How To Configure a Comcast Business Class Static IP Address

Bob Jackson

This tutorial explains how to configure a Comcast Business Class static IP address to enable remote access to network clients from the Internet. The Comcast Business IP Gateway (SMC8014 or NETGEAR CG3000DCR) is configured for pseudo bridge mode by disabling the normal routing, firewall, NAT and DHCP functions. The Internet-routable static IP address is assigned to the Linksys WiFi router WAN interface for remote Internet access to LAN clients.

Remote Internet Access Problem

I was helping a small business set up IP network cameras with the Comcast Business Class cable modem service but ran into a problem with Internet remote access: the DDNS agent in the Linksys WiFi router was showing a 10.1.10.10 (“10 space”) non-Internet routable private IP address. I logged into the Dyn Remote Access account and saw the 10.1.10.10 private IP address listed in the Host Services table.

The problem is the Comcast IP Gateway operates in Router Mode and assigns a 10.1.10.x private IP address to the Linksys router WAN interface. My first thought was to request a standard cable modem which operates in Bridge Mode, however Comcast Business does not support static IP addresses on standard cable modems and you must use their Business IP gateway (cable modem/router combo) to get an Internet routable static IP address.

Comcast Business Class Internet will install a NETGEAR CG3000DCR IP Gateway which is a cable modem and router combo that runs a custom firmware load by Comcast. (We originally had an SMC8014 gateway which Comcast replaced with a NETGEAR CG3000DCR when the SMC8014 failed). The Comcast IP Gateway does not support true Bridge Mode as compared to a basic cable modem nor does it provide a simple user menu option to select the “bridge mode | router mode” working mode like some gateways. Remote Internet access to the LAN network clients requires subscribing to Comcast’s Static IP Service and disabling the various Comcast IP Gateway firewall, NAT and DHCP features for the routed equivalent known as “pseudo-bridge mode”. Comcast Customer Support will remotely reconfigure the gateway for you upon request when the Static IP address is activated.

After configuring pseudo-bridge mode the DDNS agent in the Linksys router can now update the Dyn Remote Access service with the Internet routable WAN IP address. Remote Internet access now works with an easy to remember DDNS host name and port forwarding, e.g. https://myhost.homedns.org:443 or just the static IP address, e.g. https://173.xxx.yy.185:443 where the “:443” is the port number to be forwarded by the Linksys router to a particular LAN client.

I called Comcast and subscribed to one (1) static IP address service because a single IP address assigned to the Linksys WRT54GS WiFi router WAN interface would do the job. The sales person said a confirmation e-mail would be sent with the new static IP in 3 to 5 business days. Several days later, an e-mail confirmation arrived with the new IP address, gateway IP, subnet mask, DNS server IPs and instructions to call Comcast Tech Support’s toll free number to activate the static IP service. The e-mail was brief and to the point:

Comcast Static IP Block

Comcast offers 1, 5 or 13 usable static IP addresses. “Usable” means the quantity of IP addresses that are available for assignment to your devices. IP subnetting rules require that IP addresses are allocated in blocks of certain fixed sizes. To obtain one (1) useable IP address a /30 CIDR block is allocated. (You can skip the following CIDR block details because the essentials are given in Comcast’s e-mail notice above.)

Comcast Business Static IP Block Assignment: One (1) Customer Usable IP Example

  • CIDR Notation: 173.xxx.yyy.184/30
  • Network Address (ID): 173.xxx.yyy.184
  • Host Addresses: 173.xxx.yyy.185 to .186
  • Customer Usable IP(s): 173.xxx.yyy.185. Only one (1) usable IP because the highest host address (.186) is automatically assigned by Comcast to the Business Gateway WAN Internet IP address.
  • Network Broadcast Address: 173.xxx.yyy.187
  • Subnet Mask: 255.255.255.252

Recall that the Network ID and Broadcast IP addresses cannot be assigned to your network hosts (LAN devices). Comcast also assigns the highest usable IP address to the Business gateway WAN interface. Therefore 3 IP addresses in any CIDR block are reserved and not customer usable.

If I had purchased 5 usable static IP addresses for a more complex LAN network application then Comcast would allocate a /29 CIDR block:

Comcast Business Static IP Block Assignment: Five (5) Customer Useable IPs Example

  • CIDR Notation: 173.xxx.yyy.184/29
  • Host Addresses: 173.xxx.yyy.185 to .190
  • Customer Usable IP(s): 173.xxx.yyy.185 to .189. Only five (5) usable IPs because the highest host address (.190) is automatically assigned by Comcast to the Business Gateway WAN Internet IP address.
  • Network Broadcast Address: 173.xxx.yyy.191
  • Subnet Mask: 255.255.255.248

The Comcast static IP network diagram for one usable IP address with the NETGEAR CG3000DCR is:

Comcast Business Class Static IP Network Diagram for Pseudo Bridge Mode

Fluke LinkSprinter Network Tester

I recently had the pleasure of reviewing the Fluke LinkSprinter Network Tester. It automatically tests:

  • Power over Ethernet (PoE)
  • Ethernet Link and jacks
  • DHCP and Static IP Addresses
  • Network Gateway
  • Internet Connectivity

It’s affordable, easy to use and takes the guesswork out of network test and troubleshooting.

Comcast Static IP Address & Pseudo Bridge Mode

Comcast Business Support (800) 391-3000 can remotely configure the IP gateway for the routed equivalent to Bridge Mode, which disables the DHCP, DNS, NAT, firewall, static routing, filtering, etc. functions. This will allow your firewall/router to provide the LAN DHCP, NAT, port forwarding, VPN, etc. functions under your control.

I noticed the older SMC8014 and newer NETGEAR CG3000DCR both have the same custom firmware designed by Comcast. See the (circa 2006) Comcast Business IP Gateway User Guide for details; it doesn’t include the IPv6 menu options in the latest firmware versions.

The NETGEAR CG3000DCR can be configured for pseudo bridge mode by connecting your computer to a LAN port on the gateway and logging in with a web browser:

  • Admin page: http://10.1.10.1
  • User name: cusadmin
  • Password: highspeed

Comcast Business IP Gateway Login 10.1.10.1

You’ll be presented with the Comcast Business Gateway Welcome Screen:

Comcast Business IP Gateway - Feature Settings

Clicking Gateway Summary → Gateway Status displays the Firmware Version, Operating Mode, etc. The Operating Mode will always state “Residential Gateway” as of this writing:

Comcast Business IP Gateway - Status

Clicking Gateway Summary → Network will display the Internet and Local network settings. Comcast automatically assigns the highest useable IP address, e.g. 173.xxx.yyy.186, to the Gateway WAN Internet IP Address. Your Static IP Block in CIDR notation (/30) is also displayed:

Comcast Business IP Gateway - Internet Settings

The pseudo bridge mode configuration settings for the NETGEAR CG3000DCR are as follows with selected screen grabs for the essential settings.

NETGEAR CG3000DCR Pseudo Bridge Mode Configuration Steps

The following steps will configure the CG3000DCR (or the discontinued SMC8014) for pseudo bridge mode by disabling the various Comcast gateway router functions.

  • Disable Firewall for True Static IP Subnet Only: Checked. This is a critical setting for pseudo-bridge mode.
  • Disable Gateway Smart Packet Detection: Checked. Smart packet detection was already disabled by Comcast, probably because it often breaks network services.
  • Click the apply button to save your changes.

Comcast Business IP Gateway - Firewall Options for Pseudo Bridge Mode with Static IP

  • Port Forwarding: Disable all Port Forwarding rules: Checked
  • Port Triggering: Disable all Port Triggering rules: Checked
  • Port Blocking: Disable all Port Blocking rules: Checked
  • True Static IP Port Management: Disable all rules and allow all inbound traffic through: Checked. Note: When “Disable Firewall for True Static IP Subnet Only” is checked (see the previous screen) it will automatically disable True Static IP Port Management if running the newer firmware versions.

Comcast Business IP Gateway - Firewall - Port Configuration - Port Triggering

Next click:

  • Firewall → Web Site Blocking: Enable Web Site Blocking: Unchecked
  • Firewall → DMZ: Enable DMZ Host: Unchecked
  • Firewall → 1-to-1 NAT: Disable All: Checked. Disabling the 1-to-1 NAT is the critical setting for pseudo-bridge mode.

Comcast Business IP Gateway - Pseudo Bridge Mode for Static IP - Disable 1-to-1 NAT

NETGEAR CG3000DCR LAN Settings:

Take care to disable the LAN DHCP option last because it will reset/reboot the gateway!

  • LAN → IPv6: No changes. All settings should be blank or “NA” except “Enable EUI-64 Addressing” is enabled by default.
  • LAN → Static Routing: No entries, all fields blank.
  • LAN → Filtering: Enable Access Filter: Unchecked
  • LAN → Switch Controls: Keep the default settings unless you have reason to disable or configure Ethernet port options.
  • Enable LAN DHCP: Unchecked. This is a critical setting for pseudo-bridge mode to prevent the Comcast IP Gateway from assigning a 10.1.10.x private IP address to your router’s WAN interface.
  • Assign DNS Manually: Don’t care because the DNS server settings will be provided by your LAN router DNS feature. It was checked by default and I left it alone.
  • Click the apply button to save your changes. The Comcast Gateway will now reboot.

Note: DHCP and DNS services will be configured in the Linksys WRT router.

Comcast Business IP Gateway - Disable LAN DHCP for Pseudo Bridge Mode with Static IP

The NETGEAR CG3000DCR will reboot after DHCP is disabled and the apply button is clicked:

Comcast Business IP Gateway - Device Reset

Linksys Router Static IP Address Configuration

The Comcast provided static IP address, subnet mask and gateway must be configured on the Linksys WRT router to enable Internet access. The configuration is simple by flipping the Internet Connection Type from DHCP to Static IP through these steps:

  • Log into the Admin page of the Linksys WiFi router at: http://192.168.1.1. Note: I changed the Linksys Router IP from the factory default 192.168.1.1 to 192.168.2.1 as a minor security enhancement to make it a little harder for someone searching for the default 192.168.1.x subnet. This is strictly optional.
  • Go to the Setup → Basic Setup menu.
  • Select Static IP in the Internet Connection Type choice box.
  • Fill in the Internet IP Address, Subnet Mask, Default Gateway with the parameters specified in the e-mail from Comcast, e.g. Static IP: 173.xxx.yy.185 (static IP address for my Linksys router); Gateway: 173.xxx.yy.186 (static IP address of the CG3000DCR gateway); Subnet Mask: 255.255.255.252.
  • Enter your favorite DNS service IP address values or use the Comcast DNS IPs. I used 8.8.8.8 and 8.8.4.4 for Google DNS and 208.67.222.222 for OpenDNS.
  • Click Save Settings.

Linksys WRT54GL Setup for Comcast Business Static IP
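The block arithmetic from the Comcast Static IP Block section and the static WAN values entered above can be checked together. The following is an added example, not code from the original tutorial: the function names are hypothetical, the 203.0.113.x documentation addresses are constructed stand-ins for the masked 173.xxx.yyy.x block, and the rule that the highest host address belongs to the Comcast gateway is taken from the tutorial.

```python
import ipaddress

# RFC 1918 private ranges; the tutorial's symptom was a 10.1.10.x WAN address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def describe_block(cidr):
    """Split a static block into network, broadcast, gateway and customer IPs.

    Assumption taken from the tutorial: the highest host address in the
    block is the one Comcast assigns to the Business Gateway.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # rejects a misaligned base
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError(f"{cidr}: expected an IPv4 block of /30 or larger")
    hosts = list(net.hosts())
    return {
        "network": net.network_address,
        "broadcast": net.broadcast_address,
        "netmask": net.netmask,
        "gateway": hosts[-1],
        "customer_usable": hosts[:-1],
    }


def check_wan_settings(cidr, wan_ip, netmask, gateway):
    """Return a list of problems with a router's static WAN settings.

    An empty list means the three values agree with the allocated block.
    """
    block = describe_block(cidr)
    net = ipaddress.ip_network(cidr)
    ip = ipaddress.ip_address(wan_ip)
    problems = []

    if any(ip in private for private in RFC1918):
        problems.append(f"{ip} is RFC 1918 private space, so the gateway "
                        "is still handing out NAT/DHCP addresses")
    elif ip not in net:
        problems.append(f"{ip} is outside the allocated block {net}")
    elif ip in (block["network"], block["broadcast"]):
        problems.append(f"{ip} is the network or broadcast address")
    elif ip == block["gateway"]:
        problems.append(f"{ip} is reserved for the Comcast gateway")

    if ipaddress.ip_address(netmask) != block["netmask"]:
        problems.append(f"subnet mask should be {block['netmask']}")
    if ipaddress.ip_address(gateway) != block["gateway"]:
        problems.append(f"default gateway should be {block['gateway']}")
    return problems


if __name__ == "__main__":
    # Constructed blocks for the 1, 5 and 13 usable-address tiers.
    for cidr in ("203.0.113.184/30", "203.0.113.184/29", "203.0.113.176/28"):
        b = describe_block(cidr)
        usable = b["customer_usable"]
        print(f"{cidr}: mask {b['netmask']}, gateway {b['gateway']}, "
              f"broadcast {b['broadcast']}, {len(usable)} usable "
              f"({usable[0]} to {usable[-1]})")

    # The router state from the start of the tutorial: a 10.1.10.x lease.
    for problem in check_wan_settings("203.0.113.184/30", "10.1.10.10",
                                      "255.255.255.0", "10.1.10.1"):
        print("PROBLEM:", problem)

    # The settings the tutorial ends up with.
    print(check_wan_settings("203.0.113.184/30", "203.0.113.185",
                             "255.255.255.252", "203.0.113.186"))
```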

Linksys Router Dynamic DNS Settings

DDNS isn’t necessary with a static IP address but it does provide a way to configure an easy to remember host name to reach simple LAN clients like an IP camera. If you’re setting up a web server for a domain name you’ll want to subscribe to a DNS service and create DNS Zone records for your Comcast Static IP’s.

This next step assumes you have already created a DDNS Account with Dyn Remote Access and have a DDNS host configured.

Navigate to the Setup → DDNS menu in the Linksys WRT WiFi router. Input your DDNS account user name, password and host name. Click Save Settings and check the DDNS update status which should be “DDNS is updated successfully.” The DDNS service will register the Comcast Static IP address 173.xxx.yyy.185.

Linksys WRT54GL DDNS Client Setup

Remote Internet Access to LAN Clients

Port forwarding maps Internet requests from the static IP address to a private LAN IP address to access LAN clients (computers, cameras, etc.) via the DDNS host name and port, e.g. https://myhost.homedns.org:443 or directly with the static WAN IP address of the Linksys router, e.g. https://173.xxx.yyy.185:443. For port forwarding configuration instructions, see this project.

An example port forwarding configuration where unused ports are assigned to the LAN clients to avoid conflicts with other network services:

Linksys WRT54GL Port Forwarding

NETGEAR CG3000DCR Admin GUI Access

In the future if you want to log in to the CG3000DCR (or older SMC8014) gateway:

  • Connect your computer to the Linksys router LAN network via WiFi or wired Ethernet cable connection.
  • Point your web browser to http://10.1.10.1 to access the CG3000DCR admin page.

Comcast IP Gateway: Configure 10.1.10.x Static IP Address for Windows 7 PC

Note that you will not be able to access the CG3000DCR Admin GUI if your computer is plugged directly into a LAN port on the CG3000DCR (or the older SMC8014) when DHCP is disabled on the Comcast IP gateway because your computer won’t receive a DHCP 10.1.10.x IP address. What you need to do is temporarily assign a 10.1.10.x static IP address to your computer. This is only needed if you can’t connect through the Linksys router.

Comcast Business IP Gateway - Computer 10.1.10.x Static IP Config

For Windows 7 the computer private static IP configuration steps are:

  • Control Panel → Network and Internet
  • Network and Sharing Center
  • Change Adapter Settings
  • Local Area Connection → (right click menu) Properties

Windows 7 - LAN Connection Properties

  • Internet Protocol Version 4 (TCP/IPv4) → Properties

Windows 7 - LAN Connection Properties for IPv4

  • Enter 10.1.10.2 or any unused IP address in the 10.1.10.2 to .254 range.
  • Subnet mask: 255.255.255.0
  • Default Gateway: 10.1.10.1
  • Click OK and OK again on both dialog boxes.

Windows 7 - Configure LAN Static IP Address

You can now point your web browser to http://10.1.10.1 to log into the Comcast IP gateway when DHCP is disabled for pseudo-bridge mode and your PC is connected to a gateway Ethernet LAN port. When you’re finished remember to go back and change your IPv4 properties back to select “Obtain an IP address automatically”.

Small Office/Home Office (SOHO) Network

See the Ubiquiti EdgeRouter Lite SOHO Network Design project for a small business or advanced home office network complete with firewall, VLANs, WiFi Access Point and OpenVPN remote access.

Ubiquiti EdgeRouter Lite Network Diagram

Happy networking,

Bob Jackson

Comcast Business Support Community

JeffreyWest

New problem solver

Wednesday, September 16th, 2015 6:00 PM

Static IPs and Router Setup

9 years ago

1.4K Messages

Occasional Visitor

I have the exact situation (except my LAN is 192.168.0.x) and I have read this half a dozen times. The ports that I want to control seem to be OPEN no matter what.

Let me explain.

I have a /29 block. I have a SMCD3G-CCR:

2015-09-30 17_55_56-Comcast Business Gateway - Internet Explorer.jpg

Here are the "default" settings related to firewall:

2015-09-30 18_00_02-Comcast Business Gateway - Internet Explorer.jpg

Before I create any rules in TSIPM, there should not be any ports opened to my servers inside the LAN, right?

2015-09-30 18_02_16-Comcast Business Gateway - Internet Explorer.jpg

Why is MXTOOLBOX.COM able to see the SMTP port of one of my servers?

2015-09-30 18_04_13-Network Tools_ DNS,IP,Email.jpg

Before I had the SMC gateway, I was given a Cisco 3939. It had the same problem. Every time I called Comcast biz class tech support, they said they don't deal with "customer premises equipment" and kicked me away.

Am I the only one experiencing this? Or are the router user interfaces just too confusing for just me? I think I know networking. I had my Cisco CCNP and Checkpoint Firewall certifications a decade ago and worked at an Internet backbone provider. I think I know what IP addressing is.

So many people simply switch their business class gateway to "pseudo bridge mode" and add their own router behind it. Is it because they all experience the same and have given up? Comcast charges us for equipment that doesn't work and refuses to provide service (because they know they would not solve our problem)? And they don't allow us to use our own equipment?

If you switch the gateway to pseudo bridge mode, what router behind it do you use to allow multiple WAN IP addresses on the WAN interface? I am getting a Sonicwall TZ 105. Has anyone had luck with it?

If the above problem is solved and if I want to use one of the static IPs to access multiple IP cameras (Port Address Translation - forwarding incoming traffic to the Static IP at port 8001 to 192.168.0.101:80, port 8002 to 192.168.0.102:80, etc.), would it work well with the 1:1 NAT if possible at all?

Okay derekc, please see my comments below. Thanks

2015-09-30 17_55_56-Comcast Business Gateway - Internet Explorer.jpg

Not sure what you expect for data processing by disabling ALL ports on ALL your static IP routable devices?! You need to consider using the True Static IP Port Management: Block All Ports With the following Exceptions, then add ONLY the ports of whatever the applications you are needing open on each individual routable static IP device (such as 50.XXX.43.90/91/92.93). The way you have it currently configured all routable static IP device(s) ports are ALL blocked, therefore, no incoming data processing activity whatsoever. So even your NATTing outgoing can process data but no incoming to your routable servers until you open the exact application ports on each of the routable static IP devices.

Man Happy

Comcast allows all customers to use whatever equipment is required for their business requirements. Pseudo Bridge Mode (i.e. disabling the Comcast Gateway (CG) internal DHCP Server) is good networking practice to avoid any other devices' internal DHCP Server conflicts causing inadvertent packet loss. Imho, Comcast provides exceptional service both technical and business on the equipment they provide to customers. However, not all Comcast technical agents have your Cisco CCNP & Checkpoint Firewall certification qualifications, but some do.

If you are referring to "True Bridge Mode (TBM) " and turning the CG into a dumb modem with no routing except to pass WAN addresses to the Firewall, Controlling Router, etc., you must first get rid of your static IP's to implement this networking strategy. When any Industry Standard Gateway is put in TBM then ALL routing is disabled, again, with the only exception of passing the WAN DHCP address to a controlling, security, etc. device, as you know.

I would like to advise you that I have worked with MANY Comcast business customers who have simply used 1 static IP routable address programmed on their DVR Server WAN network interface, physically ethernet interconnected to any CG LanPort, use exactly the current configuration you posted above and just simply ensure that port 80 and 8002 is open on the routable static IP DVR server device and it is a done deal. If you are using an http://DVR-Server-Website-URL:8002, for example, this will work perfectly fine. Hope this helps you out...


Use static IPv6 addresses on a router behind a Comcast Business IP Gateway

I recently got set up with Comcast Business Class internet. Previously, I was using DSL with another provider and had a single static IPv4 address (VyOS). Now I want to get Comcast set up.

I purchased a static IP address delegation from Comcast. I have five static IPv4 addresses (96.x.x.168/29, of which 168 and 175 are reserved and 174 is the gateway, so I can only use 169-173, or five addresses) and a static /56 of IPv6 addresses (2603:xxxx:xxxx:8700::/56 with a static gateway of 2603:xxxx:xxxx:8700:7454:7dff:feb1:d391 [link local fe80::7454:7dff:feb1:d391], so I should have full use of 2603:xxxx:xxxx:8700::1 through 2603:xxxx:xxxx:87ff:ffff:ffff:ffff:ffff). You'll notice that the static gateway is within the /56 and, indeed, is within the first /64 prefix of the /56 ... I don't know whether that is important or causing me any problems. IMPORTANT NOTE: Since this is Comcast, and they can't do anything simply, we are not allowed to put the modem/router in "bridge mode." Static IP addresses can only work if the router is in normal mode (but you can turn all of the unneeded DHCP, firewall, WiFi, etc. off, which I did). If I put the modem/router in "bridge mode," it forces me into a single DHCP address, and that is as expected per Comcast documentation. The Comcast equipment is a Cisco type-BWG model-DPC3939B Business IP Gateway. Its readouts show the IPv4 and IPv6 static delegations.

I'm using VyOS as the routing software on my router/firewall (which is plugged in to one of the LAN ports on the BIP Gateway). It's an OSS fork of Vyatta, parallel to Brocade or Ubiquiti.

I had no problem using my static IPv4 addresses. I set up 169 as the outgoing interface for all of my private traffic (no destination NAT, just source NAT using 169 as the outgoing address). I set up 170-173 using 1:1 NAT for various public-facing servers behind my firewall. It all works perfectly.

IPv6 has been a disaster. I can't get much to work. If I do the following (pretty simple), I can ping Google (2607:f8b0:4002:c07::66) from VyOS:

This results in:

I can also ping 2603:xxxx:xxxx:8700::1 from a remote server I have access to with known working IPv6. So that's nice, but that is literally the extent of what I can get to work. I can't get IPv6 onto any other machine on the network. I tried interface addresses ending in /56, /60, and /64 with no better results in any of the following scenarios:

As a first example, the address 2603:xxxx:xxxx:8700::1/60 should put everything 2603:xxxx:xxxx:8700::1 through 2603:xxxx:xxxx:870f:ffff:ffff:ffff:ffff in scope of my interface. The default route falls within that range. However, I can only ping Google (and can only ping the address from my remote server) if my address is 2603:xxxx:xxxx:8700::anything/60. 2603:xxxx:xxxx:8700::2/60 works, 2603:xxxx:xxxx:8700::feed/60 works, 2603:xxxx:xxxx:8700:1::1/60 works ... but 2603:xxxx:xxxx:8701::1/60 doesn't work. As soon as I try that, ip -6 route and ping6 tell me that the gateway is "unreachable" and that Google is "unreachable," even though all of those addresses (including the last one) are within the same subnet as each other and the gateway.

As a second example, I tried setting two addresses on the interface:

This yielded interesting results. ip -6 route says I have a route out through 2603:xxxx:xxxx:8701::1 via 2603:xxxx:xxxx:8700:7454:7dff:feb1:d391 and ping6 no longer says "unreachable," but I never get ping responses. It was easy to determine why. I can ping 2603:xxxx:xxxx:8700::1 from my remote server, but not 2603:xxxx:xxxx:8701::1. Since the route from VyOS to Google is out through 2603:xxxx:xxxx:8701::1, the responses can't route back. Weirdly, if I delete both addresses, commit, and then add them back in reverse order, it magically works:

Now ip -6 route says I have a route out through 2603:xxxx:xxxx:8700::1 via 2603:xxxx:xxxx:8700:7454:7dff:feb1:d391 and, since my pings go out through 2603:xxxx:xxxx:8700::1, ping6 to Google results in successful responses. Great. But 2603:xxxx:xxxx:8701::1 still can't be pinged from the outside world, so I still haven't succeeded in using all of my addresses.

As a third example, since I can at least ping Google from VyOS, I want to assign some static addresses to my internal, publicly-facing servers. I start by adding the address 2603:xxxx:xxxx:8700:92::1/64 to bond0.900 , the interface facing my servers (this prefix should cover everything from 2603:xxxx:xxxx:8700:: to 2603:xxxx:xxxx:8700:ffff:ffff:ffff:ffff). Then I add 2603:xxxx:xxxx:8700:92::173/64 to the interface on one of my servers and set its default gateway to 2603:xxxx:xxxx:8700:92::1. Now, from my server, I can ping 2603:xxxx:xxxx:8700:92::1. Great! But I can't even ping 2603:xxxx:xxxx:8700::1, which is just one step away on the router, and I for sure can't ping Google. If I use monitor interfaces, I can see that the pings to Google are at least making it out of eth1, and I'm just not getting any responses. No surprise there, I suppose, given my troubles above. But I don't even see the pings to 2603:xxxx:xxxx:8700::1 getting to VyOS. But that's not really how I intended to use it, I just thought I had to since I couldn't get anything beyond :8700 to work.

So I tried setting eth1 to 2603:xxxx:xxxx:8700::1/64 (still works for pinging Google from VyOS), setting bond0.900 to 2603:xxxx:xxxx:8792::1/64, and setting the server to 2603:xxxx:xxxx:8792::170/64. Now, the server can ping 2603:xxxx:xxxx:8792::1 AND 2603:xxxx:xxxx:8700::1! This is an improvement! However, I can't ping the gateway (2603:xxxx:xxxx:8700:7454:7dff:feb1:d391) or Google from the server. monitor interfaces shows the traffic going out, but nothing comes back in.

And this is just the beginning of what I need to do. I eventually want to carve out two /64 prefixes for stateless configuration on two private LANs/WLANs, but I'm not even getting to that yet. One thing at a time, I can't even get static IPv6 fully working, or working at all past the first /64 of the static /56 delegated to me. Clearly I'm doing something wrong here, but this also smells bad. Why is this so hard?

Nick Williams

  • 1 You have not bashed your Comcast account rep over the head with that awful modem they require you to use. I'm a bit surprised that if they are going to mandate you use the equipment that they haven't provided a working configuration. –  Michael Hampton Jan 17, 2018 at 9:12
  • Yeah, after much research (and reading many posts like this one: forums.businesshelp.comcast.com/t5/IPV6/… ), It sounds like most of the modems they provide actually don't support IPv6 fully (including the brand new one they gave me in November), and that you have to specially request a modem that isn't on their list to get IPv6 support. (1/2) –  Nick Williams Jan 17, 2018 at 13:12
  • It also sounds like NOBODY in Tier 1 support has a clue what IPv6 even is, and I don't feel like spending hours on the phone to then wait days to be called back. So I posted for support help here: forums.businesshelp.comcast.com/t5/IPV6/… –  Nick Williams Jan 17, 2018 at 13:14
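The prefix arithmetic behind the three scenarios in the question can be worked through directly. This is an added example, not the asker's code: the 2001:db8:0:8700::/56 documentation prefix is a constructed stand-in for the masked 2603:xxxx:xxxx:8700::/56 delegation, the function names are hypothetical, and the code only does address math without claiming anything about how the Comcast gateway routes the /56.

```python
import ipaddress

# Constructed stand-ins for the masked delegation and its static gateway.
DELEGATION = ipaddress.ip_network("2001:db8:0:8700::/56")
GATEWAY = ipaddress.ip_address("2001:db8:0:8700:7454:7dff:feb1:d391")


def slot64(addr, delegation=DELEGATION):
    """Index of the /64 inside the delegation that holds addr (0-255 for a /56)."""
    addr = ipaddress.ip_address(addr)
    if addr not in delegation:
        raise ValueError(f"{addr} is not inside {delegation}")
    return (int(addr) - int(delegation.network_address)) >> 64


def shares_gateway_64(addr):
    """True when addr sits in the same /64 as the static gateway."""
    return slot64(addr) == slot64(GATEWAY)


def on_link_range(iface):
    """Network that an interface address such as '...::1/60' treats as on-link."""
    return ipaddress.ip_interface(iface).network


def overlapping(ifaces):
    """Pairs of interface names whose configured prefixes overlap."""
    nets = {name: on_link_range(addr) for name, addr in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    print("/64 networks in the delegation:", 2 ** (64 - DELEGATION.prefixlen))

    # First scenario: a /60 on the interface does span 8700 through 870f.
    net60 = on_link_range("2001:db8:0:8700::1/60")
    print(f"{net60} runs from {net60[0]} to {net60[-1]}")

    # Addresses tried in the question, rewritten onto the stand-in prefix.
    tried = ["2001:db8:0:8700::1", "2001:db8:0:8700::2",
             "2001:db8:0:8700::feed", "2001:db8:0:8700:1::1",
             "2001:db8:0:8701::1", "2001:db8:0:8792::1"]
    for addr in tried:
        print(f"{addr:26} /64 slot {slot64(addr):#04x}  "
              f"same /64 as gateway: {shares_gateway_64(addr)}")

    # Third scenario: the LAN-side /64 is the same /64 as the WAN side.
    print(overlapping({"eth1": "2001:db8:0:8700::1/64",
                       "bond0.900": "2001:db8:0:8700:92::1/64"}))
    # Fourth attempt: a distinct /64 per interface, so nothing overlaps.
    print(overlapping({"eth1": "2001:db8:0:8700::1/64",
                       "bond0.900": "2001:db8:0:8792::1/64"}))
```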


Comcast Business Static IPv6 Setup on a UniFi Security Gateway

  • #configuration

Thank you to mikehanley from the Comcast Business Support Community Forums for the dhcpv6-pd commands.

Setting up IPv6 on a Comcast Business account is not straightforward if you are not using Comcast’s combined modem-router.

If you are using a UniFi Security Gateway (SKU: USG), the following steps are necessary to get IPv6 working:

Assumptions:

  • Comcast is providing you a /56 subnet for your IPv6 allocation
  • You are using the UniFi web interface to manage your USG through a Cloud Key or Controller installation
  • eth0 is your WAN interface

The interactive command-line route

  • In Settings > Networks > WAN, set the WAN interface to DHCPv6 with Prefix Delegation Size to 59 (why 59 instead of 56)
  • Save the new WAN network settings and wait for the USG to provision.
  • IPv6 Interface Type: Prefix Delegation
  • IPv6 Prefix Delegation Interface: WAN
  • IPv6 Prefix ID: 0
  • IPv6 RA: Enable IPv6 Router Advertisement
  • The rest of the settings can stay default. Set manual DNS servers if you like (e.g. Google DNS)
  • Save the LAN network settings and wait for the USG to provision.
  • set interfaces ethernet eth0 dhcpv6-pd prefix-only
  • set interfaces ethernet eth0 dhcpv6-pd rapid-commit disable
  • Unplug the network cable from the WAN interface, wait a few seconds, and plug the network back into the USG WAN interface.

Now the USG should be provisioning/handing out IPv6 addresses to devices on the LAN network.

The config.gateway.json route

Add the following to your config.gateway.json file under the eth0 entry/level:

So, for example, the eth0 section of your config.gateway.json file might look like the following (maybe more, depending on what you have already configured):

For the config.gateway.json approach, remember to force provision the USG from the UniFi controller interface after saving the config.gateway.json file (Devices > USG > Config > Manage Device > Force provision > "Provision" button).

Static Addressing (unconfirmed)

Addition (unconfirmed): It may be possible to configure the Comcast modem/router device to run in “bridged mode” and set a static IPv6 address on the USG and its child networks. (see: Comcast Business Support Community Forum post by sparky04cr)


Configure Comcast static IP on WAN


Our Comcast Business static IP and the pfSense WAN do not like each other. When we use DHCP, Comcast assigns us an IP which connects to the internet. When I try configuring it to the static address, our internet connection fails. Here's what I'm doing.

Desired static IP: 50.a.b.49 Gateway: 50.a.b.50 Subnet mask: 255.255.255.252

In pfSense I go to Interfaces -> WAN and make these changes:

IPv4 Configuration Type: Static IPv4.

IPv6 Configuration Type: Leave it DHCP6

IPv4 Address: 50.a.b.49 /30

Click Add New Gateway

Gateway IPv4: 50.a.b.50

I don't change anything else. I save the change and reboot pfSense device. When it finishes, I cannot connect to the internet.

What am I doing wrong?

@accidentalit

Maybe related to https://redmine.pfsense.org/issues/12632 ?

Lex parsimoniae

jimp

It could be that, although the ticket suggests setting via the GUI works OK.

Why are you trying to set it statically to the same IP the DHCP server is giving you though? Are you sure it's not a static lease and needs to be assigned via DHCP in order to route traffic to you?

@stephenw10 The DHCP IP that Comcast assigns us is different, 73.c.d.51.

Ah OK, and they have instructed you to just set it? It's not an IP they route to you via the DHCP IP?

If so set it again then run ifconfig against the WAN interface from the command line to check it's actually set correctly. Then check Diag > Routes to be sure it's using the new gateway correctly.

If those things are in place though it can only be that Comcast is not routing the traffic to you.

I also have a Comcast static IP, so I'm guessing the setup is similar to mine.

The things that come to mind are...

For IPv6 Type, I have "None". You might want to set that for now, just to get IPv4 working.

After your gateway is created, go back to the Interfaces -> WAN page and make sure that the new gateway is actually set in the "IPv4 Upgrade Gateway" option in the Static IPv4 Configuration section.

How are you testing if you have Internet access? Are you using a web browser on a PC? Do you have DNS setup correctly? You can verify internet access from the pfSense box by going to Diagnostics -> Ping and trying to ping 1.1.1.1 (Don't ping a hostname, use an IP address, just to validate it's working without relying on DNS.)

@serbus I have the latest prod release Netgate pfSense Plus 21.05.2-RELEASE (arm64). How does that relate to pfSense 2.5.2 mentioned in the article?

JonathanLee

@accidentalit can you connect with an RJ45 cable directly to the Comcast router with a laptop that is set to DHCP and run ipconfig in DOS/Windows or ifconfig if you use Unix/Linux? Just to see if it can issue IP addresses to devices in IPv6 or IPv4. If you get 169, it's not handing out IP addresses. Is this modem an all in one? What model Comcast modem are you using?

Make sure to upvote

  • I've set IPv6 to None. On the LAN side I've also turned off IPv4 and IPv6 DHCP server. Our domain controller handles DHCP.
  • If I try saving the new gateway in System > Routing > Gateways before trying to switch the WAN IP to static, I get an error that the gateway address 50.199.13.50 does not lie within one of the chosen interface's subnets.
  • I'm testing from a client trying to browse to google and pinging 8.8.8.8.

This morning, after doing the above, tried changing the WAN to static, creating the gateway during the creation. When it was saved, I could not reach the internet from a browser or using ping on a client. I did not try doing the ping from within pfSense. Interestingly enough, Windows 10 network icon claimed that I did have internet access, but nothing that I did could reach the internet, google.com or 8.8.4.4. Windows on several of our computers claimed it had internet access, but nothing worked.

Now if Comcast has assigned us these static IPs:

  • Static IP Range: 50.199.13.49 - 50.199.13.49
  • CIDR Block Number: 50.199.13.48/30
  • Gateway IP Address: 50.199.13.50
  • Subnet Mask IP Address: 255.255.255.252

Should I be able to ping any of them when I still have not gotten the static IP assigned to my WAN port? None of them ping for me. Could this be related to my problem?

Can anyone recommend a pfSense guru in the south Seattle area that we could hire to get this thing working? For this project I'm merely a volunteer that only marginally knows what I'm doing.

I apologize. My day job is Friday thru Tuesday and doesn't leave me a lot of time to have fun with computers.

@accidentalit Hello, don't get discouraged. You should try some YouTube videos on doing configuration on this. Netgate also has a support number. I love my Netgate. I just got the URL blacklist running today, amazing technology.

Network address translation NAT might be what you need to research more on. Lan side should be handing out private IP addresses with DHCP however they need to be NATed over to the public IP (Comcast IP) so they can communicate.

Side note, This link below is one of my favorite guides for the proxy side. There is another one for Squidguard.

It-monkey. Configure pfSense as HTTPS \ SSL Proxy filter using Squid and SquidGuard! (n.d.). Retrieved January 7, 2022, from https://forum.it-monkey.net/index.php?topic=23.0

Tech glossary. Computer Dictionary of Information Technology. (n.d.). Retrieved January 7, 2022, from https://www.computer-dictionary-online.org/glossary.html

Tech glossary might help you, I don't know your experience level, if you want to understand some terms better. pfSense has everything in it; a glossary is handy sometimes. It's like any profession, it has its own language at times.

In my case, I am able to ping my modem (the 50.199.13.50 address in your case). I did have to log into my modem's web page and disable all the firewalls, check the options for "true static IP". It basically puts the modem in as close to bridge mode as Comcast will allow for a static IP configuration. It might help if you post some screenshots of the modem setup and also the pfSense WAN and Gateway setup pages. (You can blur out the first 3 octets if you don't want to show the real IPs.)

@accidentalit said in Configure Comcast static IP on WAN :

Static IP Range: 50.199.13.49 - 50.199.13.49 CIDR Block Number: 50.199.13.48/30 Gateway IP Address: 50.199.13.50 Subnet Mask IP Address: 255.255.255.252

If they have assigned you those IPs you should just be able to enter them in pfSense and it will work. There's nothing else you can do in pfSense to make that work. If it's not working it's with the Comcast modem that isn't configured to use it or Comcast is not routing that subnet to you.

It sounds like your connection is configured for a dynamic IP and hasn't been reconfigured as static yet.
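An added example (not part of the thread, and not pfSense code) that checks the addressing values quoted above with Python's ipaddress module. It reproduces the condition behind the "does not lie within one of the chosen interface's subnets" error; the 73.0.0.51 address and its mask are constructed placeholders for the redacted DHCP lease, and the function names are hypothetical.

```python
import ipaddress


def check_static_wan(address, netmask, gateway, assigned_cidr=None):
    """Return a list of problems with a static WAN address/gateway pair."""
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    problems = []
    if gw not in net:
        # Same condition the firewall reports as the gateway not lying
        # within one of the interface's subnets.
        problems.append(f"gateway {gw} is outside interface subnet {net}")
    if iface.ip == gw:
        problems.append("interface address and gateway are the same")
    if net.prefixlen < 31:
        reserved = {net.network_address: "network",
                    net.broadcast_address: "broadcast"}
        for label, ip in (("interface", iface.ip), ("gateway", gw)):
            if ip in reserved:
                problems.append(f"{label} {ip} is the {reserved[ip]} address of {net}")
    if assigned_cidr and net != ipaddress.ip_network(assigned_cidr):
        problems.append(f"mask gives {net}, but the assigned block is {assigned_cidr}")
    return problems


def usable_hosts(cidr):
    """Host addresses inside a block (network and broadcast excluded)."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]


# Values quoted in the thread.
BLOCK = "50.199.13.48/30"
STATIC_IP, GATEWAY, MASK = "50.199.13.49", "50.199.13.50", "255.255.255.252"

if __name__ == "__main__":
    print(usable_hosts(BLOCK))                                 # the two host addresses
    print(check_static_wan(STATIC_IP, MASK, GATEWAY, BLOCK))   # consistent settings
    # Constructed placeholder: WAN still holding a DHCP lease in another subnet.
    print(check_static_wan("73.0.0.51", "255.255.254.0", GATEWAY))
    # Constructed mistake: right address, wrong mask.
    print(check_static_wan(STATIC_IP, "255.255.255.0", GATEWAY, BLOCK))
```

A /30 holds exactly two host addresses, so one is the customer's static IP and the other is the Comcast gateway; the gateway can only be saved once the WAN interface itself sits in that /30.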


Getting Started

Xfinity Community Forum

Your Home Network

Glaxalg's profile

Regular Visitor

Saturday, January 9th, 2021 11:00 AM

Assigning static IP to a device


I can confirm that all you need to do is add a one word comment in the comment box. I was getting this failure as well and VPUNITAS1's comment is correct.

@VPUNITAS1   @sdfhgsdf : you just posted this literally four hours ago. I was hoping for the best, tried it, but doesn't work for me (though it seems EXACTLY like the kind of stupid thing Comcast routers would have built in).

Did you have to reboot the router (either hard reset or through the system)? Or is there some other step I'm missing? I'm certain that I don't have anything else assigned. It's within the 10.0.02-10.0.025X (can't remember high #) reserved addresses, which has always been, to my understanding, the way to do this (tho some ppl above seem to imply the contrary).

Thanks! 

Yep, a single-word comment is the trick. 0 words fails, 2+ words fail. 1 word is what's required. That is silly and utterly frustrating that they don't include that pivotal fact in the error message.


