WHS on Comcast Business Class with Static IP's

[Quigs]

Hello,
I am a tech. I usually do well with network stuff but, I am in over my head here. I am trying to run WHS (latest version) on a static IP to serve web pages. I have Comcast Business Class with 5 static IP's. They provided me with an SMC 8014 modem/router. By reading the forums on here, mostly yeoldestonedcat, I was able to successfully connect a Netgear WNDR3700. So, I have an SMC8014 running NAT 192.168.1 on an external .70 IP this serves my home and office network, and the Netgear WNDR3700 running NAT 10.1.10 on an external .69 IP. I want to put the WHS server behind the NAT on the WNDR3700, yet I want it to connect to the home and office computers. Should I have both routers use the same NAT and divide the DHCP between them? Is it best to configure the routers to share networks? Should I use two NIC's in the WHS server and configure them for both networks? I am not sure which is the best way to proceed. My main goals are security and speed.

I thank anyone for any input, Quigs

[Mark Brown]

if you are worried about security, the smc is the wrong way to be going. You can listen to whom ever you like on that, but the fact remains that the smc is not secure. not even after the recent patch. Having just gone through this with comcast themselves i can tell you that it is not likely to change anytime soon either. i found this out sitting in my girls house one night trying in vain to access my network servers at home. Movies on there and such you see. It dawned on me that i had never done any port forwarding on the smc. quick google search got the manual but nothing i did got me access to the gui. called comcast they said that remote access was not supported. however. when i asked about and access methodfrom the users manual to download aconfig file, i also very clearly heard the words"we dont have a way of blocking connection type xxxxxx or ports x0x0 or x1(he choked at this point and said sorry wrong section) but the web gui is not supported". so i set off on my quest to do what comcast said i could not. read about the flaws they recently patched. thought about it for a bit and having never used xxxxxx before, i now have access to both the vendor side admin gui and the user side. stupidest thing i have ever seen in my life. i got the vendor admin first. and it was a typo when entering the port number that started it all. you would think that once the default user/password combo showed up online they would change it. they did not. though it is not the combo found in all of the security bulletins posted everywhere, those changed with the patch. the current ones are posted on a couple of different forums. so to sum this up, 40 yr old fat bald white guy with no computer savvy at all with the help of a moronic tech support guy who said something he should not have accessed the vendor side, enabled remote management, and now have access to user side. i tried port x0x0, port x1, and many other ports as well. 1am tired not paying attention tried something like 71.xxx.xxx.xxx/10.1.10.1 port x1 the third or forth post of user/pass i found well thats what i thought i typed anyways. port was actually x1x1 i was greated by the display shown in the users manual. not the one that you see when connecting from home attached to the smc directly. you know, the one that says welcome to comcast business gateway? Nope the one i hit didnt say anything bout comcast, lots of smc splashed everywhere. and with a minor exception or two looked just like the screen shots in the manual. i know very little of computer stuff other than point and click and some atmel dumping and flashing with a touch of hex editing and timing glitching (still tellin dtv they can suck it) i still have no clue what the f your supposed to do with xxxxxx other than what i did, got lucky but it was enough. if i can do it over the course of many many hours, what makes you think that a guy who knows his stuff and wants to access your stuff couldnt? and probably a heck of a lot faster. and if someone out there reading this "knows" about these things and would like to refute this claim, and you have smcd3g ccr, please by all means private me your comcast assigned ip addy wether static or dynamic just long as it is current when i read it, and i will block your access to the net from the admin side till you ask me nicely to unblock it. believe comcast has received many calls from me on this particular issue. i have posted many places about this issue. nobody wanna listen. all they gotta do is change the password format. they change the password once in a great while but not the format. as in D0nt4g3tme to something like C0mCaSTsux the words change but the format naw stays the same, and please, do believe them when they tell you the b.s. about the mso password of the day crap. as they have stated to me on several occasions, the vendor mso password is changed on a daily basis, it is randomly generated by the system and only available to bus. tech support. that is the goto opening statement of every tech i have spoken to. they dont change very often at all. besides, even if they did. a custom dictionary based attack easy enough to obtain or even write a .dic file that will use appropriate numbers in place of vowels on a random basis and instert a single digit instead of the word 4 instead of for,four ect. takes about 6 1/2 hours to to burn through all the possible combination for a 10 spot password. upper/lower case, numbers, and the substitutions on an AMD Phenom II X4 3.2GHz 8gb ram, 10,000 RPM WD VelociRaptor. using rusbmit to split the processing load over multiple cores analyzing with proc means. so seeing as they have no intention of changing the format, unless the change the password multiple times a day as to come in under that 6 1/2 hour mark, the password can be gotten. nope, not gonna give ya the password dont matter who you are, nope not giving you the port. and by all means BELIEVE comcast and the people that gonna come along after this and flame, when they say your secure. I did it, do it on a daily basis, not going to stop doing it cuz i need it, untill i find a better alternative to the smc its what i got. though could put it in pass through mode and use the back end to handle firewall and sec.

[YeOldeStonecat]

So, I have an SMC8014 running NAT 192.168.1 on an external .70 IP this serves my home and office network, and the Netgear WNDR3700 running NAT 10.1.10 on an external .69 IP.s

Leave DHCP enabled on the SMC, just put all your computers behind your Netgear...don't put any nodes behind the SMC. Having them all behind the Netgear allows you to keep them all on one network.