Netgate Discussion Forum

    No Internet after upgrading Comcast Business Gateway/modem

    General pfSense Questions
    27 Posts 6 Posters 5.9k Views
    • bazzacad

      Thanks for the reply.
      No, my interface isn't in the 10.1.10.X local IP range.
      It's the public static IP Comcast has given to me, the same goes for my other WAN interface.

      And the gateways are set up like so.

      The other "WANGW" is working fine. If I set it to be the default, the internet works fine. If I change the default to "CMSTGW" then I can no longer access the internet.

      • Cool_Corona

        If the Comcast modem is not in bridge mode, then it's using a NAT'ed IP and not the public one.

        • bazzacad @Cool_Corona

          @Cool_Corona
          I just tried this, but it didn't allow it. Should I be setting it to something else?

          • Gertjan

            You can't do that.
            Change the setting of the WANCMST interface to "DHCP"

            If your WANLMI WAN interface also has a router in front of it - not some device in 'bridge' mode - you should do the same for that interface.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • Cool_Corona

              If it's in NAT mode, then as @Gertjan stated, use DHCP to get the new lease.

              • bazzacad

                OK, I tried as you said, but then I could no longer ping or SSH into my public IP from the outside.

                • Gertjan @bazzacad

                  @bazzacad said in No Internet after upgrading Comcast Business Gateway/modem:

                  @Cool_Corona
                  I just tried this, but it didn't allow it. Should I be setting it to something else?

                  Could work, if you finished the setup ;) If all incoming traffic is NATted from 50.2xxx.xxx.130 to 10.1.10.1 - then you should set your pfSense WAN IP to static and set it to 10.1.10.1 etc.
                  Basically, the DMZ option (left menu) offers you identical functionality.

                  @bazzacad said in No Internet after upgrading Comcast Business Gateway/modem:

                  but then I could no longer ping or SSH into my public IP from the outside.

                  You are aware of the fact that you have a router (pfSense) in front of the router (Comcast) ?

                  So, when the ICMP comes in, what is the first router that packet meets ? The Comcast Router !! Right ?!
                  So : question back : does the Comcast router reply to ICMP ? This is probably an option to set in this router.

                  My router has this option :

                  It says : should the (ISP) router reply to ping : yes or no.

                  Or, another possibility : use plain old NAT.
                  Add a NAT rule using the ICMP protocol (NOT TCP, NOT UDP) - The ICMP doesn't use ports. The destination IP should be the IP that Comcast assigned to pfSense. In this case, the Comcast router just forwards incoming ICMP packets to pfSense, and you have to set up pfSense to deal with it.

                  NATting TCP and UDP is classic. Every router on planet earth can handle that. ICMP NATting is less known. Only the manual of your router - or you looking through the GUI menus, will tell if it is possible.

                  Btw : NATting is an ancient thing, and needed for IPv4 stuff.
                  When you start to use IPv6, you can throw away the NAT knowledge.
                  ( and be ready to learn 'new' things - loads of it )

                  • chpalmer

                    Take a read here. I'm running out the door but maybe this will help.. :)

                    https://business.comcast.com/help-and-support/internet/comcast-business-static-ip-local-area-network/

                    https://business.comcast.com/help-and-support/internet/comcast-business-internet-view-your-static-ip-address/

                    https://business.comcast.com/help-and-support/internet/using-a-static-ip/

                    Triggering snowflakes one by one..
                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                    • bazzacad @chpalmer

                      @chpalmer
                      Thanks for the links, they are helpful. I think I need to set the static route on the Comcast modem, but the instructions don't match the UI.

                      The instruction says to enter the Destination IP, but the UI asks for the Destination Subnet.
                      So I think the Destination IP/Subnet should be: 50.2xx.xxx.134 & the Subnet Mask should be 255.255.255.248. Does that look correct to you?

                      • bazzacad

                        Or maybe turning on the DMZ & setting pfSense as the DMZ Host...?

                        • dotdash

                          You should be able to just check the box to bypass the firewall for the true static ips.

                          • bazzacad @dotdash

                            @dotdash
                            Sorry, which box are you referring to? Enable DMZ?

                            • dotdash

                              On the Comcast gateway, there should be a checkbox 'bypass firewall for true static ips' or something like that. Do you have a dynamic ip, or a static subnet?
                              Never mind, should have read the whole thing. The static subnet also needs to be entered on the Comcast box 'public subnet' maybe? You shouldn't need to go into static routing, or use DMZ mode.

                              • bazzacad @dotdash

                                @dotdash
                                Thanks for the help.
                                Yes the Comcast firewall is fully turned off.

                                Sorry, I'm not sure what you mean by the static/public subnet. I'd think they'd configure that on their end. Where would I set that?

                                • dotdash

                                  On the older gateways, you look under gateway, firewall, ipv4, then check the box. If you see the public IP on the sheet they gave you under status, that should be all you need.
                                  EDIT- yours looks like the one I have access to. You should be able to get it going with the 'disable firewall for true static subnet' checked and all the forwarding/DMZ/NAT stuff turned off. Public IP on the firewall, pointing to Comcast gateway.

                                  • bazzacad

                                    Thanks for all the help trying to troubleshoot my internet issues everyone.
                                    I'm pretty sure I've narrowed the issue down to our internal Domain Controller/Bind DNS server.
                                    I discovered, if I changed a LAN workstation to use 1.1.1.1 as its DNS server, instead of our internal DNS, I could get to the internet just fine over the Comcast gateway. So I've posted a revised question over here if anyone is familiar with Bind/DNS: https://serverfault.com/questions/1011943/bind9-dns-lookups-stopped-working-after-upgrading-our-comcast-modem-gateway

                                      • bazzacad

                                        Ohhhhh, maybe the new Comcast Security Edge is blocking my DNS results like these guys...

                                        https://forums.businesshelp.comcast.com/t5/Domain-Names-Static-IP/transparent-dns-proxying-started-after-a-modem-swap/m-p/39845

                                        https://www.reddit.com/r/msp/comments/dikvta/comcast_securityedge/

                                        • bazzacad

                                          I was able to fix my DNS issues by putting BIND in forwarding mode & not allowing it to use the root authority servers.
                                          Seems Comcast SecurityEdge is blocking the root servers, but not 1.1.1.1 or 8.8.8.8

                                          • Gertjan @bazzacad

                                            @bazzacad said in No Internet after upgrading Comcast Business Gateway/modem:

                                            Seems Comcast SecurityEdge is blocking the root servers, but not 1.1.1.1 or 8.8.8.8

                                            Blocking root servers, I tend to say that that is a security issue. Comcast sells it the other way around ??

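
An added example, not written by anyone in this thread: a Python check for the situation the last posts describe, where a resolver behind the new gateway cannot get normal answers from the root servers. It classifies the reply to a query sent to a root server address as a genuine referral, a reply from an intercepting resolver, or no reply at all. The sample packets are constructed, and treating a set RA bit or a direct answer as interception is an assumed heuristic.

```python
import socket
import struct

ROOT_A = "198.41.0.4"  # a.root-servers.net

def build_query(name, qtype=1, txid=0x1234):
    """Encode a minimal DNS query (class IN) with the RD bit cleared."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify_root_reply(reply):
    """Classify what came back from a query addressed to a root server."""
    if reply is None:
        return "no_response"   # dropped on the path: iterative lookups cannot start
    if len(reply) < 12:
        return "malformed"     # shorter than a DNS header
    _txid, flags, _qd, ancount, nscount, _ar = struct.unpack("!HHHHHH", reply[:12])
    ra = bool(flags & 0x0080)  # "recursion available"; root servers never set it
    rcode = flags & 0x000F
    if rcode == 0 and ancount == 0 and nscount > 0 and not ra:
        return "referral"      # delegation to the TLD servers, as a real root sends
    if ra or ancount > 0:
        return "intercepted"   # a recursive resolver answered in the root's place
    return "unexpected"

def probe(server=ROOT_A, name="example.com", timeout=3.0):
    """Live check (needs network access): one UDP query, then classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(4096)
        except OSError:        # includes timeouts
            data = None
    return classify_root_reply(data)

# Constructed sample headers (not captured traffic): txid, flags, qd, an, ns, ar
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 13, 13)
SAMPLE_PROXIED = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0)
```

Running `probe()` from the DNS server itself and again from a host on the other WAN shows whether the difference follows the Comcast path; a result other than `referral` is consistent with the forward-only workaround being needed.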