Setting up static IPs using a Comcast Business Gateway

[antseo]

Also, the comcast tech couldn't ping us. What does that indicate?

[YeOldeStonecat]

I'm surprised they gave you the internal IP of the SMC as your gateway, none of the setups I've done are like that. The gateway is an IP whose first 3 octets match the public IP address that I'm setting up (refer to my example post a few back).

Maybe call them and double check?

If you'd like to PM me the information Comcast gave you on that sheet.

Sometimes they do get a new kid who does the onsite install, and I suppose he could jot down the incorrect information for you.

If it's not setup properly, that explains why they get no replies when they ping you.

Back in a few (yes still haven't left yet)

[antseo]

Ok, I'll find out.

[antseo]

what is your PM handle?

[antseo]

I think the issue the SMC box. The static IP comes from the cable which is fine. however, once inside that SMC box, it translates it 10.1.10.x and I can't change it, neither can the tech at comcast supposedly. It's by design I'm thinking so that they can control it. I need to pass my static ip to the firewall but can't. I can't control the ports, set up mips nor vips from the firewall because of this issue. I'm stuck. Do you know of a way for me to control and change that gateway ip from inside the SMC management console?

[YeOldeStonecat]

Quote:

Originally Posted by antseo

I think the issue the SMC box. The static IP comes from the cable which is fine. however, once inside that SMC box, it translates it 10.1.10.x and I can't change it, neither can the tech at comcast supposedly. It's by design I'm thinking so that they can control it. I need to pass my static ip to the firewall but can't. I can't control the ports, set up mips nor vips from the firewall because of this issue. I'm stuck. Do you know of a way for me to control and change that gateway ip from inside the SMC management console?

The default IP address that Comcast gives you..I forget the name, it's like the service IP..but it's not a public IP from your block...that gets NAT'd by default to the 10.1.10.xxx scheme behind the SMC.

BUT...when you manually assign your own IPs to your own firewall, and uplink those to the SMC, they BYPASS the SMC, the SMC is out of the picture as far as a NAT box. That 10.1.10.xxx is no longer in the picture. It's IP mapping, or 1 to 1 NAT. Cable modems can work with several public IP addresses.

If you're still typing on 10.1.10.1 for your gateway...I'm 99% sure that's your issue. Just select my name in hte drop down menu and "Send a PM"

[antseo]

Ok, so how would I uplink those IPs to the SMC?

I also received the login credentials just now from the comcast tech to log in the SMC management console. Would I need to change the 10.1.10.x ip in there to my static ip?

I'm inputting in the correct IP in the firewall ui (and chooseing Static IP)..just can't get internet access when I do.

[antseo]

I see from another thread on another site, you mention..

"log into the SMC at 10.1.10.1, username:cusadmin, password:highspeed, disable firewall features..and then I uplink my own firewall into the SMCs LAN port..and assign my first usable static IP address on the WAN interface of my firewall."

Also, do I contact Comcast to request passthrough mode? I noticed Siggma above mentioned he had to do that?

[antseo]

Just got an email from comcast tech saying doing the above will allow the SMC gate to be in bridge mode. Again, I just need to pass that static ip to the juniper firewall.

[YeOldeStonecat]

Quote:

Originally Posted by antseo

"log into the SMC at 10.1.10.1, username:cusadmin, password:highspeed, disable firewall features..and then I uplink my own firewall into the SMCs LAN port..and assign my first usable static IP address on the WAN interface of my firewall."

Also, do I contact Comcast to request passthrough mode? I noticed Siggma above mentioned he had to do that?

That quote looks familiar!

I've never had to contact Comcast to request setting the modem into some mode, by following the instructions Comcast gave me..logging into the 10.1.10.1 address with cusadmin etc...THAT's all you need to do.

Actually it's not needed if you just need internet access. You don't even have to do it. If you want to run a web server (port 80), or a mail server (port 25)...you need to do this so the firewall doesn't get in the way.

[antseo]

yes, that's what I need. I'll run a few server including web server, dns server, email server.. I have a juniper firewall between the SMC router and the servers. The gateway ip is being passed to the firewall, not the static ip for me to control the ports, set up wips and vips. So you're saying that disabling the firewall in the SMC and uplink my own juniper firewall into the SMC's LAN port. Is that correct? So I need an ethernet cable from the firewall to the SMC, correct? There are 4 ports on the SMC router. which one? Port 1? Do you have time to IM chat this evening?

[antseo]

I have spent the last 3 days with a tech and on the phone with comcast. This is what I've learned..it can't be done. That darn SMC wants to be the primary firewall and my juniper will always be the secondary. Plus the SMC doesn't have a WAN port on it like the residential ones do. I logged into the SMC ui and there is no WAN link to control it. I need WAN to WAN but am getting LAN (SMC) to WAN (juniper).

For my 13 ips I used /28. Trying the Natting..didn't work. They say businesses are using the SMC device just fine but I'm thinking what they're not telling you is that yes these companies are using their business services and enjoying those static ips and download/upload speeds but they don't realize that SMC device is acting as their primary firewall which I don't want. I want to use a more robust firewall that is an industry standard such as the juniper firewall. Businesses are happy because "hey, it acts as a router AND a firewall..cool we're safe!"..in fact, no not really. Their susceptible to being hacked.

I disabled the SMC firewall inside the ui..doesn't matter. Won't work. Packets of data are not being routed. I'm going to ask if I can downgrade to a modem with a WAN on it and ask them if I can control my own firewall. Otherwise, Qwest DSL here I come..I know other developers who have web, dns servers using Qwest just fine (as long as your zip is within the right distance of course). There is a WAN on the Qwest modem. I can't ip mip nor ip vip with this comcast SMC configuration. They got me giddy on the download and uploads speeds but IT WON'T WORK! - my 2 cents

[YeOldeStonecat]

Quote:

Originally Posted by antseo

I have spent the last 3 days with a tech and on the phone with comcast. This is what I've learned..it can't be done. That darn SMC wants to be the primary firewall and my juniper will always be the secondary. Plus the SMC doesn't have a WAN port on it like the residential ones do. I logged into the SMC ui and there is no WAN link to control it. I need WAN to WAN but am getting LAN (SMC) to WAN (juniper).

For my 13 ips I used /28. Trying the Natting..didn't work. They say businesses are using the SMC device just fine but I'm thinking what they're not telling you is that yes these companies are using their business services and enjoying those static ips and download/upload speeds but they don't realize that SMC device is acting as their primary firewall which I don't want. I want to use a more robust firewall that is an industry standard such as the juniper firewall. Businesses are happy because "hey, it acts as a router AND a firewall..cool we're safe!"..in fact, no not really. Their susceptible to being hacked.

I can assure you that's not the case, I have quite a few clients on this setup, and when I encountered my first SMC gateway years ago, this is how the Comcast tech set me up on it. In one or two troubleshooting instances with other clients the Comcast techs followed this setup. And just a couple of months ago while setting up another client behind the SMC and putting in my clients own Cisco SMB router, the Comcast tech was onsite and stood over me as I did the setup..attempting to guide me through the steps but having done so many I had it memorized and flew through the steps ahead of him.

In no ways are my clients own routers some sort of secondary firewall, they all have their own public IP address and are providing services on that IP..I can ping them and get replies, I can VPN in, I can remote web workplace in, I can administer the firewall remotely...all that stuff.

As a test...can you get some "other" broadband router like some home grade Linksys just to run some test?

I'd all Comcast and ask for a higher level tech support. I'm surprised, the times I've called them they're fast and very sharp, one of, if not THE, best support of all the ISPs I work with. And that's quite a few different ISPs I deal with on a frequent basis.

Tell them you need to use YOUR OWN router as your main router, bypassing the SMC, and using one of your assigned public IP addresses.

I'm wondering if you have some different package, just a single static IP account, with 13x usable internal addresses or something like that.

[antseo]

The SMC doesn't have a WAN on it. Doesn't that matter? I tried to request tier 2 support, but once I mentioned I was using my own Juniper firewall, the entry level support couldn't create the ticket. not sure why.

As I said, I brought in a certified Juniper tech person who says the SMC is the hurdle. He says he can't ip mip and ip vip because of the SMC device and that its not sending the packets to outside world.

I'm on a business account, not residential. Maybe that's the difference. Also, does the SMC have WAN settings in the ui? The entry level tech at comcast was surprised at that.

[YeOldeStonecat]

Quote:

Originally Posted by antseo

The SMC doesn't have a WAN on it. Doesn't that matter? I tried to request tier 2 support, but once I mentioned I was using my own Juniper firewall, the entry level support couldn't create the ticket. not sure why.

As I said, I brought in a certified Juniper tech person who says the SMC is the hurdle. He says he can't ip mip and ip vip because of the SMC device and that its not sending the packets to outside world.

I'm on a business account, not residential. Maybe that's the difference. Also, does the SMC have WAN settings in the ui? The entry level tech at comcast was surprised at that.

I'm onsite at the client whom I posted those screenshots of their server room.
I'll take a few screenies so you can see...I'll post screenies of the SMC and its "whatismyip.com" address, as well as the interface of the Untangle UTM firewall on the next IP address.

You don't need a WAN port for the SMC, it's a combo modem/router...so the WAN is the coax in a way.

[antseo]

but my issue is that I'm trying to set it up passthrough mode and allow my Juniper firewall to be the primary firewall. It's not working. I have a conference all today with a SMC engineer and manager to see what they can do for me.

[sbradbury]

you are way overthinking this.

Assign the public IP address provided by comcast to the WAN interface on your juniper firewall and plug it into the comcast gateway. It will work fine, you don't have to change anything on the cable modem at all.

[antseo]

This is still not working and I have 2 smart guys working on this. What they are telling me is the issue lies with the SMC. We need to able to add multiple DMZ to juniper firewall. We need to set up different ips on different boxes and route it through the juniper. The 13 ips need to be passed to the juniper firewall in unnumbered mode. Any further ideas? YeOldeStoneCat, are you able to assist via chat or phone call outside this forum? Like I said, I have a juniper expert as well as a linux/network guru onsite and they can't get this SMC box to work.