Comcast business internet - migrating away from static IPs

Ryom

So here's my conundrum. I have Comcast business internet with 5 static IP addresses to host a few servers. Servers that I no longer am running. I'd like to drop the static addresses so I can save $20 a month AND so that I can use my own modem (Comcast forces you to RENT their modem to use static addresses for $12.95 PER MONTH) for a total substantial savings of ~$33 per month. However, I'd still like to have at least one internet routable address (i.e., not a 192.168.x.x or 10.x.x.x, etc) assigned to my personal PC to host various servers. My other equipment can connect via NAT'd addresses.

So I haven't actually had to toy with network configuration for over a decade now and I'm not certain of what I'm doing anymore. Is there a way I can assign the dynamic routable IP I get to my PC (via DMZ perhaps?) so I can host services without any drama and have my other equipment use internal addresses (192.168.x.x) to get internet service? How would I set this up?
 
Just use something like no-ip to handle a host name to dynamic public address. You can then use port forwarding to send whatever ports you want to an internal static IP address.

You can also drop the Comcast support down to a single static IP and save like 15 bucks a month. If you drop the just normal business server they still want you to use their modem though. FYI if you get a single static IP they really give you 2. One for their modem which you can open ports in and put something on and one for your device behind it.
 
If you want something more reliable gandi.net supports ddns using their API if I'm not mistaken.
//Danne
 
You cannot assign the public IP to your computer unless it is directly connected to the modem (and that's assuming you have a real modem not a router, which is quite common nowadays) and direct connecting an end-user computer (likely a Windows machine, reading this thread) is a laughably awful idea.

Just a question - why is port forwarding and DDNS "drama" - this has been standard practice for almost 20 years.. if this is drama, then you really shouldn't ever put a computer with a routable address on the internet.
 
I am currently using DDNS via Cloudflare API for a server I run out of my house. The most it goes down is 5 minutes if the IP changes and my script hasn't yet run. Of course you have to set a port forward through the router to access whichever port on the host machine.
 
With Comcast Business class you can in fact have a public IP on your PC. As long as there is no router between you and the modem as mwarps said.

Can you explain why you want the whole PC exposed to the internet? Let's say you're hosting a web server that works on port 80: It would be very easy for you to tell the router to send all traffic incoming on port 80 to your public IP to be forwarded to your web server. Five minutes of config at most. Post your router model and I'll show you how easy it is.
 
Just use something like no-ip to handle a host name to dynamic public address. You can then use port forwarding to send whatever ports you want to an internal static IP address.

I do this and it works awesomely. Like mentioned above as well is the issue of the IP changing, but I have seen the better part of a year go by with my IP never changing on FIOS.
 
ZoneEdit here... plain DDNS services are much less useful, IMO. I get tons more functionality from ZE. And I use my own domain (which itself is <$1/mo), not some stupid n3487023467280.stupiddyndnshostname.net garbage.
 
You cannot assign the public IP to your computer unless it is directly connected to the modem (and that's assuming you have a real modem not a router, which is quite common nowadays) and direct connecting an end-user computer (likely a Windows machine, reading this thread) is a laughably awful idea.

Just a question - why is port forwarding and DDNS "drama" - this has been standard practice for almost 20 years.. if this is drama, then you really shouldn't ever put a computer with a routable address on the internet.

I'm sure I don't have to repeat that NAT is not a firewall, and if you are relying on your NAT to act as a firewall that is a terrible idea. Better a PC with a routable address and a properly configured firewall and an attentive user than someone just depending on NAT to keep them "safe". Regardless of if you are NAT'd or not, if someone who really knows what they are doing wants into your network, they'll get in. A proper firewall and an up to date OS will stop the script kiddies.

The drama comes from maintaining the port forwarding list, programs that use unspecified or random ports and general headaches that come with NAT. I'm a big fan of the KISS philosophy and NAT is not KISS. I'll occasionally run various servers for use, for example: PLEX, Splashtop, FTP, BitTorrent, various game servers. I have dreamhost for my webserver. Anything not in use is shut down. The internet was designed to be connected to routable addresses end to end and we shouldn't be afraid of that. I can't wait for the day that IPv6 is in widespread adoption all the way down. I still run into issues connecting to friends who are behind NAT to this day, and I always offer to host because my connection just works. The way we get around NAT issues is to use technology that comes with its own security holes, like UPnP... kind of silly isn't it?

Thanks to everyone that contributed to the thread, I'll have a look at the options and see if I can't save myself some scratch every month. I think it's criminal how Comcast is using bogus "equipment rental" fees ($155 a year to "rent" a $75 gateway you'll have for at least 2-3 years) to sneak in rate hikes. They've been jacking the "rental" fee up regularly and they show no signs of stopping. They're going to keep going until some state AG slaps them down for it. For now, get your own modem if it's an option for you!
 
I'm sure I don't have to repeat that NAT is not a firewall, and if you are relying on your NAT to act as a firewall that is a terrible idea. Better a PC with a routable address and a properly configured firewall and an attentive user than someone just depending on NAT to keep them "safe". Regardless of if you are NAT'd or not, if someone who really knows what they are doing wants into your network, they'll get in. A proper firewall and an up to date OS will stop the script kiddies.


NAT isn't a firewall and I don't think that would ever be advised here. But, it is a good basic starter for those who aren't familiar with networking. Just adding NAT in consumer routers that flooded the market in the early 2000's cut down on A LOT of crap. I don't know how many are familiar with those days long ago, but it was pretty goddamn bad. Software will always be exploitable and holes exist that may never be found. That's the game. A routable IP with a properly configured router is no better than a consumer pre-configured cheapo firewall and NAT. If you're a bigger attack vector you're still at more risk. I mean a DDoS attack that can be rented by pissed off gamers these days, is unstoppable no matter what you do in reality.

A firewall is a firewall and is just a piece of software like NAT. Properly configured it'll do the job regardless. The point I think people are making is why unnecessarily expose yourself further if you don't need to.


The drama comes from maintaining the port forwarding list, programs that use unspecified or random ports and general headaches that come with NAT. I'm a big fan of the KISS philosophy and NAT is not KISS. I'll occasionally run various servers for use, for example: PLEX, Splashtop, FTP, BitTorrent, various game servers. I have dreamhost for my webserver. Anything not in use is shut down. The internet was designed to be connected to routable addresses end to end and we shouldn't be afraid of that. I can't wait for the day that IPv6 is in widespread adoption all the way down. I still run into issues connecting to friends who are behind NAT to this day, and I always offer to host because my connection just works. The way we get around NAT issues is to use technology that comes with its own security holes, like UPnP... kind of silly isn't it?

I get that. Tracking ports down can be painstaking sometimes when they're not readily available. NAT isn't really that complicated to set up though even on high-end professional grade tens of thousands of dollar routers. The basic formula is: A) Create a list of IP's to translate B) Write a rule to translate those IP's to the one public using PAT C) Apply your settings and if necessary add a firewall rule for the ports and services.

If NAT is too complicated that should be something you conquer. I do understand the simplicity of not using NAT and I'm pretty sure you're just more fed up with the hassles of NAT than not understanding it. For simply VOIP and VPN's alone NAT needs to die. It did us well these past couple decades. I think the UPnP thing is being overblown. Numerous reports came out clarifying it was a failed implementation (mostly in consumer level gear) where a few vendors and models were allowing UPnP to traverse outside the local network. By design that's not how it was intended. It's a failed implementation of the protocol that was probably as simple as removing a line of code unless they completely borked it. Nothing is fundamentally wrong with UPnP. The assumption is relational to your thinking that NAT is flawed and no better than using a public IP. If configured correctly it's fine, although from a security standpoint it is less control and networking nerds hate that.

Also I should mention, the original design of the Internet was routable IP's based on zones, but things changed and that's why we are here. That is no longer the case whatsoever and thank god it isn't. IPv4 is a broadcast design. The clusterfuck that would occur would be incredible.

Thanks to everyone that contributed to the thread, I'll have a look at the options and see if I can't save myself some scratch every month. I think it's criminal how Comcast is using bogus "equipment rental" fees ($155 a year to "rent" a $75 gateway you'll have for at least 2-3 years) to sneak in rate hikes. They've been jacking the "rental" fee up regularly and they show no signs of stopping. They're going to keep going until some state AG slaps them down for it. For now, get your own modem if it's an option for you!


I feel your pain. One of the reasons I refuse to go Comcast Business is because I have to rent their own stupid modem just to do it getting back on the fees. It's a shame they couldn't offer devices capable of doing what you want done (perhaps a multi-port modem of sorts?). If they actually did something constructive for their customers they probably wouldn't be the most hated monopoly in America.
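
The three-step formula in the post above (A: the addresses to translate, B: a PAT rule, C: a firewall rule for the forwarded ports), written out as an added example that is not part of the original thread. It assumes a Linux router running nftables, which nobody in the thread mentions; the interface names, addresses and the forwarded port are constructed. Translation and filtering sit in separate tables, which is the distinction the "NAT is not a firewall" exchange turns on.

```nft
# Added example: constructed interface names, addresses and port.
flush ruleset

define WAN = "wan0"              # hypothetical interface facing the modem
define LAN = "lan0"              # hypothetical interface facing the LAN
define LAN_NET = 192.168.1.0/24  # A) the addresses to translate
define SERVER = 192.168.1.10     # internal static address of the hosting PC

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Port forward: publish one service (TCP 32400 here) on the server
        iifname $WAN tcp dport 32400 dnat to $SERVER
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # B) PAT: all internal hosts share the one public address
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}

table inet filter {
    chain forward {
        # Filtering is a separate decision from translation: default drop
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname $LAN oifname $WAN accept
        # C) only connections that matched a DNAT rule above may enter
        iifname $WAN oifname $LAN ct status dnat accept
    }
    chain input {
        # Traffic addressed to the router itself
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $LAN accept
    }
}
```

A router "DMZ host" setting corresponds to replacing the single `dnat` rule with one that forwards every inbound port to the server, at which point the server's own host firewall is the only filter in front of its listening services.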
 
For what it's worth, I also have Comcast Business, and also had to switch to a "dynamic" IP so that I could use my own modem. The Dynamic IP I was assigned however, has not changed since the day I got it - years ago. I don't even bother with DDNS since it is essentially static. I have heard this is pretty common for business customers.
 
For what it's worth, I also have Comcast Business, and also had to switch to a "dynamic" IP so that I could use my own modem. The Dynamic IP I was assigned however, has not changed since the day I got it - years ago. I don't even bother with DDNS since it is essentially static. I have heard this is pretty common for business customers.

Same, except mine changed once but that is it.
 
Yeah, when I had Comcast business with my own modem my IP never rolled, even moving houses across town! Having a few static IPs would be nice but not at the cost of having to use their modem, NAT is good enough.
 
It's pretty common for Comcast consumer accounts too. IP address assignments from them are very sticky. If you are using IPv6 it is true for their prefix assignments too. I'm over 3 years on the same IPv4 address and have had the same IPv6 prefix assignment since I set it up early this year.
 
OP here. I've dropped the static IPs and had them register my personally owned modem. Kept the business account since they don't mess with your connection, rather than go all the way down to residential. I hear there is a speed upgrade in the works that's already hit the residential plans and is to be rolled out to business accounts. Feels nice to drop my internet service bill from $103 to $70 :)

I dropped my PC in the DMZ on my router and so far everything is running smoothly. Haven't had any issues with hosted servers so far and my router has NAT pass-through for VPN connections.
 