Netgate Discussion Forum

    No Internet after upgrading Comcast Business Gateway/modem

    General pfSense Questions

      bazzacad @chpalmer

      @chpalmer
      Thanks for the links, they are helpful. I think I need to set the static route on the Comcast modem, but the instructions don't match the UI.

      The instruction says to enter the Destination IP, but the UI asks for the Destination Subnet.
      So I think the Destination IP/Subnet should be: 50.2xx.xxx.134 & the Subnet Mask should be 255.255.255.248. Does that look correct to you?

        bazzacad

        Or maybe turning on the DMZ & setting pfSense as the DMZ Host...?

          dotdash

          You should be able to just check the box to bypass the firewall for the true static ips.

            bazzacad @dotdash

            @dotdash
            Sorry, which box are you referring to? Enable DMZ?

              dotdash

              On the Comcast gateway, there should be a checkbox 'bypass firewall for true static ips' or something like that. Do you have a dynamic ip, or a static subnet?
              Never mind, should have read the whole thing. The static subnet also needs to be entered on the Comcast box 'public subnet' maybe? You shouldn't need to go into static routing, or use DMZ mode.

                bazzacad @dotdash

                @dotdash
                Thanks for the help.
                Yes the Comcast firewall is fully turned off.

                Sorry, I'm not sure what you mean by the static/public subnet. I'd think they'd configure that on their end. Where would I set that?

                  dotdash

                  On the older gateways, you look under gateway, firewall, ipv4, then check the box. If you see the public IP on the sheet they gave you under status, that should be all you need.
                  EDIT- yours looks like the one I have access to. You should be able to get it going with the 'disable firewall for true static subnet' checked and all the forwarding/DMZ/NAT stuff turned off. Public IP on the firewall, pointing to Comcast gateway.

                    bazzacad

                    Thanks for all the help trying to troubleshoot my internet issues everyone.
                    I'm pretty sure I've narrowed the issue down to our internal Domain Controller/Bind DNS server.
                    I discovered, if I changed a LAN workstation to use 1.1.1.1 as its DNS server, instead of our internal DNS, I could get to the internet just fine over the Comcast gateway. So I've posted a revised question over here if anyone is familiar with Bind/DNS: https://serverfault.com/questions/1011943/bind9-dns-lookups-stopped-working-after-upgrading-our-comcast-modem-gateway

                        bazzacad

                        Ohhhhh, maybe the new Comcast Security Edge is blocking my DNS results like these guys...

                        https://forums.businesshelp.comcast.com/t5/Domain-Names-Static-IP/transparent-dns-proxying-started-after-a-modem-swap/m-p/39845

                        https://www.reddit.com/r/msp/comments/dikvta/comcast_securityedge/

                          bazzacad

                          I was able to fix my DNS issues by putting BIND in forwarding mode & not allowing it to use the root authority servers.
                          Seems Comcast SecurityEdge is blocking the root servers, but not 1.1.1.1 or 8.8.8.8

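The observation in the post above (root servers unreachable while 1.1.1.1 and 8.8.8.8 answer) can be checked from the resolver host. This is an added example, not part of the original thread: it sends a non-recursive `. NS` query to a root server address and inspects the reply header. The function names, the verdict labels and the RA-bit heuristic are assumptions of this example; 198.41.0.4 is a.root-servers.net.

```python
import random
import socket
import struct

ROOT_A = "198.41.0.4"  # a.root-servers.net

def build_query(qid, name=".", qtype=2):
    """Non-recursive (RD=0) query, as an iterating resolver sends to a root; qtype 2 = NS."""
    header = struct.pack(">HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".") if p)
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def classify_root_reply(qid, data):
    """Judge a reply that claims to come from a root server address."""
    if data is None:
        return "no-response"              # dropped on path, or the server is unreachable
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:  # ID must match and QR must be set
        return "malformed"
    if flags & 0x0080:                    # RA set: root servers do not offer recursion
        return "intercepted"
    if flags & 0x0400 and ancount > 0:    # AA with answers: what a root sends for ". NS"
        return "authoritative"
    return "unexpected"

def probe(server=ROOT_A, timeout=3.0):
    """Send the query over UDP and classify whatever comes back."""
    qid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(qid), (server, 53))
            data, _ = sock.recvfrom(4096)
        except OSError:                   # includes timeouts
            data = None
    return classify_root_reply(qid, data)

# Constructed 12-byte reply headers (not captured traffic) for offline checks.
SAMPLE_ROOT = struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 13, 0, 0)   # QR+AA, 13 answers
SAMPLE_PROXY = struct.pack(">HHHHHH", 0x1234, 0x8080, 1, 13, 0, 0)  # QR+RA, no AA

if __name__ == "__main__":
    print("sample root :", classify_root_reply(0x1234, SAMPLE_ROOT))
    print("sample proxy:", classify_root_reply(0x1234, SAMPLE_PROXY))
    print("live probe  :", probe())
```

A `no-response` verdict for root addresses while a public resolver still answers matches what the posters describe; `intercepted` means the reply carried the recursion-available bit, which a root server does not set.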
                            Gertjan @bazzacad

                            @bazzacad said in No Internet after upgrading Comcast Business Gateway/modem:

                            Seems Comcast SecurityEdge is blocking the root servers, but not 1.1.1.1 or 8.8.8.8

                            Blocking root servers, I tend to say that that is a security issue. Comcast sells it the other way around ??

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                              chpalmer

                              I do believe my 5 year old learned a new cuss word tonight as I read this..

                              Triggering snowflakes one by one..
                              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                pendragonsound @chpalmer

                                Upgraded Comcast Business service to higher speed several days ago - worked great. Begged them not to add SecurityEdge on a well-educated hunch. "Sorry, you get it whether you want it or not".

                                Last night and completely unannounced, Comcast updated the modem firmware and flipped on SecurityEdge. Complete disaster. Had the same local DNS problems as described above, with BIND complaining of non-improving referrals, rendering most on-site/off-site access useless. Temporarily switched it to forwarding with absolutely dreadful latency.

                                Played CSR roulette until I found someone who had previously run into plethoras of SecurityEdge incompatibilities. They immediately escalated this to the next tier and within four hours SecurityEdge was disabled for the account. Surprise - once I restored the original DNS config, everything worked perfectly.

                                SecurityEdge appears to have been developed by kindergartners with no technical understanding of what they were doing. I'm being kind.

                                  bazzacad

                                  Thanks so much for confirming what I've been finding. I'll get it removed.

                                    pendragonsound

                                    Update: with SecurityEdge turned off, our system ran great for a day and a half. Then Comcast turned SecurityEdge back on for some unknown reason. The next CSR could see it was supposed to be turned off, but couldn't get it fixed. Escalated again, but 24 hours later SecurityEdge still hasn't been turned off.

                                    I've configured DNS forwarding as a workaround, but at best it's slow and at worst domains aren't resolving properly. This is all caused by SecurityEdge being in the loop and no direct way to outflank it. My whole day is now racing from machine to machine trying to solve each individual problem. With many flavors of Linux running in our configuration, this is surely a headache. If this persists we'll move to another ISP ASAP. I'm not going to tunnel DNS just to get around this.

                                    Disclaimer: We don't use pfSense, but this forum was one of the most informed places I found with useful information on the SecurityEdge problem, so I thought I would contribute back what I've learned.

                                      chpalmer @pendragonsound

                                      @pendragonsound said in No Internet after upgrading Comcast Business Gateway/modem:

                                      Disclaimer: We don't use pfSense, but this forum was one of the most informed places I found with useful information on the SecurityEdge problem, so I thought I would contribute back what I've learned.

                                      Much appreciated!
