Netgate Discussion Forum

Comcast Business Bridge Mode

General pfSense Questions
  • J
    jrussell05
    last edited by Mar 31, 2023, 8:56 PM

    I have Comcast Business and have had my pfSense Protectli router/firewall working flawlessly for about 2 years. However, about a month ago Comcast performed a network upgrade and a few days later my internet quit.

    This problem seems very similar to a thread posted on Reddit, but no solution was ever given:

    pfsense Comcast Business Internet DHCP Bridge Mode

    If I reboot the pfSense router the WAN (public IP address) will get assigned via DHCP and the internet will work for about 5 minutes. Then traffic stops and the Gateway Monitor says 100% packet loss. Just like the article above, I disabled Gateway Monitoring. No help.

    I've tried a factory reset. I've even bought a brand new Protectli Vault and reinstalled a fresh pfSense and still same result, so not a hardware problem.

    Ironically, my old el-cheapo Netgear router is hooked up for now and is working fine. However, I want pfSense for the security and VPN.

    Any ideas?

    • N
      NollipfSense @jrussell05
      last edited by Apr 1, 2023, 12:14 AM

      @jrussell05 It seems that you should ask Comcast why bridge mode is not working... Alternatively, if it's a cable modem, you could try increasing the time on the WAN interface to 900 seconds, which is 15 mins. Check the option in the advanced config, see image below. It appears DHCP isn't holding on for completion of the leasing assignment... just guessing.

      Screenshot 2023-03-31 at 7.01.52 PM.png

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

      • S
        stephenw10 Netgate Administrator
        last edited by Apr 1, 2023, 1:34 PM

        What pfSense version are you running? It could be a VLAN0 issue.

        • J
          jrussell05 @stephenw10
          last edited by Apr 1, 2023, 1:52 PM

          @stephenw10 I'm running 22.05 on one unit and 2.6.0 on the new unit.

          • S
            stephenw10 Netgate Administrator
            last edited by Apr 1, 2023, 1:57 PM

            The VLAN0 (priority tagged) DHCP replies issue is solved in 23.01. If you're able to upgrade to that from 22.05 it would be a good test.
            Though usually that would cause DHCP to fail entirely, not after a few minutes.

            Failing after a few minutes like that sounds like an ARP conflict or possibly an asymmetric route somehow.

            Check the system logs for errors reporting something else using the WAN IP.

            Steve

            • K
              KStarRunner
              last edited by Apr 8, 2023, 6:48 PM

              One of my locations is having the same issue. In my case, it's Comcast consumer internet in bridge mode. Firmware version 23.01 is running on a Netgate SG-3100. It's been working fine for the last 3 years, until Friday morning the exact same symptoms started. Just like that Reddit article, it's a Cisco DPC3941B modem.

              This new behavior coincided with a new WAN IP being issued. My previous WAN IP had been unchanged for a year+.

              Unfortunately for me, it's at a remote site. So I can only access it for 5 minutes, every 20 minutes. Next time I can get in, I'll try to poke around the logs.

              • J
                jrussell05 @KStarRunner
                last edited by Apr 8, 2023, 7:40 PM

                @kstarrunner Sorry to hear you're having the same experience. I too am limited in my ability to diagnose the issue due to being remote. Comcast, despite being responsive, has been no help so far.

                Very interested to hear about anything you may learn.

                • K
                  KStarRunner
                  last edited by Apr 8, 2023, 9:42 PM

                  Dug through all the available logs. I could not find any mention of MAC address conflict. I disabled Gateway Monitoring, that didn't do anything. The only thing I found interesting was the following lines in the Gateways log:

                  Apr 8 11:42:19 dpinger 3039 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr COMCAST_GW_IP bind_addr MY_IP identifier "WAN_DHCP "
                  Apr 8 11:42:22 dpinger 3039 WAN_DHCP COMCAST_GW_IP: Alarm latency 0us stddev 0us loss 100%
                  Apr 8 11:42:45 dpinger 3039 exiting on signal 15

                  Those 3 lines keep repeating. Nothing else notable there.

                  • S
                    stephenw10 Netgate Administrator
                    last edited by Apr 9, 2023, 3:14 PM

                    Have you tried setting an external monitoring IP? Like 8.8.8.8.

                    It could be the Comcast gateway blocking the monitoring pings after 5mins.

                    • K
                      KStarRunner @stephenw10
                      last edited by Apr 9, 2023, 3:40 PM

                      @stephenw10 Just tried that, it made no difference.

                      • S
                        stephenw10 Netgate Administrator
                        last edited by Apr 9, 2023, 3:52 PM

                        Check the ARP table in pfSense when it's working and when it fails. Do you see the gateway IP listed correctly? Does the MAC address change?

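One way to run the ARP check suggested above from the pfSense shell, as an added example that is not part of the original post: it records the MAC that `arp -an` shows for the WAN gateway and logs every transition. The gateway address, interface name and sample snapshots are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed `arp -an` snapshots (FreeBSD format): working, failed,
# and a case where the gateway IP is answered by a different MAC.
SAMPLE_OK='? (203.0.113.1) at 00:01:5C:aa:bb:cc on mvneta2 expires in 1187 seconds [ethernet]
? (203.0.113.57) at 00:08:a2:11:22:33 on mvneta2 permanent [ethernet]'
SAMPLE_FAIL='? (203.0.113.1) at (incomplete) on mvneta2 expired [ethernet]
? (203.0.113.57) at 00:08:a2:11:22:33 on mvneta2 permanent [ethernet]'
SAMPLE_MOVED='? (203.0.113.1) at 00:1d:d0:44:55:66 on mvneta2 expires in 1200 seconds [ethernet]'

# gw_mac GW_IP: read `arp -an` output on stdin and print the MAC (or
# "(incomplete)") recorded for GW_IP, or "missing" if there is no entry.
gw_mac() {
    awk -v ip="($1)" '$2 == ip { print tolower($4); found = 1; exit }
                      END { if (!found) print "missing" }'
}

# classify OLD NEW: name the transition between two observations.
classify() {
    if [ "$1" = "$2" ]; then echo "unchanged"
    elif [ "$2" = "missing" ] || [ "$2" = "(incomplete)" ]; then echo "lost"
    elif [ "$1" = "missing" ] || [ "$1" = "(incomplete)" ]; then echo "learned"
    else echo "changed"
    fi
}

# watch_gateway GW_IP [INTERVAL]: poll the live ARP table and log each
# transition with a timestamp. Start it right after a reboot and leave it
# running across one working/failing cycle.
watch_gateway() {
    prev=$(arp -an | gw_mac "$1")
    echo "$(date '+%F %T') $1 initial $prev"
    while sleep "${2:-5}"; do
        cur=$(arp -an | gw_mac "$1")
        state=$(classify "$prev" "$cur")
        [ "$state" = "unchanged" ] || echo "$(date '+%F %T') $1 $state $prev -> $cur"
        prev=$cur
    done
}

# Offline demo over the constructed snapshots.
last=missing
for snap in "$SAMPLE_OK" "$SAMPLE_FAIL" "$SAMPLE_MOVED"; do
    cur=$(printf '%s\n' "$snap" | gw_mac 203.0.113.1)
    echo "$(classify "$last" "$cur"): $last -> $cur"
    last=$cur
done
```

A "changed" line means a different device started answering for the gateway IP, while "lost" means ARP resolution for the gateway stopped altogether.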
                        • C
                          chpalmer @stephenw10
                          last edited by Apr 9, 2023, 7:23 PM

                          @stephenw10

                          The Comcast business gateway device is not in true "bridge mode". That is the first thing to keep in mind. It still routes and can be a real pain.

                          If you do not have or need static IP addresses I would either buy my own modem only device or get them to rent you one. They can be quite the pain to get them (phone support) to cooperate with you on that path but once they do your life will get much simpler.

                          But please do share here what you do to get these working if you do, for others to search out.

                          Triggering snowflakes one by one..
                          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                          • K
                            KStarRunner
                            last edited by KStarRunner Apr 10, 2023, 11:09 PM Apr 10, 2023, 11:07 PM

                            Unfortunately, I'm limited by this being a remotely deployed firewall. After calling Comcast support, they dispatched a tech who replaced the Cisco modem with an "xFi Gateway" (aka Arris TG3482G). Unfortunately, the tech did not enable bridge mode. Fortunately, the IPsec tunnel still works. While I can still remotely manage the firewall over IPsec, I was using bridge mode to avoid the overhead of NAT-T.

                            Next time I can make it onsite, I'll try to switch it back to bridge mode. Will report back when I do. Kind of curious if this is a Comcast or a Cisco problem/bug.

                            Also agreed that purchasing a modem-only device is the best route. Unfortunately, there are complexities outside of my control.

                            • R
                              rcoleman-netgate Netgate @KStarRunner
                              last edited by Apr 11, 2023, 2:21 AM

                              @kstarrunner Does the Arris have a login page? Typically Comcast business modems have a default user/pass you can look up that will get you into the system.

                              I believe the username for Business devices is "cusadmin" but the password might be that, "password" or the SN of the device. This doesn't work always but often does.

                              Ryan
                              Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                              Requesting firmware for your Netgate device? https://go.netgate.com
                              Switching: Mikrotik, Netgear, Extreme
                              Wireless: Aruba, Ubiquiti

                              • K
                                KStarRunner @rcoleman-netgate
                                last edited by Apr 11, 2023, 3:28 PM

                                @rcoleman-netgate I'm not too worried about getting into the device. Usually there's a sticker on the bottom with the password; or the default password can be found online somewhere.

                                At this point, that location is back online, and the IPsec tunnel is working. While I "could" use the IPsec tunnel to access the modem, I'm not willing to risk it while remote. I'll switch it next time I'm onsite.
