Multiple Static IPs Comcast - Recommended Equipment Please



  • If any recommendation is necessary that is.

    I've very recently switched from (or will once the residential is cancelled, I'd like to know if I have what it will take to make it all work and worth the extra $$/mo.) Comcast residential to business with 5 static IPs (seems fairly common from the searches I could and did do here).

    It started off as simply wanting to have another dynamic IP (so my son and I could play on clients per IP limited servers, etc.) but seeing Comcast no longer offers more than 1 dynamic on a residential, here I am. <grin>I'm attempting to get my ducks in a row and with an extremely limited knowledge set regarding networking, I think I'm getting overwhelmed, but, I will not quit….

    This is what I have equipment wise:

    A bare metal with ESXi with i350-T4 NIC in it.  While I built this to "toy around on" and run a game server under one VM, I'll hopefully have the ability to use it to its fullest extent.  Or so I'm hoping which leads me to the post.

    Current Setup (as it was run on the residential):
    SB6141 Modem -> pfSense box (naturally) -> 1810G-24 (J9450A) -> Trendnet Gigadumb switch -> Computers

    For the business, they stuck me with the Cisco DPC3941.  I watched this video:

    Youtube Video

    And I believe I have a firm enough understanding of what I need to do in order to use one WAN NIC port on the pfSense box to one LAN NIC port (it's an Intel dual gigabit server NIC, though not certain on the model as it's been in the box for 3 years now chugging along nicely for my residential setup), by using Virtual IPs and 1:1 routing.  However.  Again with my limited knowledge, given the LAN-side IPs that the video suggests (in the same subnet - am I using that terminology correctly? pathetic I know, truly sorry to come here with such limited knowledge, I'm "starting out" in this realm), it seems that even though I'll now be able to run, say, two webservers (port 80) as they'll be going to separate IPs (192.168.1.12 and 192.168.1.13 for example), because they're on the same subnet, they'll be able to talk to one another.  I'd rather not have this, as eventually, I plan to hopefully recoup a little extra $ to offset the increase in cost of business class by offering up a pretty decent VM on the ESXi box by "renting" it out to someone interested in running a small'ish Minecraft server.  So, I don't want them to have access to MY network.

    From what I've read thus far, I'll need to set up virtual LANs.  However, will my pfSense handle such routing?  (The pfSense box being an Intel(R) Celeron(R) CPU G530 @ 2.40GHz with 4GB of DDR3 PC1600 RAM and 80GB SSD, I have 8GB of RAM available to put into it if necessary or even if it isn't and is just recommended).

    I don't mind buying a little bit more hardware, if it's better to go that route.  Or will what I have probably "do the trick?"  I'm still in my 30 day window (now only 25 days) to cancel business class if I don't think I can or have what it takes to make this happen.  So, picture me pleading for assistance of whom I consider the masters of networking here (no seriously).

    Any and all assistance is greatly appreciated and, I won't try to kid anyone, needed.

    PS - I haven't a clue how to set up VLANs and not entirely sure if my Procurve will do that?  I bought it because I wanted a good switch (or at least better than some el cheapo consumer) to ensure it would function and handle all the connections going to it.  I never thought I'd possibly be implementing VLANs and going as far as I have already.  I get the feeling this is going to be a somewhat deep rabbit hole, but, I refuse to be intimidated.</grin>


  • LAYER 8 Netgate

    What, precisely, did Comcast give you as your WAN subnet mask, gateway, and available addresses? Obfuscate if you want but details are important. Don't change the last octets of any of them.

    As long as the new modem is just a modem you're overthinking it (and being borderline tl;dr). It's just a matter of defining the VIPs and port forwarding, 1:1, and outbound NAT for the inside addresses as desired.

    That is, as long as it's still a bridge modem and is just a /29 WAN subnet.



  • Derelict,

    I appreciate the response.  I admit, I'm sweating the details, mainly because of the 30 day cancellation window closing (albeit, I'd naturally like to get this working and not cancel).  Port forwarding?  Bah, the video I linked implied that port forwarding shouldn't be used with 1:1, that may have been the source of my over analyzing (borderline tl;dr).  Regardless here is the information you requested:

    Gateway IP:  xxx.xxx.xxx.238
    Subnet Mask: 255.255.255.248
    Static IPs:  xxx.xxx.xxx.233-237

    It's the DPC3941B with 4 gigabit ethernet connections.  The configuration GUI is, well, leaves little to be desired, but I suspect there are far worse out there? (that's me attempting optimism).


  • LAYER 8 Netgate

    If you want everything coming in for one public IP address to be forwarded to a particular private address, use 1:1.

    If you want to forward different ports on a single public IP address to different inside IP addresses, use port forwarding.

    Use outbound NAT to send specific matching outbound traffic sourced from a specific public IP address.

    You can generally use 1:1 NAT and port forwarding together. The port forward will be honored then everything else will be sent to the 1:1 NAT host.

    What you were given looks like a standard /29.

    Set .238 as the default gateway, pick one of 233-237 as the interface's address, set the netmask to /29, and create VIPs for the other four.

    Which VIP type is best depends on what you're trying to do.

    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses



  • I don't know if these will be of any use to help with the specifics of recommended configuration, and while these refer to different gateways, it seems Comcast's routing schemes don't differ regardless of gateway they provide:

    http://forums.businesshelp.comcast.com/t5/Equipment-Modems-Gateways/True-Bridge-Mode/td-p/13330

    and within that thread was the "solution" which I assume I'll want to follow:

    http://forums.businesshelp.comcast.com/t5/Equipment-Modems-Gateways/SMC-business-class-gateway-in-bridge-mode-with-Static-IPs/m-p/11115#M1287

    What I'm after is this:

    I'd like to use at least three static IPs that I was provided (though I suppose setting them all up wouldn't hurt).

    Public facing Static IP:

    1 -> Household stuff (xbox, computer games, plex server, etc.)
    2 -> Port on a quad NIC of an ESXi box for a webserver, gameserver, FTP, VNC, etc.
    3 -> Different port on that same quad NIC for gameserver

    But.  I'd prefer that static IP #2 and #3 not have access (for the lack of better understanding of terminology, my apologies) to computers/devices that "run" on IP 1.  And forwarding of ports would be done in at least the case of IP 1 (to Plex, xbox, etc.)

    I am running the latest release (according to pfSense 2.3.2-RELEASE) as that may be helpful information.

    I'll certainly refer to the link you provided (and much much more), however, for now, it may as well be in an alien language.  If it's not too much trouble, for now just so that I can start using the business class (and drop the residential so I can stop paying for that), could you hold my hand a bit please?  Trust me when I tell you, I don't wish to remain ignorant and I will learn (albeit I suspect it will take some time, otherwise you guys wouldn't get paid well if anyone could learn in no time flat right? heh).

    Don't get me wrong, your help thus far is invaluable and greatly appreciated.


  • LAYER 8 Netgate

    So you have both services installed at the same place now?

    If so I would ENABLE THE FIREWALL on my MacBook then statically set the ethernet interface to X.X.X.233/29 with a default gateway of X.X.X.238 and see if I had internet.

    That posting makes it appear that once you get the SMC properly configured (kind of outside the scope of this forum. That link looks like where you should be for that) you will be good to go. As long as the SMC will serve multiple IP addresses to one MAC address (which it should) it should be just a standard static /29 on pfSense WAN with VIPs.

    If you really want public IP addresses going to ESXi without firewalling, just statically configure those VMs with another address on the /29 (don't use that address as a VIP or it will conflict) and connect that ESXi port to the SMC. It will not go through pfSense at all.

    There is really no good way to put addresses from your /29 through to ESXi via pfSense. You will end up bridging pfSense WAN with another interface. To do this correctly you would want to get another IP subnet ROUTED to the pfSense WAN address. You could then put that subnet on a local interface, disable NAT for it, and VMs could get real, public IP addresses.

    I would probably just NAT in your case.



  • Ok, I believe things are coming together in my mind about this now.

    I will want to firewall (deny all, port forward the ports I do want open then I guess?) IP 2 and IP 3, that way those VMs/servers aren't wide open, allowing only the ports that are to be used to, well, be used.

    I think I understand (now that I know port forwarding can be done with 1:1 NAT, as suggested in that video) how to go about setting up the VIPs.  However, I'm still unclear on which to choose, I think Alias is what I may want to do?

    5 Static IPs
    1 Static IP for household devices (port forwarding to be used for these as I don't wish to be wide open)
    1 Static IP for one VM server/port (port forwarding also, again don't want it wide open)
    1 Static IP for another VM server/port (again, same as above)

    Not repeating myself for your sake so much as for my own sanity.



  • @Derelict:

    So you have both services installed at the same place now?

    I'm glad you asked this.  Currently, I have both residential and business, correct.  I'll want to nix the residential once business is setup at least well enough so that Static IP 1 can be used for household devices (to keep the family happy).

    However, that question of yours reminded me that I could still hotspot my phone to my laptop to test into business class.  So thank you for that.


  • LAYER 8 Netgate

    The link above details what all the VIP types do. In general IP Alias is a good choice.



  • Ok.  I may avoid "renting" out the one VM, as from what I can tell, it would require VLAN'ing and that will, from what I've read, take getting a layer 3 switch at a minimum.  A used/pulled/out of lease 3570G-24 would run around $170ish.  Not too bad really, but, would lose the point in renting out the VM which was to offset the difference in price being paid (additionally) for the business class.

    However, with that in mind.

    I've got pfSense setup for the business class.  DG: xxx.xxx.xxx.238, with pfSense having WAN IP of xxx.xxx.xxx.237.  All devices connected to the procurve (connected to the LAN of pfSense) when googling a "what is my ip" results in xxx.xxx.xxx.237 as I would expect.  Cool,… progress (even if insignificant to anyone here, I feel a resounding feeling of success lol).  So, let's try that port forwarding of VM1 which has a LAN IP of 192.168.1.6

    http://i.imgur.com/tGXKmr6.jpg

    Does that look right?  Those are ports for the game server (aside from 3306 of course we know what that is).

    Using the client from the residential line, it appears to try to connect to the server, but, doesn't.  So I did a "what is my ip" from the server's browser.  xxx.xxx.xxx.237 hmmm.. I was hoping for xxx.xxx.xxx.233

    Now, I could go 1:1 NAT as suggested, but, it was noted that would allow ALL traffic to/from that server VM.  So I disabled the port forwarding (not sure it was necessary probably not from what I read), and did a 1:1 NAT, for xxx.xxx.xxx.233 <-> 192.168.1.6  -- zinga!  success, googling "what is my ip" resulted in xxx.xxx.xxx.233, however, now I'm wide open right?  That's not good.

    So, back to port forwarding?  If so, is my port forwarding setup wrong?  Or, is that what Firewall -> NAT -> Outbound is for?  Seems like it -might- be, though I'm uncertain how to configure that.

    Thus, for all intents and purposes, let's just ignore isolating the VMs from the rest of the LAN.  That I'll save for a better day, armed with far more knowledge.  For now, I'd just be happy getting VM1 to/from traffic of 192.168.1.6 <-> xxx.xxx.xxx.233 while having a firewall in place (i.e. deny all, but specify what IS allowed).

    Assistance is greatly appreciated.



  • Ok, just adding onto this a little.

    I'm perplexed.  From how I understand things, a 1:1 NAT is simply saying, "whatever comes to/from xxx.xxx.xxx.233, do to/from 192.168.1.6" BUT, also in many of the same posts (not just here, I'm trying to utilize many resources to soak up knowledge), it seems that, while that's all well and good, I would still NEED to set up the "allows" of what traffic (port traffic) is ALLOWed to/from xxx.xxx.xxx.233 / 192.168.1.6

    If that's the case, then, any ideas of why when I setup a 1:1 NAT for xxx.xxx.xxx.233 <-> 192.168.1.6, ports that the gameserver used were able to be accessed/"talked to" from the game client (being run off the residential, so definitely not an internal LAN IP, thus "outside") when I hadn't set up any rules?

    This leads me to believe maybe I missed a step in creating the 1:1 NAT, which is I suppose allowing all traffic right from the get go?  That's not good or desired. :p

    Yeah, here is a post from jimp:

    https://forum.pfsense.org/index.php?topic=84214.msg461907#msg461907

    Where he states, "The ports are not automatically exposed: 1:1 NAT maps all the external ports on that IP to the internal IP but you must still have firewall rules to allow the traffic to reach the local server."

    I have no idea then how I was able to login to my gameserver, when all I had was the 1:1 NAT (Firewall -> NAT -> 1:1).  :(

    A screenshot of the 1:1 NAT for xxx.xxx.xxx.233 <-> 192.168.1.6 in case it might help anyone follow along/assist:

    http://i.imgur.com/td2mnyw.jpg


  • LAYER 8 Netgate

    If the ports are not open you cannot connect from the outside despite what NAT rules you have in place.

    Did you enable UPnP or something?

    You're using both of these in the same place. Sure they're not sharing the same LAN somehow?

    You do not need a Layer 3 switch to use VLANs. VLANs are Layer 2. You just need a managed switch. You can get a 5-port managed switch for under $40. 8-port for under $50.



  • @Derelict:

    If the ports are not open you cannot connect from the outside despite what NAT rules you have in place.

    Did you enable UPnP or something?

    Not to my knowledge, I'll try to find where that/those settings may be though.

    @Derelict:

    You're using both of these in the same place. Sure they're not sharing the same LAN somehow?

    I'm positive.  I used a laptop connected directly (and barely, ugh I know) to the residential cable modem, which ran the game client.  The game server is indeed on the business line via Procurve switch via pfSense.

    @Derelict:

    You do not need a Layer 3 switch to use VLANs. VLANs are Layer 2. You just need a managed switch. You can get a 5-port managed switch for under $40. 8-port for under $50.

    Oh, well… that is -very- nice to read then.  I have one of those, the HP Procurve 1810G-24 I have is Layer 2.  (But for now, I'm putting off the VLAN'ing, as I don't plan to "rent" out a VM at this time, the VM we're discussing now is going to run -my- game server)

    *Ok, found Services -> UPnP & NAT-PMP

    http://i.imgur.com/cwCYmFY.jpg

    http://i.imgur.com/mDox44U.jpg

    I really have no idea what on my net is using .200, if anything?  Pinging it results in nothing, maybe something that was once on my LAN (it's outside the DHCP range, that has existed on this thing for 3-4 years, so was something statically assigned at some point).  Would the UPnP the way it is configured have caused me outside access to xxx.xxx.xxx.233 <-> 192.168.1.6  ?

    So you confirm, even if I have 1:1 NAT set, until I open the ports (via Firewall -> Rules -> WAN and/or Firewall -> NAT -> Port Forward, if I'm understanding things correctly) it should NOT be able to be accessed from the outside.  Then, I am definitely at a loss with my limited knowledge. :/

    All I can do is help with showing my configs and I'll do so gladly.


  • LAYER 8 Netgate

    UPnP and NAT-PMP allow things inside your network (like gaming consoles and malware) to open inbound firewall rules.

    Most who care about security consider them to be something of a bad idea. Hence they are both disabled by default.



  • @Derelict:

    No idea. you need to pass the ports you need to pass. This thread should probably be split into Gaming.

    I know the ports I need to pass, just not quite sure the method of doing so.

    TCP       3360       -> 192.168.1.6 -> xxx.xxx.xxx.233 (VIP)
    TCP/UDP   5998-5999  -> 192.168.1.6 -> xxx.xxx.xxx.233 (VIP)
    TCP/UDP   7778       -> 192.168.1.6 -> xxx.xxx.xxx.233 (VIP)
    UDP       7000-7500  -> 192.168.1.6 -> xxx.xxx.xxx.233 (VIP)

    I mean, port forwarding I'm comfortable with.  But doing just that, still results in the game server (VM) resulting in showing xxx.xxx.xxx.237 when a "what is my ip" via browser (pfSense's WAN) vice xxx.xxx.xxx.233 (VM's VIP)


  • LAYER 8 Netgate

    To choose a specific VIP for outbound connections you need outbound NAT, not port forwards.

    Unless you have a 1:1 in place that matches.
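
The 1:1 / port forward / outbound NAT ordering Derelict describes here and earlier in the thread, written up as a small Python model (an added example, not the poster's configuration and not pfSense code). 203.0.113.x is the RFC 5737 documentation range standing in for the redacted /29; `PfSenseModel` and the helper functions are hypothetical names, while 192.168.1.6 and the game ports come from the thread. It reproduces why port forwards alone left the VM appearing as .237, why 1:1 alone was blocked without WAN rules, and how UPnP opened the ports anyway.

```python
"""Toy model of how pfSense orders port forwards, 1:1 NAT, outbound NAT and
WAN rules. Added example for this thread, not the poster's config or pfSense
code. 203.0.113.x (RFC 5737 documentation range) stands in for the redacted
xxx.xxx.xxx /29; 192.168.1.6 and the game ports are taken from the thread."""
from dataclasses import dataclass, field

WAN_IP = "203.0.113.237"      # pfSense WAN interface address (.237 in the thread)
VIP = "203.0.113.233"         # IP Alias VIP meant for the game server (.233)
GAME_SERVER = "192.168.1.6"   # real LAN address of the VM
GAME_PORTS = [("tcp", 3306, 3306), ("tcp", 5998, 5999), ("udp", 5998, 5999),
              ("tcp", 7778, 7778), ("udp", 7778, 7778), ("udp", 7000, 7500)]

@dataclass
class PfSenseModel:
    one_to_one: dict = field(default_factory=dict)     # public -> private (1:1 NAT)
    port_forwards: list = field(default_factory=list)  # (proto, public, lo, hi, private)
    outbound_nat: dict = field(default_factory=dict)   # private -> public source
    wan_rules: list = field(default_factory=list)      # (proto, private_dst, lo, hi) passes

    def inbound(self, proto, dst, port):
        """New connection from the Internet hitting WAN. Returns (host, verdict)."""
        target = None
        for p, pub, lo, hi, priv in self.port_forwards:   # port forwards are honoured first
            if p == proto and pub == dst and lo <= port <= hi:
                target = priv
                break
        if target is None:
            target = self.one_to_one.get(dst)             # then 1:1 catches everything else
        if target is None:
            return None, "no NAT match"
        # NAT only rewrites the destination. WAN rules are matched against the
        # translated (private) destination, and the WAN default policy is deny.
        for p, host, lo, hi in self.wan_rules:
            if p == proto and host == target and lo <= port <= hi:
                return target, "allowed"
        return None, "blocked: no WAN rule"

    def outbound_source(self, src):
        """Public address a connection INITIATED by a LAN host appears to come from."""
        for pub, priv in self.one_to_one.items():
            if priv == src:
                return pub                               # 1:1 rewrites outbound as well
        return self.outbound_nat.get(src, WAN_IP)        # else outbound NAT, else WAN IP

    def upnp_open(self, proto, host, port):
        """What UPnP/NAT-PMP lets a LAN host do on its own: add a forward plus pass rule."""
        self.port_forwards.append((proto, WAN_IP, port, port, host))
        self.wan_rules.append((proto, host, port, port))

def port_forward_only():
    """Port forwards on the VIP; each forward's associated rule passes the traffic."""
    fw = PfSenseModel()
    for proto, lo, hi in GAME_PORTS:
        fw.port_forwards.append((proto, VIP, lo, hi, GAME_SERVER))
        fw.wan_rules.append((proto, GAME_SERVER, lo, hi))
    return fw

def one_to_one_only():
    """1:1 NAT .233 <-> 192.168.1.6 with no WAN rules (the thread's first attempt)."""
    fw = PfSenseModel()
    fw.one_to_one[VIP] = GAME_SERVER
    return fw

def one_to_one_with_rules():
    """1:1 NAT plus explicit WAN pass rules for the game ports (what finally worked)."""
    fw = one_to_one_only()
    for proto, lo, hi in GAME_PORTS:
        fw.wan_rules.append((proto, GAME_SERVER, lo, hi))
    return fw
```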



  • I have a 1:1 in place:

    http://i.imgur.com/Yc8szPa.jpg

    I have these port forwards (whether or not it's done correctly, I don't know, never did port forwarding on VIP's before):

    http://i.imgur.com/KQKBvwt.jpg

    So, now all that is left (if I am following correctly and assume the port forwards above are correct as well), is to make Outbound NAT rules, which, I'm completely lost on (the format it shows for the ones that do exist makes sense, the moment I press "Add" and am presented with that screen, I'm lost).  I filled in what I think is right, thus far, but not sure of what else should go where on this screen:

    http://i.imgur.com/BZNwfld.jpg


  • LAYER 8 Netgate

    What is the real, assigned IP address on the "game server (VM)"? Not the address that's port forwarded, not the address you want it to appear as on the internet, the real IP address on your network for that server.

    What, exactly, do you want to happen for inbound connections to that VM?

    What, exactly, do you want to happen for outbound connections from that VM?

    Be specific. Ports, destinations, everything.

    This all really does work. It does exactly what you tell it to do.



  • @Derelict:

    What is the real, assigned IP address on the "game server (VM)"? Not the address that's port forwarded, not the address you want it to appear as on the internet, the real IP address on your network for that server.

    192.168.1.6 (LAN) that's the real address of the VM

    @Derelict:

    What, exactly, do you want to happen for inbound connections to that VM?

    I want inbound to be able to connect via the game server's (software) ports it's listening to and using to receive/send data for that game.  Specifically ports:

    TCP 3306
    TCP/UDP  5998-5999
    TCP/UDP 7778
    UDP 7000-7500

    @Derelict:

    What, exactly, do you want to happen for outbound connections from that VM?

    I want them to go to the player connecting from the Internet, using the same ports they came in on.

    But I want their game client to "go" to xxx.xxx.xxx.233 and I want the server to respond back to them as xxx.xxx.xxx.233

    @Derelict:

    This all really does work. It does exactly what you tell it to do.

    Of that I have no doubt.  I'm just not fluent in its language unfortunately. :/  If I didn't address a parameter you were seeking, please let me know.  I AM trying though, I promise you.


  • LAYER 8 Netgate

    You do not have to do anything to get replies to go back out the IP address the connection came in on.

    That is completely disconnected from the IP address you get when INITIATING A CONNECTION from the same host.



  • @Derelict:

    You do not have to do anything to get replies to go back out the IP address the connection came in on.

    That is completely disconnected from the IP address you get when INITIATING A CONNECTION from the same host.

    Ok.

    Well, at this point.  I have a 1:1 NAT setup.

    http://i.imgur.com/Yc8szPa.jpg

    So simply setting up Port Forwarding should allow the game server to, serve the game.

    That didn't do the trick.

    So I figured there was MORE I had to do.

    See, this is what I did (Port Forwarding):

    http://i.imgur.com/tGXKmr6.jpg

    The client still cannot connect successfully.  Now, when I had just the 1:1 NAT and UPnP enabled, things worked, but, as you noted, UPnP is bad.  So it's disabled.

    I may be way off, but I sense a frustration.  I'm sorry, I'm clueless.  But, I'll admit that over and again.



  • Zinga.

    It's working.

    At some point, likely while trying to figure out how to make the ISP provided gateway a "dumb modem" or "pass-through" (according to what I've read), since it is unable to go into "true bridged mode" without losing its configuration for static IPs, I managed to deviate from the original video in my OP.

    After the 1:1 NAT, I should have (and have now done) added the Firewall -> Rules, manually.  I did that in accordance with the video and, it works.  No Firewall -> NAT -> Port Forward, no Firewall -> NAT -> Outbound NAT, just Firewall -> Rules -> WAN.

    Ugh.  I'm sure there are some following giving the ole "SMH" and perhaps I will later down the line as well as I continue to learn, not just -what- to do, but why.  However, for now, I'm just happy things are working.  I feel comfortable I'll keep the business line and can now call tomorrow to cancel the residential.

    Derelict, I do greatly appreciate your assistance.  I hope I didn't frustrate you/matters too much.  I'll learn to walk one day, much less, get out of diapers.  And I promise to pay it forward once I know my knowledge is sound and am within my limits to assist properly.

