PfSense and Comcast

  • Have a Comcast SMC modem with one usable static ip address. I assigned it to a Netgate/ALIX box running pfSense 2.0. Double checked the ip address and subnet mask, both are correct. However, no traffic gets past the modem. The lan ip address scheme on pfSense is 172.16.xx.xx. Comcast lan is set to, so no conflict there. I can ping devices on the nat side of the Comcast modem from the Netgate box. Had Comcast switch out the modems, problem still occurs. If I switch pfSense to dhcp, it works, I can get online. Switch back to the static ip and I can't even get to


  • Did you set up DNS (SYSTEM -> General Setup) ?
    Did you uncheck "Block private networks" on WAN interface ?
    Did you create a Gateway (SYSTEM -> Routing) ?
    Can you ping from pfsense or ?

  • The address is for managing the modem and it's also the gateway if you connect a DHCP client to one of the modem's ports. Your firewall's WAN should be set for static and set to your assigned public IP, gateway and subnet mask.


  • It's possible that the SMC gateway isn't set up correctly. For the life of me I can't seem to find the correct settings right now. Try connecting a regular client using your static IP address. Also, IIRC you need to point your gateway to the SMC router's IP address, and NOT the gateway of the router. So if you're using the smc is probably .25 So use for the gateway and not like your router is probably using. If you can't get it to work on a desktop then it's probably a config issue with the router.

  • I did uncheck Block private networks, Gateway was created, could not ping out.

    The firewall's WAN was set to the usable static ip address along with the correct subnet mask which is or ip  address/30.

    I called up comcast and had them make sure that the correct ip address was applied. I can't for the life of me figure out what is wrong because comcast has locked down the smc router.

    This isn't my first pfsense setup even though I am new to the platform. I have no trouble on a Qwest dsl connection.

  • I am working with this setup myself. Further research has told me that in the SMC device (login: cusadmin/highspeed to will require several settings be made on the Firewall screens. Be sure all checkboxes are checked that imply a disabling of routing or translating. There is another sub-screen called something like Absolute Static IP Management that has an appropriate setting that needs looking at.

    Sorry, I am not able to access my SMC device right now, so exact instructions will come later.

    Making these settings will put the SMC into a (euphemistically called) "pass-through" mode (NOT "bridged" as many hardcore networking techs will vociferously explain). In this mode (so I am led to believe), the public IP (static) address will be seen on the SMC's ethernet jacks. I have yet to come to understand how/where the public IP (static) 'gateway' address is used (for me, the public IP gateway address is one number less than the public IP).

  • I can kind of explain what's going on with the SMC gateway. Think of it as a router / firewall / modem all in one. Basically the device has several IP addresses assigned to it. IIRC there are actually two real world IPs on the device, one is only seen by Comcast on the router's WAN port, then there is another real world IP on the router's LAN port. The device routes traffic between these two IPs so you can get your live subnet. There is also a firewall that resides off of the router's LAN port, which will do NAT. Both the router LAN and the NAT'ed firewall are live on all 4 ports of the switch. So when you put in the correct information for a static IP address, the PC will find the appropriate gateway and use that to get through the SMC router and to the internet. If you just use a DHCP lease that is handed from the SMC firewall and your traffic flows through that then into the SMC router and to the internet.

    So it would look something like this:

      |                                        |
      /                                      /
            4 PORT SMC SWITCH

    It's kind of neat how it's set up because it is possible to use both static IPs and have clients behind the firewall at the same time. The networks don't really cross but if you had a packet sniffer on your lan it might be possible to see traffic from the other subnet. Obviously if this is a concern you would only use one or the other.

    The other thing that you get is even with having only 1 static IP address you technically get 2, because a /30 gives 4 addresses.
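
The static-WAN checks discussed in this thread (gateway inside the /30, not the modem's private management address), as an added example that is not part of any post above. All addresses are constructed: 203.0.113.24/30 is a documentation range and 10.0.0.1 is a placeholder for a private management address, not values from the thread.

```python
import ipaddress

# RFC 1918 ranges: a gateway here is on the modem's NAT/management side,
# not on the routed public subnet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def usable_hosts(wan_cidr):
    """Usable host addresses of the WAN subnet (a /30 has exactly two)."""
    net = ipaddress.ip_interface(wan_cidr).network
    return [str(h) for h in net.hosts()]

def check_static_wan(wan_cidr, gateway):
    """Return a list of problems with a static WAN address/gateway pair.

    wan_cidr accepts '203.0.113.26/30' or '203.0.113.26/255.255.255.252'.
    """
    iface = ipaddress.ip_interface(wan_cidr)
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    # Network/broadcast addresses only exist as reserved values below /31.
    reserved = ((net.network_address, net.broadcast_address)
                if net.prefixlen < 31 else ())
    problems = []
    if any(gw in n for n in RFC1918):
        problems.append("gateway is a private (management/NAT side) address")
    if gw not in net:
        problems.append(f"gateway is outside {net}; recheck IP and mask")
    elif gw in reserved:
        problems.append("gateway is the network or broadcast address")
    if gw == iface.ip:
        problems.append("gateway equals the firewall's own WAN address")
    if iface.ip in reserved:
        problems.append("WAN address is the network or broadcast address")
    return problems

if __name__ == "__main__":
    # Constructed sample: firewall on .26, gateway one number lower on .25.
    print(usable_hosts("203.0.113.26/30"))
    for gw in ("203.0.113.25", "10.0.0.1", "203.0.113.29"):
        print(gw, check_static_wan("203.0.113.26/30", gw) or "ok")
```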
