Comcast Business Gateway to router

Jakobud

n00b
Joined
Nov 9, 2010
Messages
10
At our small business we have a Comcast Business Gateway. It's an SMC. Behind the gateway, we have a small Cisco Business Router (RVS4000). The IPs are set up like this:


Internet----> 50.130.xx.xx [ SMC Gateway ] 10.1.10.1 --------> 10.1.10.10 [ Cisco Router ] ---->network

50.130.xx.xx is static.

We have an OSX Server with file sharing (AFP protocol) behind the Router that we need remote employees to be able to access. So I set this up so far:

[Image: SVa8gxo.jpg]


AFP uses port 548. So when someone accesses our static IP address in OSX Finder (Go > Connect to Server), the Gateway should forward the request to 10.1.10.10, the Cisco Router.

Next on the Cisco Router:

[Image: 9jP0feq.jpg]


So now the Cisco router should be forwarding the request to the OSX Server (192.168.1.34 on the local network).

However, when attempting to access via AFP remotely, it just times out. Do I have this set up correctly? Am I doing anything wrong?

Alternatively, is it possible to set up the Gateway so that all requests basically go right through and ignore the Gateway's firewall and just use the Cisco Router?
 
Joined
Mar 17, 2011
Messages
14
At our small business we have a Comcast Business Gateway. It's an SMC. Behind the gateway, we have a small Cisco Business Router (RVS4000).

50.130.xx.xx is static.

Alternatively, is it possible to set up the Gateway so that all requests basically go right through and ignore the Gateway's firewall and just use the Cisco Router?

Cut out a good deal from the quote. Use your usable Static IP and bypass the SMC for sure.

If, say, 50.130.100.100 is your SMC gateway, you can assign the following to your WAN interface on your Cisco (this assumes that you only purchased a single Static IP from Comcast Business):

Interface IP: 50.130.100.99
Subnet Mask: 255.255.255.252
Gateway IP: 50.130.100.100
DNS (whatever you see fit...Comcast's are 75.75.75.75 and 75.75.76.76)
 

Nate7311

2[H]4U
Joined
Jan 11, 2001
Messages
3,320
What Jiveturkeyfive said. Only I'd recommend against Comcast's DNS servers. Typically overloaded, slow and occasionally have outages. Most around here recommend either OpenDNS or Google.
 

FrEaKy

[H] Movie and TV Show Review Guy
Joined
Jan 31, 2003
Messages
13,858
What Jiveturkeyfive said. Only I'd recommend against Comcast's DNS servers. Typically overloaded, slow and occasionally have outages. Most around here recommend either OpenDNS or Google.

OpenDNS if you need to block sites and whatnot, Google is great for everything otherwise! :)
 

Grentz

Fully [H]
Joined
May 5, 2006
Messages
17,208
Why are you using AFP over a public network? AFP is not nearly secure enough to just openly route over the internet.

Look into a VPN solution please!
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,160
Yeah... use a VPN. If you need something dead simple for employees, look into OpenVPN Access Server. Works very slick.
 

Jakobud

n00b
Joined
Nov 9, 2010
Messages
10
Cut out a good deal from the quote. Use your usable Static IP and bypass the SMC for sure.

If, say, 50.130.100.100 is your SMC gateway, you can assign the following to your WAN interface on your Cisco (this assumes that you only purchased a single Static IP from Comcast Business):

Interface IP: 50.130.100.99
Subnet Mask: 255.255.255.252
Gateway IP: 50.130.100.100
DNS (whatever you see fit...Comcast's are 75.75.75.75 and 75.75.76.76)

Okay I was reading something about this kind of setup, but it made me think that you needed to have two static IPs. I guess that assumption was incorrect. Why is it that setting our router up with a static IP that is 1 IP address smaller than our public IP makes the gateway get skipped on inbound requests?

Also, I've only ever worked with (and have basic understanding of) subnet masks for 255.255.255.0. What is the 255.255.255.252?

Also, I highly agree regarding the VPN and AFP. This is just temporary as I'm taking over for a previous IT guy at the company and the remote employees just need quick access right now.

Thanks!
 

Jakobud

n00b
Joined
Nov 9, 2010
Messages
10
Okay I have set up everything as you recommended. My router's WAN IP is now 1 IP address lower than our public static IP. Subnet Mask is 255.255.255.252. The Gateway is set to our public static IP. And I went ahead and went with Comcast's DNS servers for now.

Now, when I access our public IP address in the browser, I was expecting to see the login for our Cisco Router's admin page, but I still see the login for the Comcast/SMC Gateway/modem. I thought the point of the above configuration was so that requests skip the Comcast box. Did I misunderstand something? I can provide some screenshots of stuff if that helps, just let me know what you need.

Thanks again.
 

ND40oz

[H]F Junkie
Joined
Jul 31, 2005
Messages
12,424
You're not going to skip the Comcast gateway; that's how you're going to utilize your public IPs. You buy a block of IPs from Comcast of either 1, 5 or 13 IPs; in addition to that block, you get the gateway IP. That's where your subnet mask comes into play: your mask is dependent on how big a block of the subnet you have. How many static IPs did you purchase from Comcast?
 
Joined
Feb 22, 2009
Messages
928
Personally, I would ask Comcast to bridge it, because I had TWC bridge my Moto Surfboard so I can get my static IPs to my routerboard. I have 5 static IPs on my routerboard, but I cannot log in to the Surfboard anymore after it was bridged. But I would get it bridged to save you some time and pain.
 
Deleted member 214115

Guest
Why are you using the SMC device to perform NAT? How come you do not bridge it (if it is a multifunctional device Modem/router)? Or is there something I am missing here?
 
Joined
Feb 22, 2009
Messages
928
Comcast has to set up the bridge; you can't do it. Just stop pissing with the Comcast modem and have Comcast bridge it.
 

4saken

[H]F Junkie
Joined
Sep 14, 2004
Messages
11,878
I called Comcast Biz and had them set up bridge mode so it just all goes right through to my router.
 
Joined
Mar 17, 2011
Messages
14
A few of the replies you're getting are a bit misguided. If your SMC was put into bridge mode you would not be able to route the Public Static IPs that you purchased from Comcast. It would bridge the device to the WAN interface on your Cisco and you would pull a public IP, sure, but it would be a Dynamic IP from Comcast.

You're realistically assigned 4 IP addresses when you purchase a single usable Static IP. The subnet is a /30, or 255.255.255.252, so two of the addresses are immediately used for network/broadcast. Your usable/assignable IP (from our example, 50.130.100.99) is free to use however you see fit. The gateway IP (again, from our example, 50.130.100.100) is configured onto the SMC and allows for you to route your usable Static IP (note, a bridge mode loses this configuration). Both 50.130.100.100 and 50.130.100.99 are publicly accessible when both are assigned (one configured to the SMC, one configured to your network).

You could do standard port forwards to devices behind the SMC's NAT and publicly access those devices using 50.130.100.100. 9 out of 10 times, you won't have a use for this. It doesn't really hurt anything to leave NAT enabled on the SMC (Comcast Business tech support reps have the login to disable it). Once you have assigned 50.130.100.99 to your Cisco, that is your public IP. You no longer need to use 50.130.100.100 for anything unless you specifically configure something behind its NAT. Devices that are behind your Cisco's NAT will report 50.130.100.99 as their IP if you check whatsmyip.org or the likes.

When you are using your assignable Static IP (50.130.100.99) there is no longer anything at play as far as firewall/NAT goes from the SMC *on* the device using 50.130.100.99. Your traffic is simply routed through. It is, for all intents and purposes, a bridge mode.

Hope that helps to clear it up...
 
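The /30 arithmetic described in the post above, as an added example that is not part of the original thread: it splits a block into network, usable and broadcast addresses and checks that a static WAN interface/gateway pair is consistent before it goes onto the router. The function names and the 203.0.113.x addresses (documentation range) are constructed for illustration; the last call runs the post's own illustrative pair, which straddles a /30 boundary, so take the real values from the block Comcast assigned.

```python
import ipaddress


def describe_block(any_ip, netmask):
    """Break the subnet that contains any_ip into its address roles."""
    net = ipaddress.IPv4Interface(f"{any_ip}/{netmask}").network
    return {
        "cidr": str(net),
        "network": str(net.network_address),
        "usable": [str(h) for h in net.hosts()],
        "broadcast": str(net.broadcast_address),
    }


def check_static_wan(interface_ip, netmask, gateway_ip):
    """Return a list of problems with a static WAN config (empty = consistent)."""
    iface = ipaddress.IPv4Interface(f"{interface_ip}/{netmask}")
    net = iface.network
    gw = ipaddress.IPv4Address(gateway_ip)
    reserved = {net.network_address: "network",
                net.broadcast_address: "broadcast"}
    problems = []
    if iface.ip in reserved:
        problems.append(
            f"interface {iface.ip} is the {reserved[iface.ip]} address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    elif gw in reserved:
        problems.append(f"gateway {gw} is the {reserved[gw]} address of {net}")
    elif gw == iface.ip:
        problems.append("interface and gateway are the same address")
    return problems


if __name__ == "__main__":
    MASK = "255.255.255.252"
    # Constructed pair: router on the usable address, gateway on the other host.
    print(describe_block("203.0.113.101", MASK))
    print(check_static_wan("203.0.113.101", MASK, "203.0.113.102"))
    # Illustrative pair from the post: .99 and .100 fall in different /30 blocks.
    for line in check_static_wan("50.130.100.99", MASK, "50.130.100.100"):
        print("problem:", line)
```

Once the router holds the usable address, the post notes that the SMC's firewall and NAT no longer apply to it, so the router's own firewall is the only filter in front of anything it forwards.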

Grentz

Fully [H]
Joined
May 5, 2006
Messages
17,208
Even temporarily this is a horrible idea. Seriously, this is the internet. Someone could find it in minutes and start exploiting your files and information.

I am being a stickler about this as it's not only your data, it is other people's (coworkers, company, customers) that you are putting at risk.
 
Joined
Mar 17, 2011
Messages
14
Even temporarily this is a horrible idea. Seriously, this is the internet. Someone could find it in minutes and start exploiting your files and information.

I am being a stickler about this as it's not only your data, it is other people's (coworkers, company, customers) that you are putting at risk.

Yea. I really haven't stressed this a ton as I've focused on getting you to use your Static IP. But maybe start here if you're concerned about the technical side of setting up a VPN: https://openvpn.net/index.php/access-server/docs/quick-start-guide.html
 

tangoseal

[H]F Junkie
Joined
Dec 18, 2010
Messages
9,330
Why in the hell are you using the SMC as your router/firewall... Have Comcast put it in BRIDGE mode and use your own router and firewall. Comcast does not block ports and they do not secure any transmission with that gateway in bridge mode.

I know I have C business class and I am using a Cisco 1921 ISR G2 with IOS Zone Firewall and the SMC is just in vanilla cable modem mode.
 
Joined
Mar 17, 2011
Messages
14
Why in the hell are you using the SMC as your router/firewall... Have Comcast put it in BRIDGE mode and use your own router and firewall. Comcast does not block ports and they do not secure any transmission with that gateway in bridge mode.

I know I have C business class and I am using a Cisco 1921 ISR G2 with IOS Zone Firewall and the SMC is just in vanilla cable modem mode.

With Comcast Business Static IPs you can't be in a full on bridge mode...In your scenario, you're either paying for Static IPs and not using them or you are using a dynamic IP.
 

tangoseal

[H]F Junkie
Joined
Dec 18, 2010
Messages
9,330
I'm paying for static. I see you must not be. OK.

And yes I am in full bridge mode.
 
Joined
Feb 22, 2009
Messages
928
Well, you can have both static IP and dynamic IP, but if you go this route it will mess up your static IPs inside of your modem. It's best to just go straight bridge mode.
 

maw

Supreme [H]ardness
Joined
Sep 27, 2000
Messages
4,134
Why in the hell are you using the SMC as your router/firewall... Have Comcast put it in BRIDGE mode and use your own router and firewall. Comcast does not block ports and they do not secure any transmission with that gateway in bridge mode.

Is this something that can only be done on Comcast's end? Or is it just a matter of configuring the correct settings in the SMC? The reason I'm asking is that I have admin access to the SMC, and if I could avoid waiting on line to talk to someone competent, I would be more than happy to apply the settings myself.

I have tried tinkering with the SMC settings to see if I could disable the router functionality, but no luck so far.
 

athlon1.2

Supreme [H]ardness
Joined
Oct 10, 2001
Messages
5,489
If you have the msoadmin password (it's the same for everyone for SMC 8014) then you can telnet in and disable RG mode. But AFAIK it will not work for static IP! You do get 5 dynamic IPs if you don't pay for any static.
 

maw

Supreme [H]ardness
Joined
Sep 27, 2000
Messages
4,134
If you have the msoadmin password (it's the same for everyone for SMC 8014) then you can telnet in and disable RG mode. But AFAIK it will not work for static IP! You do get 5 dynamic IPs if you don't pay for any static.

I don't have the main admin password. I'll just give them a call later today.

Thanks
 

tangoseal

[H]F Junkie
Joined
Dec 18, 2010
Messages
9,330
Give them a call; they can convert it. Also make sure they turn off all DHCP, including DNS distribution or whatever it is called in that SMC box.
 

maw

Supreme [H]ardness
Joined
Sep 27, 2000
Messages
4,134
Give them a call; they can convert it. Also make sure they turn off all DHCP, including DNS distribution or whatever it is called in that SMC box.

I called Comcast Business and the person I spoke with was adamant that the router features of the SMC box cannot be disabled. It figures I'd get "that guy" :rolleyes:

Anyway, I found a workaround to my problem (DDNS on my router keeps updating my IP address to the internal LAN address of the SMC instead of the real Internet IP, which makes routing traffic to my web server problematic).
I disabled the DDNS feature in my router and installed an IP Update software tool on the server instead. I also went into the SMC box and put my router's LAN IP address in the DMZ. Everything seems to be fine now.
 

tangoseal

[H]F Junkie
Joined
Dec 18, 2010
Messages
9,330
Call and ask for a higher tier.... they lied to you ... adamant my ass.. I am sitting here telling you right now that I am running mine in 100% bridge mode. That guy at Comcast is an absolute utter fool.

Now, even in bridge mode it is a router technically; it is just passing everything through and doing ZERO NAT. You can even log in and turn off natting etc... yourself using ... 10.1.10.1 cusadmin/hispeed or highspeed, can't remember exactly.

Dig around and learn what's inside its extremely limited interface.
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,160
Call and ask for a higher tier.... they lied to you ... adamant my ass.. I am sitting here telling you right now that I am running mine in 100% bridge mode. That guy at Comcast is an absolute utter fool.

Now, even in bridge mode it is a router technically; it is just passing everything through and doing ZERO NAT. You can even log in and turn off natting etc... yourself using ... 10.1.10.1 cusadmin/hispeed or highspeed, can't remember exactly.

Dig around and learn what's inside its extremely limited interface.

They use RIP to route your statics to your modem. They can't disable routing on them. This may differ between regions, not sure.
 
Joined
Mar 17, 2011
Messages
14
They use RIP to route your statics to your modem. They can't disable routing on them. This may differ between regions, not sure.

It's RIP in every region.

Call and ask for a higher tier.... they lied to you ... adamant my ass.. I am sitting here telling you right now that I am running mine in 100% bridge mode. That guy at Comcast is an absolute utter fool.

Now, even in bridge mode it is a router technically; it is just passing everything through and doing ZERO NAT. You can even log in and turn off natting etc... yourself using ... 10.1.10.1 cusadmin/hispeed or highspeed, can't remember exactly.

Dig around and learn what's inside its extremely limited interface.

Asking for a higher tier will get you nowhere.. they are not customer facing and you're just wrong.

Static IPs will not route if the SMC is placed into a bridge mode, plain and simple. A full on bridge mode, mind you, means that the SMC is effectively a surfboard/pure passthrough device. All of the configuration that goes onto the SMC when it's set up to route Static IPs goes away in a bridge mode. While *not* in bridge mode, you CAN have NAT disabled, the firewall disabled to the True Static IPs, and LAN DHCP disabled. You CANNOT have a bridge mode while using Public Static IPs.

If you have Static IPs, you have to manually configure your network to utilize the addresses...can't be any clearer on it than that.

If you're truly confident that you know what you're talking about, PM me one of your Static IPs and I'll prove you wrong. If you haven't purchased a Static IP for your Comcast Business account, please stop lecturing the guy who has (the OP) on how to configure his network.
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,160
Hey jiveturkeyfive, since you work for CC, how do they route those IPs to you? I know they use RIP, but I can't wrap my head around how they can allow static IPs behind the gateway while still allowing DHCP and NAT for PCs using DHCP. Do you have a rough diagram on how everything is set up and IP'ed? I've asked this question before with no response.

I understand routing from the customer side where the ISP has their stuff set up properly, I just don't quite understand how it looks from the ISP side.

Maybe I'm missing something dumb here and it's not clicking.

PM if it's more appropriate than hijacking in here, but it could be useful info for all.
 