No Internet after upgrading Comcast Business Gateway/modem



  • We have always had a Comcast Business Gateway/modem setup as a dual-WAN in pfSense (Netgate XG-7100, 2.4.4-p3) & it was working fine.
    We just upgraded our service & they switched out the modem, looks like the same box, but maybe with newer firmware.
    After they installed the new modem we could no longer reach the internet when it was set as the default gateway in pfSense. If I plug my laptop into it directly I can get to the internet. We have a static IP address assigned to it & pfSense shows the gateway & interface are online. I can't figure out what changed when the modem was switched. The modem is not in bridge mode, as that never works with Comcast. Any suggestions as to what I may need to change?

    [screenshots]



  • And the answer is here :

    [screenshot]

    We know it's one of these (because we all have the same RFC 1918 IP ^^^^ ):

    [screenshot]

    but ... not sure.

    When you connected a PC to the ComCast router, normally, everything worked right away.
    That is, when you buy a PC, the default network setting is : use DHCP to get an IP/Gateway/DNS etc. You have tested this.
    Guess what : every device on earth works like this !! And this includes pfSense. Which means : the WAN interface is set up as DHCP (client) as a default, so : hook up the WAN interface to an upstream router, and it will get assigned an IP/Gateway and even a DNS (but pfSense doesn't use the upstream DNS, it prefers to look at the DNS root servers).
    One exception : if pfSense is using the default 192.168.1.0/24 on its LAN, and the upstream router offers an IP out of an identical network range 192.168.1.0/24, then routing is broken.
    Like assigning yourself a WAN IP that is used by the NSA, and being surprised that nothing works (and asking yourself why all those black helicopters are circling above your house).

    An issue might be : you have two WAN interfaces now !?
    Adding a second WAN doesn't change the default gateway, it should still work.
    You're not saying anything about this first WAN interface. It worked before ? Does it have the same RFC 1918 IP ?

    What do you have here :

    [screenshot]



  • Thanks for the reply.
    No my interface isn't in the 10.1.10.X local IP range.
    It's the public static IP Comcast has given to me, the same goes for my other WAN interface.
    [screenshot]

    And the gateways are set up like so.
    [screenshot]

    The other "WANGW" is working fine. If I set it to be the default, the internet works fine. If I change the default to "CMSTGW" then I can no longer access the internet.



  • If the Comcast modem is not in bridge mode, then it's using a NAT'ed IP and not the public one.



  • @Cool_Corona
    I just tried this, but it didn't allow it. Should I be setting it to something else?
    [screenshots]



  • [screenshot]

    You can't do that.
    Change the setting of the WANCMST interface to "DHCP"

    if your WANLMI WAN interface has also a router in front of it - not some device in 'bridge' mode, you should do the same for that interface.



  • If it's in NAT mode, then as @Gertjan stated, use DHCP to get the new lease.



  • OK, I tried as you said, but then I could no longer ping or SSH into my public IP from the outside.

    [screenshots]



  • @bazzacad said in No Internet after upgrading Comcast Business Gateway/modem:

    @Cool_Corona
    I just tried this, but it didn't allow it. Should I be setting it to something else?
    [screenshot]

    Could work, if you finished the setup ;) If all incoming traffic is NATted from 50.2xxx.xxx.130 to 10.1.10.1 - then you should set your pfSense WAN IP to static and set it to 10.1.10.1 etc.
    Basically, the DMZ option (left menu) offers you identical functionality.

    @bazzacad said in No Internet after upgrading Comcast Business Gateway/modem:

    but then I could no longer ping or SSH into my public IP from the outside.

    You are aware of the fact that you have a router (pfSense) in front of the router (ComCast) ?

    So, when the ICMP comes in, what is the first router that packet meets ? The ComCast Router !! Right ?!
    So : question back : does the ComCast router reply to ICMP ? This is probably an option to set in this router.

    My router has this option :

    [screenshot]

    It says : should the (ISP) router reply to ping : yes or no.

    Or, another possibility : use plain old NAT.
    Add a NAT rule using the ICMP protocol (NOT TCP, NOT UDP) - The ICMP doesn't use ports. The destination IP should be the IP that ComCast assigned to pfSense. In this case, the ComCast router just forwards incoming ICMP packets to pfSense, and you have to set up pfSense to deal with it.

    NATting TCP and UDP is classic. Every router on planet earth can handle that. ICMP NATting is less known. Only the manual of your router - or you looking through the GUI menus, will tell if it is possible.

    Btw : NATting is an ancient thing, and needed for IPv4 stuff.
    When you start to use IPv6, you can throw away the NAT knowledge.
    ( and be ready to learn 'new' things - loads of it )





  • @chpalmer
    Thanks for the links, they are helpful. I think I need to set the static route on the Comcast modem, but the instructions don't match the UI.

    The instruction says to enter the Destination IP, but the UI asks for the Destination Subnet.
    So I think the Destination IP/Subnet should be: 50.2xx.xxx.134 & the Subnet Mask should be 255.255.255.248. Does that look correct to you?

    [screenshots]



  • Or maybe turning on the DMZ & setting pfSense as the DMZ Host...?

    [screenshot]



  • You should be able to just check the box to bypass the firewall for the true static IPs.



  • @dotdash
    Sorry, which box are you referring to? Enable DMZ?



  • On the Comcast gateway, there should be a checkbox 'bypass firewall for true static IPs' or something like that. Do you have a dynamic IP, or a static subnet?
    Never mind, should have read the whole thing. The static subnet also needs to be entered on the Comcast box, 'public subnet' maybe? You shouldn't need to go into static routing, or use DMZ mode.



  • @dotdash
    Thanks for the help.
    Yes, the Comcast firewall is fully turned off.
    [screenshot]

    Sorry, I'm not sure what you mean by the static/public subnet. I'd think they'd configure that on their end. Where would I set that?



  • On the older gateways, you look under gateway, firewall, ipv4, then check the box. If you see the public IP on the sheet they gave you under status, that should be all you need.
    EDIT- yours looks like the one I have access to. You should be able to get it going with the 'disable firewall for true static subnet' checked and all the forwarding/DMZ/NAT stuff turned off. Public IP on the firewall, pointing to Comcast gateway.



  • Thanks for all the help trying to troubleshoot my internet issues everyone.
    I'm pretty sure I've narrowed the issue down to our internal Domain Controller/Bind DNS server.
    I discovered that if I changed a LAN workstation to use 1.1.1.1 as its DNS server, instead of our internal DNS, I could get to the internet just fine over the Comcast gateway. So I've posted a revised question over here if anyone is familiar with Bind/DNS: https://serverfault.com/questions/1011943/bind9-dns-lookups-stopped-working-after-upgrading-our-comcast-modem-gateway







  • I was able to fix my DNS issues by putting BIND in forwarding mode & not allowing it to use the root authority servers.
    Seems Comcast SecurityEdge is blocking the root servers, but not 1.1.1.1 or 8.8.8.8
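    The failure mode described in this thread (queries to the root servers go unanswered while public resolvers such as 1.1.1.1 still respond) can be confirmed from a LAN host before touching the BIND configuration. The script below is an added example written for this thread, not code from the thread or from Netgate or ISC: it hand-builds a DNS query with the standard library, sends one to a root server and one to a public forwarder, and classifies each reply. The root server address (198.41.0.4, a.root-servers.net) and the probe names are my assumptions; everything else the script needs is constructed inline.

```python
"""Probe whether DNS queries to a root server are answered, compared with a
public forwarder. Added example; not part of the original thread."""
import socket
import struct
from typing import Optional

ROOT_SERVER = "198.41.0.4"   # a.root-servers.net (assumed well-known address)
FORWARDER = "1.1.1.1"        # public resolver mentioned in the thread


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Encode a single-question DNS query (class IN). qtype 1 = A, 2 = NS."""
    flags = 0x0100 if rd else 0x0000           # RD bit only; QR/AA/TC clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [label for label in name.rstrip(".").split(".") if label]
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    qname += b"\x00"                            # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header: id, flags and the four section counts."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),    # QR bit
        "rcode": flags & 0x000F,
        "answers": an,
        "authority": ns,
        "additional": ar,
    }


def classify(resp: Optional[bytes], txid: int) -> str:
    """Turn a raw reply (or None on timeout) into a one-word verdict."""
    if resp is None:
        return "timeout"        # nothing came back: filtered upstream or unreachable
    h = parse_header(resp)
    if h["txid"] != txid or not h["is_response"]:
        return "bogus"          # not a reply to the query we sent
    if h["rcode"] != 0:
        return f"rcode={h['rcode']}"
    if h["answers"] > 0:
        return "answer"         # recursive resolver gave us records
    if h["authority"] > 0:
        return "referral"       # authoritative/root server pointed us onward
    return "empty"


def probe(server: str, name: str, qtype: int = 1, timeout: float = 2.0) -> str:
    """Send one UDP query to server:53 and classify the result."""
    txid = 0x2A2A
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            resp = None
    return classify(resp, txid)


if __name__ == "__main__":
    # A healthy path gives a referral from the root server (NS for "com.")
    # and an answer from the forwarder. "timeout" on the root line with
    # "answer" on the forwarder line matches the symptom in this thread.
    print("root   NS com.          ->", probe(ROOT_SERVER, "com.", qtype=2))
    print("1.1.1.1 A example.com   ->", probe(FORWARDER, "example.com"))
```

    If the root probe times out while the forwarder answers, the BIND-side workaround the post above describes is to stop iterating from the roots: in the `options` block of named.conf set `forward only;` together with a `forwarders { 1.1.1.1; 8.8.8.8; };` list (the directives are ISC BIND's own; the resolver addresses are the ones named in this thread).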



  • @bazzacad said in No Internet after upgrading Comcast Business Gateway/modem:

    Seems Comcast SecurityEdge is blocking the root servers, but not 1.1.1.1 or 8.8.8.8

    Blocking root servers, I tend to say that that is a security issue. Comcast sells it the other way around ??



  • I do believe my 5 year old learned a new cuss word tonight as I read this..



  • Upgraded Comcast Business service to higher speed several days ago - worked great. Begged them not to add SecurityEdge on a well-educated hunch. "Sorry, you get it whether you want it or not".

    Last night and completely unannounced, Comcast updated the modem firmware and flipped on SecurityEdge. Complete disaster. Had the same local DNS problems as described above, with BIND complaining of non-improving referrals, rendering most on-site/off-site access useless. Temporarily switched it to forwarding with absolutely dreadful latency.

    Played CSR roulette until I found someone who had previously run into plethoras of SecurityEdge incompatibilities. They immediately escalated this to the next tier and within four hours SecurityEdge was disabled for the account. Surprise - once I restored the original DNS config, everything worked perfectly.

    SecurityEdge appears to have been developed by kindergartners with no technical understanding of what they were doing. I'm being kind.



  • Thanks so much for confirming what I've been finding. I'll get it removed.



  • Update: with SecurityEdge turned off, our system ran great for a day and a half. Then Comcast turned SecurityEdge back on for some unknown reason. The next CSR could see it was supposed to be turned off, but couldn't get it fixed. Escalated again, but 24 hours later SecurityEdge still hasn't been turned off.

    I've configured DNS forwarding as a workaround, but at best it's slow and at worst domains aren't resolving properly. This is all caused by SecurityEdge being in the loop and no direct way to outflank it. My whole day is now racing from machine to machine trying to solve each individual problem. With many flavors of Linux running in our configuration, this is surely a headache. If this persists we'll move to another ISP ASAP. I'm not going to tunnel DNS just to get around this.

    Disclaimer: We don't use pfSense, but this forum was one of the most informed places I found with useful information on the SecurityEdge problem, so I thought I would contribute back what I've learned.



  • @pendragonsound said in No Internet after upgrading Comcast Business Gateway/modem:

    Disclaimer: We don't use pfSense, but this forum was one of the most informed places I found with useful information on the SecurityEdge problem, so I thought I would contribute back what I've learned.

    Much appreciated!

