. The above configuration seems the most intuitive for what I'm trying to accomplish; nonetheless, I've tried a few others, but it seems no matter what I do, it's all or nothing. Either 220.127.116.11 passes everything through, or nothing through, depending on the configuration I use.
Does anybody know how to get this working? Is this a flaw/limitation in the comcast supplied Business Gateway? Do I need to buy my own router to accomplish what I'm trying to accomplish?
Welcome Max_Power. The 1 to 1 NAT function is designed to forward all traffic from the public IP to the private IP. This is not a limitation of the gateway. Port filtering or blocking has to take place on the private network. The port forwarding function allows traffic to specific ports. You can assign the IP 18.104.22.168 directly to the device and remove the 1 to 1 NAT entry, or utilize a separate firewall/router for the added management and security.
Thanks for the response!
Can you tell me what the SMC ui page is used for that's located at:
'Firewall' -> 'Port Configuration' -> 'True Static IP Port Management'
Which looks like this:
If that page didn't exist, then I would totally understand that the SMC is only capable of passing the IPs through or directly mapping them to intranet IPs. But the existence of the page mentioned above seems to indicate that the SMC is capable of acting like a port filtering firewall for the 22.214.171.124 address.
I blurred out my lines to protect the guilty, but, in the parlance of this discussion, one of the lines would look like this:
http_server_2 80 TCP/UDP 126.96.36.199 (enable is checked)
Whether I configure the SMC to NAT 188.8.131.52 to 192.168.1.2 or if I configure my second machine to use the IP address 184.108.40.206 and disable 1-to-1 NAT, the rules on this page seem to have no effect. Either all ports are passed or none are passed. So, that being the case, what is that page used for?
Ok, never mind. I think I understand how this works now. Basically, for an additional static IP address your options are as follows:
1) Use 1-to-1 NAT to map the external static IP to an internal IP. In my example, 220.127.116.11 would be mapped to 192.168.1.2. When using this method, everything is passed and no firewalling or port blocking is possible (on the SMC, that is; you can always throw in your own additional equipment to act as a firewall, of course).
2) Set your internal equipment to use the actual external IP address. In my example, the machine at 192.168.1.2 would be configured to use the IP address of 18.104.22.168 instead. When using this example, firewalling and port blocking can be performed. This is set up on the 'firewall' -> 'Port Configuration' -> 'True Static IP Port Management' page of the SMC UI.
Thanks again, John, for your assistance.
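The diagnosis in this thread came from comparing an external port scan against the one rule that was supposed to be in effect. The following added example (not from this thread, the SMC gateway, or Comcast) automates that comparison: it parses nmap grepable (-oG) output and reports any open port that the intended allowlist (here, port 80 TCP/UDP, mirroring the http_server2 rule) never permitted. The scan text and the 203.0.113.20 address are constructed placeholders.

```python
import re

# Allowlist mirroring the single "http_server2" rule from the thread:
# port 80, TCP and UDP. Assumed to be the only intended exposure on the
# secondary public IP.
ALLOWED = {(80, "tcp"), (80, "udp")}

# Constructed sample in nmap grepable (-oG) format, standing in for the
# external scan of the secondary IP. The address is a documentation
# placeholder, not a real host.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.20 ()\tStatus: Up
Host: 203.0.113.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 53/closed/udp//domain///\tIgnored State: filtered (65530)
# Nmap done (constructed sample)
"""

# Each entry in the Ports: field looks like  port/state/proto//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/")


def open_ports(grepable: str) -> set:
    """Return {(port, proto)} for every port reported as open in -oG output."""
    found = set()
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # Isolate the tab-delimited Ports: field from the rest of the line.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                found.add((int(port), proto))
    return found


def unexpected_exposure(grepable: str, allowed=ALLOWED) -> set:
    """Open ports reachable from outside that the allowlist does not cover."""
    return open_ports(grepable) - allowed


if __name__ == "__main__":
    extra = unexpected_exposure(SAMPLE_SCAN)
    if extra:
        print("Gateway is passing more than the allowlist; unexpected open ports:")
        for port, proto in sorted(extra):
            print(f"  {port}/{proto}")
    else:
        print("Only the allow-listed ports are reachable.")
```

With the 1-to-1 NAT mapping in place this reports 22, 443 and 3306 as unexpected, which is the "all or nothing" behaviour the thread describes; with a host firewall or the True Static IP rule doing its job the set comes back empty.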