Setting up static IPs using a Comcast Business Gateway

[siggma]

Hey there. Yup Comcast's Customer Support was pretty prompt in handling my case. So I have the following setup now.

1. My router is connected to the SMC Gateway and has a public IP assigned to it
2. My Web Server is connected to the router and it has an internal IP (NAT)
3. I have allowed access to the Web Server by port forwarding port 80 requests on my router to the web server (using the internally assigned permanently leased DHCP generated IP address). In addition to this I had to configure port forwarding on the SMC gateway (True Static IP Management) to forward port 80 requests to the external static IP that my router is at. Without doing this even though the router was configured to pass all http (port 80) requests to the web server connected to it, it was not doing so, the gateway had to be configured too.

The last step poses another question for me, in this case how would I be able to have an additional Web Server serving http requests ? Port 80 on the SMC gateway is already pointing to the router.

After reading most of this thread it's become apparent that some of you don't comprehend what a "Router" is used for. Comcast has perpetuated some myth's in stating you can plug an additional router into the gateway.

Why would you ever want to plug one router into another router?
To add more NIC ports? NO, use a hub.
To get more addresses? YES, in very, very rare circumstances.
But you'd have to have thousands upon thousands of local computers on the local network to warrant adding a second router and it's subsequent additional NAT overhead.

NAT (Network Address Translation) is not free. It adds overhead to the TCP/IP protocol making packets headers longer than necessary. The Gateway is already a router and a NAT Firewall. There is no need to use a second device between your web server and the public internet.

Using the SMC Gateway Cable Modem you don't need a second router to serve pages to the internet and you don't need a separate router for other computers on the Gateway to use the internet. You can use the existing public IP of the gateway as long as you don't have any other service running on port 80 (web browsing is not a service, a web server is a service. NTP is a service, FTP is a service, SMTP is a service, POP3 is a service, IMAP is a service.). If you want to set up a second web server (Why???) plug it into the gateway, assign it a unique subnet IP (10.1.1.101) and use one of your other public IP addresses. Then forward port 80 for the second IP to the second web server. Using the SMC Gateway you can easily run four concurrent web servers. But again, why would you want to do such a thing? Even the fastest Comcast connection can be easily saturated by a moderate P4 or newer home computer running Apache2 or even IIS. And let's not forget torrents or emule.

First off I suggest you not use any version of IIS for web serving. Even Microsoft uses Apache2 for a web server on some of their sites that don't require MS specific services because it's just plain faster. IIS requires twice the RAM as Apache2 and its still slower. Apache2 runs under Unix, Linux, OS/X, PPC, and Windows on Sparc, Sun, Intel and AMD hardware and probably others so there is no reason to even install IIS. Plus, Apache2 is nearly free. (Do make a donation if you use it!) My home server runs Apache2 and uses a whopping 200-+ Meg of RAM on a 2Gig system. The remainder of the RAM is for disk cache. You need enough RAM in a web server so it almost never swaps. Swapping is the bane of any web server. Many Admins turn swapping off if they are confident the server will never need it. Mine can run for weeks without a single byte written to the swap file. If I see any swapping activity I check my logs. It usually means my configuration is messed up.

Onwards...

SMC Gateway Web Server; It's this easy:

1. Plug the web server computer directly into the gateway.
   
2. Configure it with a static IP on the same subnet as the gateway's DHCP server. Just make sure it's outside the DHCP range or you might end up with duplicate IP warnings and network failures/Gateway lockups. If the DHCP range is 10.1.1.10 to 10.1.1.50, 10.1.1.100 would be an appropriate address for your web server. Do make sure it's on the same subnet. Don't use 10.2.1.xx or 10.1.2.xx you'll have communication issues.
3. Always use 255.255.255.0 for the netmask everywhere unless you know EXACTLY what you are doing.
   
4. Set the DNS address of the server to the SMC Gateway IP (10.1.1.1) or whatever it is.
5. Set the Gateway address of the server to the SAME IP as the DNS above. In this case the Gateway serves as both your DNS and internet Gateway because it's acting like a computer itself. All data is passed between the gateway and the public IP. That's why it's called a Gateway.
   
   Alternatively you can look in the Gateway setup and set the DNS and Gateway addresses on the server to the values from the Gateway's public IP but it's unnecessary and one more thing to remember if you move the thing.
   
   
6. Navigate to your Gateway administration page in a browser and forward port 80 to the static IP of the web server. It's that simple.

Notes:

• Adding a second "gateway" or "router" between an existing gateway or router and your server makes it nearly impossible to debug communication issues. It also adds significantly to the TCP/IP packet header (sent with every 1500 bytes of data) and forces you to change port forwarding in up to three different devices if you want to make changes to your ports.
• Keep it simple. Read up on IP addressing schemes and make sure you know the difference between DHCP and DNS.
  If you are forwarding port 80 through a router you can disable the firewall on the server.
• There are two private network address ranges that are forbidden or ignored on the internet.
  192.168.x.x - 192.168.255.255 (65,536 addresses) is intended for personal home computers and small local networks.
  10.0.0.0 - 10.255.255.255 (1,048,576 addresses) is intended for campus sized networks for large corporations and educational institutions.
  REFERENCES

Lastly you can read some of my experiences with Debian/Apache2 here:
http://www.trbailey.net/tech/iptables.html

I currently run a home server at trbailey.net using a DSL modem and a web server. In my case the server acts as the "Gateway". No separate router, no hardware "Gateway". I ran across this post looking for experience setting up the Comcast Gateway I'll soon be using.
-Tom

[YeOldeStonecat]

After reading most of this thread it's become apparent that some of you don't comprehend what a "Router" is used for. Comcast has perpetuated some myth's in stating you can plug an additional router into the gateway.

Why would you ever want to plug one router into another router?
[*]Set the DNS address of the server to the SMC Gateway IP (10.1.1.1) or whatever it is.

You're missing the point of IP mapping. Matter of fact this is why the first IP address that Comcast assigns you is available for you to use on your own device. Thus your own router is getting the public IP address mapped to its WAN IP address. You are not double NAT'ing in this situation.

The SMC "gateway" is quite limiting. Suppose you want a much better router with substantially more features than that wimply little SMC can provide (not unlike the horrid SBC/ATT Yahoo "2Wire" gateways you get with DSL), or a UTM appliance.

Use the IP of the SMC for your servers DNS? Ever work with active directory before?

[siggma]

You're missing the point of IP mapping.

What, exactly, is "IP Mapping"?
Are you referring to "NAT" or a "Virtual IP"?
Can you provide a reference?

Matter of fact this is why the first IP address that Comcast assigns you is available for you to use on your own device.

Making sure we're talking apples and apples. The discussion is about Comcast Business Services, not residential. And what you say is apparently not correct. Generally speaking the gateway itself owns the static IP, not the device it's plugged into. The cable modem and some DSL modems as well, are configured when you turn it on by a BOOTP process. See: HERE for a discussion on how a docsys modem boots.

In any case, you cannot (apparently) plug in a Comcast SMC modem to NIC1, then assign your assigned static IP to NIC1 because the modem already has the address. It's not just a modem, it's a diskless computer in a box with an embedded router and firewall. It might even run a linux kernel...

Thus your own router is getting the public IP address mapped to its WAN IP address. You are not double NAT'ing in this situation.

Huh? Mapping?
No two devices on any network can respond to the same IP address or you get a huge collision, a hardware error and quite possibly a device lockup. Are you referring to bridged mode, where the router portion of the device is disabled? Apparently Comcast does not publicly support fully bridged mode for their gateways.

If the Gateway has a public IP and the external router requests a DHCP IP, or you assign it a static IP, the IP for the router will be NATTED through the gateway which adds overhead. Then any devices you plug into the router will be NATTED again, adding more overhead. If you then share the connection through the device plugged into the router you'll be NATTED one more time. Unnecessary overhead.
So again, huh?
And again, again, why?

Comcast business services is non standard when it comes to modems. The SMC Gateway modem itself has A (as in single) public IP, not the interface it's plugged into which is where much of the confusion comes from. I don't know for sure but they may share this special Gateway IP with many different modems when you request "bridged mode". In actuality I suspect it's configuring the gateway as a DHCP server so it will assign the range of static IP addresses that you purchased to the devices that are plugged into it, according to their MAC (hardware) address. In this case it's not using NAT, it's acting as a non standard local DHCP server for your local network. See: HERE. While the Comcast Business Services SMC Gateway apparently does not boot as a standard docsys modem, it does rely on the docsys standard to download it's configuration and assign itself an IP. I've read that you can whine at comcast and they will set your account up using a "Sticky" DHCP address. That way it works like a residential setup only it is always assigned the same IP making it "static", which is what I'm going to request when they do finally get here. The stick DHCP solution has the advantage that you don't need a gateway modem at all. You can use a standard docsys cable modem and set your server to DHCP and it will always get the same IP address. But, it will only work with a single IP.

Unlike an Actiontec DSL modem where I can place the modem in bridged mode and it acts like a dumb modem. No address, no gateway, no firewall, no NAT, no nothing. Just like an old dial up modem. However, the Comcast gateway downloads a Comcast specific custom configuration file upon booting. This configuration file assigns the Gateway itself an IP. It then translates the public static IP (using NAT) to an internal network address.

The SMC "gateway" is quite limiting. Suppose you want a much better router with substantially more features than that wimply little SMC can provide (not unlike the horrid SBC/ATT Yahoo "2Wire" gateways you get with DSL), or a UTM appliance.

It seemed to have rather extensive port configurations to me. Host, domain, IP, even URL blocking plus standard port forwarding and of course, routing tables. What else do you need in a router?

And, you can always set it to DMZ use the firewall and routing facilities of your server or desktop.

Use the IP of the SMC for your servers DNS? Ever work with active directory before?

192.168.0.1 is the default address
Windows internet sharing does this.
Nearly all commercial routers do it this way.

And, DNS is not the same as WINS. Active Directory uses a separate WINS server to find Windows specific services. If you have a windows domain server it will contain a WINS server and you'll need to configure it's IP separately on a Windows box. And the domain server can use the gateway IP for it's upstream (internet) dns. But since most web servers don't care about active directory services it's not really germain to this topic. Not to mention it's way beyond the scope of this discussion.
-Tom

[YeOldeStonecat]

When you sign up for a static business account with Comcast, refer to the information sheet that you are given. Compare the IP that the SMC obtains on the WAN interface, with the IP's in the block that are assigned to your account and are available for you to use.

No kidding 2x devices on the same network cannot have the same IP address, I never stated they would/should.

I think you need to go through a few dozen Comcast biz account setups to get familiar with their process.

I never stated the SMC would be reconfigured as a bridge either, versus how I setup hundreds of DSL modems. Again, refer to the IP that the SMC obtains, and the IPs you're given in your account info sheet from Comcast when you sign up.

And the default LAN IP for the SMC is not 192.160.xxx.xxx

siggma:"And, DNS is not the same as WINS. Active Directory uses a separate WINS server to find Windows specific services. If you have a windows domain server it will contain a WINS server and you'll need to configure it's IP separately on a Windows box."

Huh? Not true since quite a few years ago.

WINS...ahh good OLD WINS. WINS is long dead dude! Since Windows 2000/Server 2000 came out, WINS has been retired as a means of name resolution across a LAN. DNS does it all. WINS was used in the old NT 4 days, and sometimes it's used if some networks (god forbid) still have Win9X clients around for some who knows why reason.

When running active directory, your servers must...MUST..use the IP of the domain controller as their DNS server, and workstation clients MUST use that IP as their DNS server. So if the DC for the LAN has a LAN IP of 192.168.1.10, it MUST use itself as the DNS server in its TCP properties, and workstations must use 192.168.1.10 for their DNS server. If you replace .10 with the .1 address of the gateway, active directory will break, no name resolution, no proper AD logins, slow logins, all sorts of issues. The network will be broken.

[siggma]

It sounds like you're more interested in being "right".

TCP/IP networks are complex entities, and purposefully so. With greater complexity comes greater potential opportunity. There are many different ways to set them up. The topic is getting a web server to work through an SMC Gateway/Router via Comcast Business Services.

My statement that it's unnecessary to use a second router still stands.

You never provided any references for the term "IP Mapping". Google provides links to ip to map coordinate sites for the term.
I think you're referring to "Network Address Translation".

[YeOldeStonecat]

My statement that it's unnecessary to use a second router still stands.

You never provided any references for the term "IP Mapping". Google provides links to ip to map coordinate sites for the term.
I think you're referring to "Network Address Translation".

And I never said I like to double NAT either. Matter of fact...none of my clients are even on double NAT. You're missing the point when you "bypass" that SMC gateway and static assign the public IP address to your own firewalls WAN interface.

My statement that WINS is outdated and no longer commonly used still stands.
My statement that DNS provides local network browsing/name resolution still stands.
My statement that you need to look at your Comcast IP block information sheet still stands, and while at it..compare the WAN IP of what the SMC device gets....against the first IP in the sheet Comcast gives you. That's your first clue.

I've done around 25 maybe 30 setups on Comcasts biz product. The methods I've adopted in setting up there devices are based on listening to their techs recommendations in setting up your own router on their devices.

No it's not NAT.....I think you need to go through a few comcast biz setups and see what I'm talking about.

Web servers.....I would never...ever...put a web server inside of a basic NAT router alongside of my primary business network. Might as well remove the NAT and firewall....because your network is almost as exposed by that method. Orangee zone those web servers if you must host them on your own premises. Or..isolate them on their own behind their own routers, so that they're separated from the business network.

[siggma]

Ok, having successfully installed my Comcast SMC Gateway in "passthrough" mode without any external routers of any kind, here is how I did it. It's even easier than I thought.

As I suspected, the SMC gateway can operate in several different modes. That's why Comcast uses them, they are very flexible.

As a simple gateway (not for running services) it boots and request an ip from the "head". In this case the Gateway owns the single IP address. It then uses NAT to translate that public IP to network 10.1.10.x on the lan side of the Gateway. This is nearly identical to using a regular cable modem with an external router. The gateway has some internal features that a standard Linksys router does not, but it's operates in a very similar way. In this mode your firewall is in the gateway so you are limited by what it offers. This means you cannot load external firewall modules like TARPIT (a nasty way to discourage hacking) or conntrack (connection tracking/logging) or connlimit (connection limiting). Personlly I'd only use this if I were going to provide internet access only to a business.

As a gateway in "passthrough" mode it boots and requests two IP addresses. One for the gateway itself (so they [comcast] can address it) and one for YOU. It then assigns the lan interface the single static IP address you purchased from comcast and uses the gateway IP for it's tech interface. This is the mode I chose. I also disabled the firewall and router in the gateway since I already have my linux server set up as an effective firewall router. I also turned off the DHCP server in the Gateway since I already have one on my server as well.

To configure MY static IP address I simply assign the NIC on my server the IP they gave me, paying special attention to the nonstandard netmask and off It goes... I did have to fiddle with DNS servers since comcast supplies only lookup services on their DNS.

If I need or want a second static IP all I have to do is call. They edit the configuration on the "head" for my account and next time I reset the modem I get TWO static IP addresses on the LAN side. I would then add a second IP to the existing NIC or plug the Gateway (hub) into a second server and assign the NIC in that server the second IP address. I may end up doing this since comcast does not provide authoritative DNS servers for their business clients and I'd like to fiddle with having my own Authoritative DNS server for my puny little domain.

As for using this with a domain controller. The process is no different. Tell comcast you want your static IP(s) on the LAN side (up to 13 addresses) and let them do their setup on the "head". Reboot the gateway and vuala, your static IP(s) automagically appear on the LAN ports. Assign your domain controller(s) one or more static IP's and let er rip. You would then point your Windows CLIENTS at your domain controller through a hub or routers if you have that many windows clients, and let it/them serve ALL your network needs, including internet. There is no reason for a windows client box to even touch the gateway except through the domain controller. Setting up internet sharing on a domain controller is as easy as checking a few boxes in the configuration application. It's been a while since I had a version of Windows Server 2xxx running here. I dropped it because it was so slow and at the time it did not have good support for PHP.

And again, there is no need for an external router between the SMC and yoru servers, the SMC gateway is already a router.

As for address "mapping", there is no such thing. The gateway has two Ethernet interfaces in it. One on the cable side and one on the LAN side. They cannot both have the same address. When you request passthrough mode comcast writes a config for you on the "head" that requests two IP addresses. One for the gateway itself (cable side) and a second for the gateway to assign to the LAN side. They need that gateway IP (it's unusable to you except to gain access to the gateway web interface) so they can do remote testing and check your setup if it's buggered up. It's not used in any way for internet communications.

And that's the scoop. I'm writing this on my Vista desktop hooked directly to my internet server in the next room. My server is plugged directly into the gateway as this picture will verify. I have three NIC's in the server. One is a gigabit for my desktop, the second is unused and the third is my comcast gateway. It's a mess at the moment and I don't have a nice utility closet for a rack of Intel Xeon Quad core IX5 Server boards but it's home and it works.
-Tom

[siggma]

And I never said I like to double NAT either. Matter of fact...none of my clients are even on double NAT. You're missing the point when you "bypass" that SMC gateway and static assign the public IP address to your own firewalls WAN interface.

---snip---

I've done around 25 maybe 30 setups on Comcasts biz product. The methods I've adopted in setting up there devices are based on listening to their techs recommendations in setting up your own router on their devices.

No it's not NAT.....I think you need to go through a few comcast biz setups and see what I'm talking about.

I have gone through the setup and I still say NO to unnecessary external routers. Your Domain controller IS a router.

I think it might be a bit of confusion on your part about how the Comcast Gateway's work. See my post and ask comcast.

It also might be confusion on your part about how a firewall operates. It's nothing like the firewall they describe on, say, Stargate Atlantis...



Are you trying to convince us or are you interested in learning and developing your skills.

Web servers.....I would never...ever...put a web server inside of a basic NAT router alongside of my primary business network.

Not sure what you mean. Physically or in address space?
Isn't this exactly what you're describing,?

SMC Gateway->LinkSys/Cisco router->clients / servers

Is there perhaps an easier, less confusing way for you to do these setups?

SMC Gateway->Domain Controller->Windows Clients

Windows Domain Controllers have a stellar firewall and are RIP2 routers to boot. Making external routers unnecessary overhead. They are not as flexible as Linux with Iptables & tc but they have most of the features you'd want in a high quality commercial grade network firewall.
-Tom

[YeOldeStonecat]

As a gateway in "passthrough" mode it boots and requests two IP addresses. One for the gateway itself (so they [comcast] can address it) and one for YOU. It then assigns the lan interface the single static IP address you purchased from comcast and uses the gateway IP for it's tech interface. This is the mode I chose. I also disabled the firewall and router in the gateway since I already have my linux server set up as an effective firewall router. I also turned off the DHCP server in the Gateway since I already have one on my server as well.

I have gone through the setup and I still say NO to unnecessary external routers. Your Domain controller IS a router.

I think it might be a bit of confusion on your part about how the Comcast Gateway's work. See my post and ask comcast.

It also might be confusion on your part about how a firewall operates. It's nothing like the firewall they describe o
Web servers.....I would never...ever...put a web server inside of a basic NAT router alongside of my primary business network.
Not sure what you mean. Physically or in address space?
Isn't this exactly what you're describing,?

SMC Gateway->LinkSys/Cisco router->clients / servers

Is there perhaps an easier, less confusing way for you to do these setups?

SMC Gateway->Domain Controller->Windows Client

Exactly..you're almost getting my point. However, you'll find most IT guys that setup and support networks for businesses will not want a Windows server exposed on a public IP address. If you like running your Windows Server multi-homed doing RRAS..fine, but most of us in the community do not. Even if it were running ISA...too much maint and constant monitoring and patching. We prefer to keep our clients network fully protected behind NAT..and then some.

Do you do any work in consulting/supporting SMB networks? If you do, and you prefer the method of having your clients Windows servers and workstations on public IP addresses...wow, I hope your clients don't have much for information and can afford downtime while formatting machines on a regular basis.

You argue against using your own router behind the SMC...yet you quote "This is the mode I chose. I also disabled the firewall and router in the gateway since I already have my linux server set up as an effective firewall router."

I take the first public IP address from the block of 5 that Comcast assigns my client..and I assign that to the WAN/RED interface of a firewall/router that I put in place. This way the entire network is protected from the internet.

"External routers additional overhead?" Yet another service I don't want on a domain controller..besides the massive increase in a DC coming under attack from the internet, it adds overhead. We want our DCs running lean and mean doing basic infrastructure roles for our clients network. We don't use home grade routers either, we use business grade hardware at the minimum..so there's no performance loss here.

The basic mindset here...the SMC appliances used by Comcast are insufficient for most of my clients needs, sure they're fine for the average home user and very small business networks. But I, as well as many other techs, prefer to use superior routers/firewall instead of the SMCs.

Webservers...you'll find most IT consultants don't want webservers on the same LAN as the primary business network. Webservers are a huge security hole for the network.

What you're calling "passthrough mode"...you don't have to request that at all. When you sign up for a static biz account with Comcast...the modem getse installed. You are handed a sheet of paper with the details of your IP block they assign to your account. From that point on, you do what you want. Either use the SMC in its default mode..plug your network into it, your network gets a 10.1.10.xxx address..and yes you can indeed surf the internet. You state "It's not used in any way for internet communications."...that's not true, I can go to any of my clients..plug my laptop into the back of the SMC and my laptop will pickup a 10.1.10.xxx address..and I can surf the internet on the IP address the SMC has on the internet (which is a different IP from the static assigned IP to my firewall). That's the ease of leaving DHCP enable on the SMC..you actually don't have to disable it, since if you're using your own router with your assigned static IPs and you plug that info into the WAN interface of your own router.

[siggma]

Moved to a new thread, see here:http://forums.speedguide.net/showthread.php?t=262721

[antseo]

Hi. If I could piggyback on this thread and receive some help that would be great. I had a Juniper firewall tech come in to set up my new Juniper firewall. He installed 2 subnets..subnet 1 for personal use and subnet 2 for business use. I'll be setting up a new web server on subnet 2.

I do have comcast business line as well and 13 assigned to me according to the comcast tech that came out and set me up. I also called a business line tech last night to confirm that indeed those static ips were assigned to me. He comfirmed they were. He had me do an exercise where I ran the cable directly from the comcast modem to the laptop and we plugged in the tcp/ip settings and we confirmed the ip assigned to me came up (I believe in ipconfig in cmd prompt but I can't remember).

The problem arose after the firewall was set up that the ip showing up for us was not the ip assigned to me. It appeared to be an ip starting with 10.1.x.x but not the static ip assigned to me.

Also, a concern that this tech that installed the firewall had was that my name was not listed in the Arin Whois database for this range of ips. Comcast is mentioned in top and bottom lines. He said my name (or my company) should be on the bottom line. Is that correct? Should my name be listed there?

I also am going to be repurposing 2 other machines as dns servers into subnet 2 but this whole ip/firewall issue needs to be resolved first. The tech is coming back out tomorrow evening to figure out why the modem is sending the firewall the wrong ip (again, it's sending it the 10.1.x.x ip).

Also, my phone service is not working as a result of the firewall being setup. Not sure if anyone has insight into a fix on that too.

Any help is appreciated greatly.

[siggma]

The address you see (10.1.10.x) is from the Gateway. In default mode it generates an internal address via NAT.

To use a static IP, on the computer you plug into the interface, assign it one of your Static IP addresses. Also make sure you use the correct netmask and DNS servers from your Comcast sheet. It should then be "public", assuming you have a domain name registered and an A record pointing to your static IP.

[YeOldeStonecat]

Hi. If I could piggyback on this thread and receive some help that would be great. I had a Juniper firewall tech come in to set up my new Juniper firewall. He installed 2 subnets..subnet 1 for personal use and subnet 2 for business use. I'll be setting up a new web server on subnet 2.

I do have comcast business line as well and 13 assigned to me according to the comcast tech that came out and set me up.

Your setup is quite similar to all the prior posts in this thread, the 10.1.xxx.xxx is standard for the SMC. What you do with your 13 static addresses is up to you, but you have to go in and assign devices those additional public IP addresses. By default you don't have them.

What model Juniper?

[antseo]

The model number Juniper is the SSG5 with auxiliary backup. Just got it this week. It's using version 6.x I believe.

Where in the Juniper admin ui do I assign those static IPs? Which link in the tree nav do I go?

Also, any idea why my phone line is not working?

Also, is it a big deal that my company is listed in the Arin Whois DB? Users should be able to find my dns servers once I set those up, correct? This tech mentioned something about a reverse dns lookup but I don't know what that is about.

[antseo]

sorry, need to rephase that last question.. should be.. Also, is it a big deal that my company is NOT listed in the Arin Whois DB?

[YeOldeStonecat]

With your block of 13x static IPs....how you setup your network is dependent on a few things.
*How large will your network be?
*What "services" do you need to have on public IP address(es)

Once you kind of have an idea of what you expect out of your network, I'd have the Juniper tech come back..hand him that information about your static IPs from Comcast, and work with him on coming up with a network design and how to best implement the services you need, with your setup. I'd also include mentioning your phone service, since you say it stopped working once the firewall was up, I'm guessing you have a VoIP phone service? The guy that setup the Juniper needs to know that info, so he can setup the QoS 'n such for your VoIP service.

If you go to www.whatismyip.com is the IP address that shows up one of the IP addresses in your block from Comcast?

[antseo]

yes, I'm using voip using T-mobile @home service. They provided the Linksys router.

If the firewall is set up and I go to www.whatismyip.com, it's not one of my assigned static ips.

How would he set up the QoS and where is done.. in the linksys router settings, firewall settings?

[YeOldeStonecat]

Oh they have a Linky router too? Or just their VoIP box? How is that interfaced into the network?

[antseo]

not sure about that. T-mobile came in and installed the t-mobile@home service and set up the linksys router. now according my tech guy, the router has nothing to do with ip issue. the modem is not passing the correct ip to the firewall supposedly. when I plug in the cable directly from the modem to the laptop and change the tcp/ip settings, I get the correct assigned ip at www.whatismyip.com. When I remove those tcp/ip settings and plug in the firewall, I get the dhcp ip from comcast. So..

Subnet 1 = modem -> router -> subnet 1 on firewall which is personal
Subnet 2 = firewall (which is business) -> Internet port on linksys router

[YeOldeStonecat]

Usually with VoIP boxes, I'm not familiar with the ones from your provider, but I commonly setup similar ones from Vonage and other services in my area. The unit they send you is a router itself, but you can use it behind your current router just fine. It will have colored ports on it, probably blue and yellow, if you're using it behind your own router you use just 1 of those ports. Probably the yellow one, just uplink it to your primary switch which is plugged into your main router.