Netgate Discussion Forum

    Comcast 'business' modem requires you use DHCP

    General pfSense Questions
    • bobkoure

      I have a Comcast 'business' router. You can set your firewall to use your static IP and the router IP as a gateway, and you're in what I think of as "bridge lite" (everything gets passed to you, bypassing the cable box's built-in firewall).

      There are four CAT5/6 sockets in the back. If you plug a laptop in, you get assigned in the 10.1.10.0/24 range with gateway 10.1.10.1. That works fine. Even with your current firewall plugged in to a different socket and using the addresses to be in "bridge lite" mode.

      BUT if, like me, you are trying to set up a pfSense firewall in parallel, and you get clever, leaving the WAN address static, picking something in the 10.1.10.1/24 range with gateway 10.1.10.1, this will NOT work. Instead, you have to set your WAN to 'DHCP'.

      It seems the Comcast router will block your traffic if it did not actually assign you that address.

      I'm a pfSense noob and spent quite a while trying to diagnose what was wrong with my rules. It turns out they were fine.
      I'm posting this in case some other noob runs into the same issue and comes here looking for answers.

      • johnpoz LAYER 8 Global Moderator

        Huh? We have a business Comcast connection and use a public IP on the pfSense WAN. They gave us a static IP to use.

        We also have one here in this office connected to a Juniper and that is also a static public IP they gave us. Would have to go to the IDF room to see what port our firewall is plugged into. The pfSense is in a remote office so I cannot easily check what port pfSense is plugged into on the Comcast device.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • dotdash

          I've done plenty of Comcast Business setups, and they have all had CPE that ran a private network (10.1.10.0) but allowed you to pass through your static public subnet. You just put a public IP and gateway on your WAN and go. Sometimes you need to log in to the modem and look for the option to allow all traffic to the static subnet.

          • JKnott

            There are four CAT5/6 sockets in the back. If you plug a laptop in, you get assigned in the 10.1.10.0/24 range with gateway 10.1.10.1. That works fine. Even with your current firewall plugged in to a different socket and using the addresses to be in "bridge lite" mode.

            That doesn't sound like bridged to me. That address is in one of the RFC1918 blocks, not a public address. I'm on Rogers and if I use their modem as a router, I also get RFC1918 addresses, but since it's in bridge mode, I get a public address. How do you know your modem is in bridge mode?

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • bobkoure

              I have a static IP from Comcast. When I connect a firewall set to that static IP (and the associated gateway from Comcast), the firewall passes everything, so sort of a bridge, which I think of as bridge-lite.
              There are additional ports on the Comcast box. If I plug another device in, it will, indeed, assign in the 10.1.10.0/24 range.

              I plugged a pfSense in as an additional device (alongside our current firewall, which I'm phasing out). I 'got clever' in that I assigned a static address to the pfSense box in the 10.1.10.0/24 range.

              I got bit in that my traffic was blocked. I'd assigned an address I saw it previously assign to my laptop. I think it blocks traffic if it's from a MAC / IP address that it didn't actually assign with its built-in DHCP server.

              The point was simply to warn people not to out-clever themselves this way. Sounds like maybe I did that wrong, too?

              • johnpoz LAYER 8 Global Moderator

                "the firewall passes everything, so sort of a bridge, which I think of as bridge-lite."

                Huh? Sorry, that is nothing like a "bridge" nor a lite bridge ;)

                • bobkoure

                  Fine. That was Comcast tech support's name for it. You would call it…?

                  • BeingMoody

                    I have Comcast Business. My IP range is /29, so the following: x.x.x.222 is my modem/router, x.x.x.221 thru x.x.x.217 are available for routers. When configuring the WAN port I put in IP address x.x.x.x & x.x.x.222 as the gateway and all works well. Also, if I do plug into the cable modem with DHCP I do get a DHCP address like yourself.
