Routing a static IP

TeeJayHoward

Limpness Supreme
Joined
Feb 8, 2005
Messages
11,603
I've got a Comcast business connection with a static IP that I'm finally getting around to setting up. On my old connection, I used the modem as a gateway and set up port forwarding. There was only 1 static IP assigned. It was assigned to the modem. Everything worked, and the world was good. On the new connection, the same setup works, but my gateway IP and my assigned static IP are different. I suppose my external gateway IP could change one day. Am I supposed to plug in a device of my choice into the modem, assign it the static IP I was given, and route my traffic through there instead? Like... Without NAT?

tl;dr: External gateway IP and assigned static IP do not match. What do?
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
mmmm

you have just 1 static IP? are you sure "external gateway" isn't supposed to be the default gateway for your static?

or do you have an additional static network that you're supposed to route?
 

michalrz

2[H]4U
Joined
Jun 4, 2012
Messages
3,670
Yeah, not a 100% clear explanation.

I think you're asking about ip passthrough?
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
well the ISP can provide you with a static IP along with a static network for YOU to route through it (or they sometimes offer an on-prem router for this)

i have a centurylink DIA set up this way... i like providing the router that way i have an extra usable IP

whereas TWC DIA i have they just give you a range, a bit simpler
 

TeeJayHoward

Limpness Supreme
Joined
Feb 8, 2005
Messages
11,603
Yeah, not a 100% clear explanation.
All righty, my bad. Lemme try again.

Static IP given to me by comcast: 1.2.3.4
External IP on the modem: 1.2.3.5

Simplified network layout: Modem (1.2.3.5 / 192.168.0.1) -> Server (192.168.0.2), with port 80 passed through

If I try to access my web server from outside my network I can only do it from the modem's IP (1.2.3.5), NOT from the static IP Comcast gave me (1.2.3.4). Am I supposed to give the server the 1.2.3.4 IP instead of 192.168.0.2?
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
mmmmm, still not clear, maybe because of the fake IPs... are they on the same subnet?

what is the subnet mask for both IPs?
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
mmm, looks like you just have dhcp still enabled on your router.... and somehow that works still...

router should be set up with a static WAN for that .245, with default gateway of .246, instead.... of what you have

your "WAN Default Gateway Address" should be what your WAN IP Address is, and WAN IP address should be .245

if you manually set that and it still doesn't work it seems like they may have your service configured improperly... really shouldn't have a dhcp address on your modem (DHCP Client should be disabled, at least for ipv4)


EDIT: or.... wait a minute... is this your router? it's possible you should have another router behind this one...
 

TeeJayHoward

Limpness Supreme
Joined
Feb 8, 2005
Messages
11,603
or.... wait a minute... is this your router? it's possible you should have another router behind this one...
That's the cable modem/router. The only one in the network. Behind that I have a server. The more I think about it, the more I think that the cable modem should be set up in bridge mode, and I should have a firewall/router/etc sitting behind it with the .245 IP.
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
That's the cable modem/router. The only one in the network. Behind that I have a server. The more I think about it, the more I think that the cable modem should be set up in bridge mode, and I should have a firewall/router/etc sitting behind it with the .245 IP.
so, what kind of address does that server have on it? a local?
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
As GC asked above, were you given a netmask along with the IP?
they gave him a /30, told him to use .245 ip and that his default gateway was .246....

but he showed the config on his modem/router that it had the .246 ip as its WAN address, with its own default gateway on another subnet (iirc)

edit: well it would have had to have been another subnet due to no ip space left... that's what was weird about it
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
The more I think about it, the more I think that the cable modem should be set up in bridge mode, and I should have a firewall/router/etc sitting behind it with the .245 IP.

i think this is likely the answer, btw...

but depends on what that modem/router can support... if it's got multiple separately configurable ports (not just a switch internally) or the ability to do vlans, you could conceivably configure it to do both... run a private network as well as routing through to a 2nd publicly addressed network...
 

SJConsultant

2[H]4U
Joined
Jan 14, 2004
Messages
3,600
Let's say Comcast assigns you a static IP of 203.0.113.1/30 as your static IP and a default gateway of 203.0.113.2. Typically the gateway IP address is assigned directly to the Comcast cablemodem, and yes, you can use the cable modem's control panel to perform simple port forwarding using 203.0.113.2 as the outside IP address to an internal private IP.

Now if you take your own firewall and assign the WAN interface an address of 203.0.113.1/30 with a default gateway of 203.0.113.2 and plug that into the cablemodem, the cablemodem is smart enough to bridge the traffic on that port.

In essence you really have two static IPs you can utilize: the gateway IP (203.0.113.2) can be port forwarded to the private IP address, and the assigned static IP (203.0.113.1) you can assign directly to another device such as a firewall.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
824
I'll premise this by saying I have no idea how comcast does things. That said, most enterprise class ISPs will route a customer IP block to the WAN address of the customer premises router, which is not included in the assigned block. Typically a /30 would be used between the access router and the customer-prem WAN-side router interface. The IP block purchased/rented or otherwise paid for by the customer would be routed by the ISP to the WAN IP of the customer router, leaving the customer to use their /xx any way they like.

Using 1918 vs public addresses for example:

Access network - 192.168.1.0/30
Customer static - 10.1.1.0/30

AR --- 192.168.1.1 ----------------------- 192.168.1.2 --- CR --- Internal network

In the above example the ISP would route 10.1.1.0/30 to 192.168.1.2. The customer could then, from the CR, route the block further into their network, or assign one IP to a DMZ interface and the other to a server, or use both IPs to static NAT to internal hosts, or whatever else they like. The point being, if a customer buys/rents a /xx the ISP should not be using any of the customer's IPs for management.
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
Let's say Comcast assigns you a static IP of 203.0.113.1/30 as your static IP and a default gateway of 203.0.113.2. Typically the gateway IP address is assigned directly to the Comcast cablemodem, and yes, you can use the cable modem's control panel to perform simple port forwarding using 203.0.113.2 as the outside IP address to an internal private IP.

Now if you take your own firewall and assign the WAN interface an address of 203.0.113.1/30 with a default gateway of 203.0.113.2 and plug that into the cablemodem, the cablemodem is smart enough to bridge the traffic on that port.

In essence you really have two static IPs you can utilize: the gateway IP (203.0.113.2) can be port forwarded to the private IP address, and the assigned static IP (203.0.113.1) you can assign directly to another device such as a firewall.
this seems quite feasible to me...
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
The point being if a customer buys/rents a /xx the ISP should not be using any the customer's IPs for management.
definitely not always the case... have a TWC Fiber DIA that is configured exactly that way... first usable is the gateway (i guess that makes it not a usable :/ )

i've also got a CenturyLink DIA configured the way you describe

they can do it either way...
 

SJConsultant

2[H]4U
Joined
Jan 14, 2004
Messages
3,600
Here is how Comcast does static IPs in the South Jersey/Philly region.....

Business Class/Cablemodem
You'll purchase your choice of static IP options, a /30 (one usable), /29 (5 usable), /28 (13 usable) etc.....

/30 - One IP is assigned to the cablemodem to serve as the default gateway. The other IP is statically entered onto your device and the device gets plugged directly into the cablemodem.
/29 - One IP is assigned to the cablemodem to serve as the default gateway. The other 5 IPs are statically entered onto your device (or devices) and they get plugged directly into the cablemodem.
/28 - One IP is assigned to the cablemodem to serve as the default gateway. The other 13 IPs are statically entered onto your device (or devices) and they get plugged directly into the cablemodem.

If you know CIDR, then you'll realize that a /30 is two usable IPs, /29 is 6 usable IPs, and a /28 is 14 usable IPs. Comcast always uses one of those IPs as the default gateway for the rest of the IP block.


For EDI (Enterprise) internet, you'll receive two IP blocks; the first block is a /30, one IP for Comcast and the other for your routing device. Once you have established connectivity, Comcast will route your static IP block down to you with a next hop of your routing device. In this manner, you have full usage of all IPs for a /29, /28, /27, etc.

Keep in mind with EDI, you can use the /30 static IP and do some port forwarding for an extra IP address, but I generally recommend not doing that as if you ever need to change the circuit or port the IP block, you'll need to change out your /30 which in turn means updating any DNS records, or other configurations associated to it.

Source: I work for an educational IT provider and have moved many edu's over to our internet services which is built on top of Comcast Metro Ethernet.
 

Raekwon

2[H]4U
Joined
Nov 29, 2001
Messages
2,054
I've worked with a variety of providers using a /30 - /28 and we had our device using one of the assignable IPs and pointing a default route towards the provided gateway, one of the IPs in the usable space of your subnet. Pretty much what SJConsultant said.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
824
I've worked with a variety of providers using a /30 - /28 and we had our device using one of the assignable IPs and pointing a default route towards the provided gateway, one of the IPs in the usable space of your subnet. Pretty much what SJConsultant said.

I don't think you understand basic routing or you're not describing the experience correctly. This is what you are describing:

AR-O ----link---- O-CR-I


Static block 192.168.1.0/30

AR-O 192.168.1.1 255.255.255.252 **** must be the case per your description and routing 101 ****
CR-O 192.168.1.2 255.255.255.252 ***** as you describe ****
Default Route on CR = 192.168.1.1

If the ISP uses an address from the /30 for the external interface of the CR, the other address must be used on the other side as the default route. This is basic routing 101, as you cannot route to an off-network IP. No address remains for customer use. This method provides only a static address on the CR's external interface. This is useful, yes, but barely worth paying for.


If your ISP is doing this then the minimum useful size of a static block is a /29 subnetted to 2 /30s. One /30 is used for the link the other is left for the customer's own use. The downside is that now 6 pricey IP addresses have been wasted vs 2.

It makes far more sense for the customer router's external interface to be assigned a link address not out of the customer-rented block. If your access link is DOCSIS then this would likely be a static or DHCP-reserved address out of a larger subnet, i.e. a /21.

As previously stated I have no experience with Comcast, but I do have multiple private circuits and a DOCSIS connection in my lab from TWC, AT&T and Verizon, and each of them does things the way I describe. The link IPs, and thus my default, are all separate and non-contiguous from my leased blocks.
 

Cmustang87

Supreme [H]ardness
Joined
Oct 4, 2007
Messages
4,498
When you are given a static IP address from your ISP, you are actually given 2 IP addresses from a /30 block. You need 2 IP addresses because 1 IP address is used as a default gateway (ISP equipment) for your router, and the other IP address is used as a WAN IP address for your device.

For example, 1.2.3.4/30 (1.2.3.4 is your network ID, 1.2.3.7 is your broadcast - 1.2.3.5 and 1.2.3.6 are your usable IP addresses). Your ISP is already using 1.2.3.5, leaving you only able to use 1.2.3.6 on your WAN interface.

If you purchased additional blocks of IP addresses (say, something like 24.19.10.64/28 -> giving you 14 additional usable IP addresses), your ISP will route that traffic to their gateway, most likely with a dynamic routing protocol like BGP. You would need to set any of those IP addresses you want to use on your router so your device responds to ARP on that interface. These are generally virtual interfaces for simplicity's sake.

From that point, you rely on your firewall/router for the NAT/firewall ACLs to permit inbound traffic from the untrusted internet zone (WAN). The destination IP address in the packet never changes and will be 1.2.3.6 until it traverses a NAT rule, which will be your firewall, and it will translate that IP address to the private IP inside your network, where it would then translate the SOURCE IP to 1.2.3.6 for any return traffic.

TL;DR - You can't use the ISP's address of 1.2.3.5 because it is already being used by their node, which is the gateway your router is using to reach the internet. All devices must have a gateway of some sort to communicate with other networks, otherwise they can only communicate with other devices on their same subnet. If the device is trying to send a packet to 15.20.30.40 it uses its default gateway (your ISP - 1.2.3.5) to get there.
 
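Added example (not code from the thread or from any poster) that works the subnet arithmetic SJConsultant, Nicklebon and Cmustang87 describe above: the Comcast-style block where the ISP's gateway is one of the customer's own usable addresses, and the enterprise-style layout where a separate link /30 carries the AR/CR hop and the customer block is routed to the CR. The function names, the Plan record and every address (203.0.113.x, 198.51.100.x, 192.168.1.x, 10.1.1.x) are constructed for this example; the checks flag the "off-subnet gateway" situation the original poster hit.

```python
"""Work out which addresses a customer actually gets from an ISP static block.

Two provisioning styles from the thread are modelled:
  * in-block gateway: the ISP's default gateway is one of the usable
    addresses of the customer's own block, so that address is lost;
  * routed block: a link /30 sits between the ISP access router (AR) and
    the customer router (CR), and the customer block is routed to the
    CR's link address, so every host address in the block stays usable.
All addresses used are constructed documentation / RFC 1918 values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Plan:
    block: ipaddress.IPv4Network          # the customer's static block
    gateway: ipaddress.IPv4Address        # next hop the customer router points at
    wan_address: ipaddress.IPv4Address    # what the customer router puts on its WAN side
    customer_usable: list                 # addresses left for customer hosts / static NAT
    problems: list                        # why the configuration cannot work as given


def plan_in_block(block_cidr: str, gateway: str) -> Plan:
    """Comcast-style: the gateway lives inside the block it serves.

    block_cidr may be written on the assigned address ("203.0.113.1/30");
    strict=False normalises it to the network ("203.0.113.0/30").
    """
    block = ipaddress.ip_network(block_cidr, strict=False)
    gw = ipaddress.ip_address(gateway)
    hosts = list(block.hosts())
    problems = []
    if gw not in block:
        # The "routing 101" point from the thread: a host cannot use a next hop
        # it cannot ARP for, so an off-subnet gateway is a misconfiguration.
        problems.append(f"gateway {gw} is outside {block}; it is not reachable on-link")
    elif gw not in hosts:
        problems.append(f"gateway {gw} is the network or broadcast address of {block}")
    remaining = [h for h in hosts if h != gw]
    if not remaining:
        problems.append(f"{block} leaves no address for the customer once {gw} is taken")
    wan = remaining[0] if remaining else None
    return Plan(block, gw, wan, remaining, problems)


def plan_routed(link_cidr: str, access_router: str, customer_link: str, block_cidr: str) -> Plan:
    """Enterprise-style: link /30 for the CR/AR hop, customer block routed to the CR."""
    link = ipaddress.ip_network(link_cidr, strict=False)
    ar = ipaddress.ip_address(access_router)
    cr = ipaddress.ip_address(customer_link)
    block = ipaddress.ip_network(block_cidr, strict=False)
    link_hosts = list(link.hosts())
    problems = []
    for name, addr in (("access router", ar), ("customer link", cr)):
        if addr not in link_hosts:
            problems.append(f"{name} address {addr} is not a host address of link {link}")
    if ar == cr:
        problems.append("access router and customer link addresses collide")
    if block.overlaps(link):
        problems.append(f"customer block {block} overlaps the link subnet {link}")
    # Nothing in the block is consumed by the ISP: all host addresses are the customer's.
    return Plan(block, ar, cr, list(block.hosts()), problems)


def usable_count(prefixlen: int, isp_takes_gateway: bool) -> int:
    """Host addresses left for the customer in an IPv4 /prefixlen block."""
    total = ipaddress.ip_network(f"0.0.0.0/{prefixlen}").num_addresses
    hosts = total - 2 if prefixlen < 31 else total      # drop network + broadcast
    return hosts - 1 if isp_takes_gateway else hosts


if __name__ == "__main__":
    for plan in (plan_in_block("203.0.113.1/30", "203.0.113.2"),
                 plan_in_block("198.51.100.245/30", "198.51.100.1"),
                 plan_routed("192.168.1.0/30", "192.168.1.1", "192.168.1.2", "10.1.1.0/30")):
        print(plan)
```

Running the block prints one Plan per scenario; the second call reproduces the original poster's symptom (static address and gateway in different subnets) and reports it as a problem rather than silently picking an address.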

Nicklebon

Gawd
Joined
May 22, 2006
Messages
824
If you purchased additional blocks of IP addresses (say, something like 24.19.10.64/28 -> giving you 14 additional usable IP addresses), your ISP will route that traffic to their gateway, most likely with a dynamic routing protocol like BGP. You would need to set any of those IP addresses you want to use on your router so your device responds to ARP on that interface. These are generally virtual interfaces for simplicity's sake.

Big heaping tablespoon of NO!

The additional blocks are routed to the outside interface of your router, aka the WAN interface. Once they hit that interface you can route the block, or a subnet thereof, anywhere you like. You most certainly don't need to ARP respond, since the IPs are routed directly to the interface. That said, if you are using some ancient firewalls and are using some of these IPs for static NAT, then proxy ARP may be needed. I've not seen need for that, however, since very early Check Point days.
 

Cmustang87

Supreme [H]ardness
Joined
Oct 4, 2007
Messages
4,498
Thank you, Nicklebon - I misspoke.

What I meant to say is that the ISP will route all destination traffic to your router as the next hop for that traffic. When you are using NAT in this example, your router/firewall will respond because you are NAT'ing the traffic through. If you are doing passthrough, the firewall will not respond in this way.
 
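Added example (not code from the thread or from any poster) that traces the two delivery paths Cmustang87's posts above contrast: a NAT firewall that port-forwards inbound traffic to a private host and rewrites the reply's source back to the WAN address, versus a passthrough device that holds the public address itself and is handed the packet untouched. The class and field names are constructed; 1.2.3.5/1.2.3.6 and 15.20.30.40 follow the thread's own placeholder numbering, 192.168.0.2 is the inside server from the original post, and 203.0.113.1 is a constructed passthrough address.

```python
"""Trace a port-forwarded connection through a NAT firewall, and contrast it
with passthrough (bridged) delivery. Constructed example; addresses are
placeholders following the thread's numbering.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    """Default-deny inbound: only an explicit forward creates a translation."""

    def __init__(self, wan_ip: str, forwards: Dict[int, Tuple[str, int]]):
        self.wan_ip = wan_ip
        self.forwards = dict(forwards)      # WAN port -> (inside IP, inside port)
        # Active translations keyed by the inside 4-tuple so replies can be matched.
        self.conntrack: Dict[Tuple[str, int, str, int], int] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the untrusted (WAN) side; None means dropped."""
        if pkt.dst != self.wan_ip:
            return None                     # not ours, e.g. addressed to the ISP gateway
        target = self.forwards.get(pkt.dport)
        if target is None:
            return None                     # no forward rule: inbound ACL drops it
        inside_ip, inside_port = target
        self.conntrack[(inside_ip, inside_port, pkt.src, pkt.sport)] = pkt.dport
        # DNAT: destination becomes the private host; source is untouched.
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply from the inside host. Only tracked sessions are translated here;
        brand-new outbound sessions are left out to keep the example to the
        forwarded flow."""
        wan_port = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if wan_port is None:
            return None
        # SNAT: the remote side sees the WAN address, never 192.168.x.x.
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport)


class PassthroughHost:
    """A device holding the public address directly (bridge / IP passthrough):
    nothing is translated, and the host alone decides whether it answers."""

    def __init__(self, public_ip: str, listening: Tuple[int, ...]):
        self.public_ip = public_ip
        self.listening = set(listening)

    def receive(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != self.public_ip or pkt.dport not in self.listening:
            return None
        return pkt                          # delivered unchanged


if __name__ == "__main__":
    fw = NatFirewall("1.2.3.6", {80: ("192.168.0.2", 80)})
    print(fw.inbound(Packet("15.20.30.40", 51000, "1.2.3.6", 80)))
    print(fw.outbound(Packet("192.168.0.2", 80, "15.20.30.40", 51000)))
    print(PassthroughHost("203.0.113.1", (80,)).receive(
        Packet("15.20.30.40", 52000, "203.0.113.1", 80)))
```

The point the model makes visible is that with NAT the inside host never sees the public address and is reachable only on ports with a forward rule, whereas with passthrough the host's own listening services and host firewall are the whole exposure surface.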

Raekwon

2[H]4U
Joined
Nov 29, 2001
Messages
2,054
I don't think you understand basic routing or you're not describing the experience correctly. This is what you are describing:

AR-O ----link---- O-CR-I


Static block 192.168.1.0/30

AR-O 192.168.1.1 255.255.255.252 **** must be the case per your description and routing 101 ****
CR-O 192.168.1.2 255.255.255.252 ***** as you describe ****
Default Route on CR = 192.168.1.1

If the ISP uses an address from the /30 for the external interface of the CR, the other address must be used on the other side as the default route. This is basic routing 101, as you cannot route to an off-network IP. No address remains for customer use. This method provides only a static address on the CR's external interface. This is useful, yes, but barely worth paying for.


If your ISP is doing this then the minimum useful size of a static block is a /29 subnetted to 2 /30s. One /30 is used for the link the other is left for the customer's own use. The downside is that now 6 pricey IP addresses have been wasted vs 2.

It makes far more sense for the customer router's external interface to be assigned a link address not out of the customer-rented block. If your access link is DOCSIS then this would likely be a static or DHCP-reserved address out of a larger subnet, i.e. a /21.

As previously stated I have no experience with Comcast, but I do have multiple private circuits and a DOCSIS connection in my lab from TWC, AT&T and Verizon, and each of them does things the way I describe. The link IPs, and thus my default, are all separate and non-contiguous from my leased blocks.

We do have a handful of single static IPs where a firewall sits with an outside interface, default route out that interface and an ISP modem on the other end. Besides chunking out half the space for the ISP side of that, how does it not work and how do I not understand routing? I would keep the insults to yourself next time.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
824
We do have a handful of single static IPs where a firewall sits with an outside interface, default route out that interface and an ISP modem on the other end. Besides chunking out half the space for the ISP side of that, how does it not work and how do I not understand routing? I would keep the insults to yourself next time.

What I said was you didn't understand basic routing OR you didn't describe your situation correctly. Hardly an insult since you came back and clarified your description. RIF

I still contend that using IPs that are non-contiguous to the customer's leased block for link addressing is the SOP for every ISP I've dealt with, which, as I stated plainly and clearly, does not include Comcast.
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
What I said was you didn't understand basic routing OR you didn't describe your situation correctly. Hardly an insult since you came back and clarified your description. RIF

I still contend that using IPs that are non-contiguous to the customer's leased block for link addressing is the SOP for every ISP I've dealt with, which, as I stated plainly and clearly, does not include Comcast.
or TWC
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
824
TWC most certainly does it the way I describe here. I've a TWC connection in my lab.
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
TWC most certainly does it the way I describe here. I've a TWC connection in my lab.
and i have a 200mb TWC fiber DIA with a /28 in production that isn't that way...

that was my whole point... they can do it either way....
 

Raekwon

2[H]4U
Joined
Nov 29, 2001
Messages
2,054
and i have a 200mb TWC fiber DIA with a /28 in production that isn't that way...

that was my whole point... they can do it either way....

Exactly. I have connections from TWC, Comcast, Windstream, Mediacom, many more and a transit link that doesn't suck up an IP because it's in a separate subnet makes sense, however is not mandatory.
 