How To Configure a Comcast Business Class Static IP Address

This tutorial explains how to configure a Comcast Business Class static IP address to enable remote access to network clients from the Internet. The Comcast Business IP Gateway (SMC8014 or NETGEAR CG3000DCR) is configured for pseudo bridge mode by disabling the normal routing, firewall, NAT and DHCP functions. The Internet-routable static IP address is assigned the Linksys WiFi router WAN interface for remote Internet access to LAN clients.

Remote Internet Access Problem

I was helping a small business setup IP network cameras with the Comcast Business Class cable modem service but ran into a problem with Internet remote access: the DDNS agent in the Linksys WiFi router was showing a 10.1.10.10 (“10 space”) non-Internet routable private IP address. I logged into the Dyn Remote Access account saw the 10.1.10.10 private IP address listed in the Host Services table.

The problem is the Comcast IP Gateway operates in Router Mode and assigns a 10.1.10.x private IP address to the Linksys router WAN interface. My first thought was to request a standard cable modem which operates in Bridge Mode, however Comcast Business does not support static IP addresses on standard cable modems and you must use their Business IP gateway (cable modem/router combo) to get an Internet routable static IP address.

Comcast Business Class Internet will install a NETGEAR CG3000DCR IP Gateway which is a cable modem and router combo that runs a custom firmware load by Comcast. (We originally had an SMC8014 gateway which Comcast replaced with a NETGEAR CG3000DCR when the SMC8014 failed). The Comcast IP Gateway does not support true Bridge Mode as compared to a basic cable modem nor does it provide a simple user menu option to select the “bridge mode | router mode” working mode like some other gateways (see the Admin Guide link at that page). Remote Internet access to the LAN network clients requires subscribing to Comcast’s Static IP Service and disabling the various Comcast IP Gateway firewall, NAT and DHCP features for the routed equivalent known as “pseudo-bridge mode”. Comcast Customer Support will remotely reconfigure the gateway for you upon request when the Static IP address is activated.

After configuring pseudo-bridge mode the DDNS agent in the Linksys router can now update the Dyn Remote Access service with the Internet routable WAN IP address. Remote Internet access now works with an easy to remember DDNS host name and port forwarding, e.g. https://myhost.homedns.org:443 or the just static IP address, e.g. https://173.xxx.yy.185:443 where the “:443″ is the port number to be forwarded by the Linksys router to a particular LAN client.

How To Configure a Comcast Business Class Static IP Address

I called Comcast and subscribed to one (1) static IP address service for $14.95/month because a single IP address assigned to the Linksys WRT54GS WiFi router WAN interface would do the job. The sales person said a confirmation e-mail would be sent with the new static IP in 3 to 5 business days. Several days later, an e-mail confirmation arrived with the new IP address, gateway IP, subnet mask, DNS server IPs and instructions to call Comcast Tech Support’s toll free number to active the static IP service. The e-mail was brief and to the point:

Dear Customer,
Below is the Static IP information for Account # xxxxxxxxxxxxxx
Static 173.xxx.yy.185 (Static IP address for my Linksys router)
Gateway 173.xxx.yy.186 (Static IP address of the CG3000DCR or SMC8014 gateway)
Subnet Mask: 255.255.255.252
Primary DNS: 68.87.68.162
Secondary DNS 68.87.74.162
Note: Static IP's will not be active/available until the file is downloaded
to your gateway. Please call Tech Support...800.391.3000 or reply to this
email when you want to make the change.

Comcast Static IP Block

Comcast offers 1, 5 or 13 usable static IP addresses. “Usable” means the quantity of IP addresses that are available for assignment to your devices. IP subnetting rules require that IP addresses are allocated in blocks of certain fixed sizes. To obtain one (1) useable IP address a /30 CIDR block is allocated. (You can skip the following CIDR block details because the essentials are given in Comcast’s e-mail notice above.)

Comcast Business Static IP Block Assignment: One (1) Customer Usable IP Example

  • CIDR Notation: 173.xxx.yyy.184/30
  • Network Address (ID): 173.xxx.yyy.184
  • Host Addresses: 172.xxx.yyy.185 to .186
  • Customer Usable IP(s): 173.xxx.yyy.185
    Only one (1) usable IP because the highest host address (.186) is automatically assigned by Comcast to the Business Gateway WAN Internet IP address.
  • Network Broadcast Address: 173.xxx.yyy.187
  • Subnet Mask: 255.255.255.252

Recall that the Network ID and Broadcast IP addresses cannot be assigned your network hosts (LAN devices). Comcast also assigns the highest useable IP address to the Business gateway WAN interface. Therefore 3 IP addresses in any CIDR block are reserved and not customer useable.

If I had purchased 5 useable static IP addresses for a more complex LAN network application then Comcast would allocate /29 CIDR block:

Comcast Business Static IP Block Assignment: Five (5) Customer Useable IPs Example

  • CIDR Notation: 173.xxx.yyy.184/29
  • Network Address (ID): 173.xxx.yyy.184
  • Host Addresses: 172.xxx.yyy.185 to .190
  • Customer Usable IP(s): 173.xxx.yyy.185 to .189
    Only five (5) usable IP because the highest host address (.190) is automatically assigned by Comcast to the Business Gateway WAN Internet IP address.
  • Network Broadcast Address: 173.xxx.yyy.191
  • Subnet Mask: 255.255.255.248

The Comcast static IP network diagram for one usable IP address with the NETGEAR CG3000DCR is:

Comcast Business Class Static IP Network Diagram for Pseudo Bridge Mode

Comcast Business Class Static IP Network Diagram for Pseudo Bridge Mode

Fluke LinkSprinter Network Tester

I recently had the pleasure of reviewing the Fluke LinkSprinter Network Tester. It automatically tests:

  • Power over Ethernet (PoE)
  • Ethernet Link and jacks
  • DHCP and Static IP Addresses
  • Network Gateway
  • Internet Connectivity

It’s affordable, easy to use and takes the guesswork out of network test and troubleshooting.

Fluke LinkSprinter 200 Network Tester

Comcast Static IP Address & Pseudo Bridge Mode

Comcast Business Support (800) 391-3000 can remotely configure the IP gateway for the routed equivalent to Bridge Mode, which disables the DHCP, DNS, NAT, firewall, static routing, filtering, etc. functions. This will allow your firewall/router to provide the LAN DHCP, NAT, port forwarding, VPN, etc. functions under your control.

I noticed both the older SMC8014 and newer NETGEAR CG3000DCR both have the same custom firmware designed by Comcast. See the (circa 2006) Comcast Business IP Gateway User Guide for details which doesn’t include the IPv6 menu options in the latest firmware versions.

The NETGEAR CG3000DCR can be configured for pseudo bridge mode by connecting your computer to a LAN port on the gateway and logging in with a web browser:

  • Admin page: http://10.1.10.1
  • User name: cusadmin
  • Password: highspeed
Comcast Business IP Gateway Login 10.1.10.1

Comcast Business IP Gateway Login 10.1.10.1

You’ll be presented with the Comcast Business Gateway Welcome Screen:

Comcast Business IP Gateway - Feature Settings

Comcast Business IP Gateway – Feature Settings

Clicking Gateway Summary → Gateway Status displays the Firmware Version, Operating Mode, etc. The Operating Mode will always state “Residential Gateway” as of this writing:

Comcast Business IP Gateway - Status

Comcast Business IP Gateway – Status

Clicking Gateway Summary → Network will display the Internet and Local network settings. Comcast automatically assigns the highest useable IP address, e.g. 173.xxx.yyy.186, to the Gateway WAN Internet IP Address. Your Static IP Block in CIDR notation (/30) is also displayed:

Comcast Business IP Gateway - Internet Settings

Comcast Business IP Gateway – Internet Settings

The pseudo bridge mode configuration settings for the NETGEAR CG3000DCR are as follows with selected screen grabs for the essential settings.

NETGEAR CG3000DCR Pseudo Bridge Mode Configuration Steps

The following steps will configure the CG3000DCR (or the discontinued SMC8014) for pseudo bridge mode by disabling the various Comcast gateway router functions.

  • Firewall → Firewall Options

    • Disable Firewall for True Static IP Subnet Only: Checked
      This is a critical setting for pseudo-bridge mode.
    • Disable Gateway Smart Packet Detection: Checked
      Smart packet detection was already disabled by Comcast, probably because it often breaks network services.
    • Click the apply button to save your changes.
Comcast Business IP Gateway - Firewall Options for Pseudo Bridge Mode with Static IP

Comcast Business IP Gateway – Firewall Options for Pseudo Bridge Mode with Static IP

Next click

  • Firewall → Firewall Port Configuration
    • Port Forwarding: Disable all Port Forwarding rules: Checked
    • Port Triggering: Disable all Port Triggering rules: Checked
    • Port Blocking: Disable all Port Blocking rules: Checked
    • True Static IP Port Management:
      Disable all rules and allow all inbound traffic through: Checked
      Note: When “Disable Firewall for True Static IP Subnet Only” is checked (see the previous screen) it will automatically disable True Static IP Port Management if running the newer firmware versions.
    • Click the apply button to save your changes.
Comcast Business IP Gateway - Firewall - Port Configuration - Port Triggering

Comcast Business IP Gateway – Firewall – Port Configuration – Port Triggering

Next click:

  • Firewall → Web Site Blocking: Enable Web Site Blocking: Unchecked
  • Firewall → DMZ: Enable DMZ Host: Unchecked
  • Firewall → 1-to-1 NAT: Disable All: Checked
    Disabling the 1-to-1 NAT is the critical setting for pseudo-bridge mode.
  • Click the apply button to save your changes.
Comcast Business IP Gateway - Pseudo Bridge Mode for Static IP - Disable 1-to-1 NAT

Comcast Business IP Gateway – Pseudo Bridge Mode for Static IP – Disable 1-to-1 NAT

NETGEAR CG3000DCR LAN Settings:

Take care to disable the LAN DCHP option last because it will reset/reboot the gateway!

  • LAN → IPv6: No changes.
    All settings should be blank or “NA” except “Enable EUI-64 Addressing” is enabled by default.
  • LAN → Static Routing: No entries, all fields blank.
  • LAN → Filtering: Enable Access Filter: Unchecked
  • LAN → Switch Controls: Keep the default settings unless you have reason to disable or configure Ethernet port options.
  • LAN → IP Setup
    • Enable LAN DCHP: Unchecked
      This is a critical setting for pseudo-bridge mode to prevent the Comcast IP Gateway from assigning a 10.0.1.x private IP address to your router’s WAN interface.
    • Assign DNS Manually: Don’t care because the DNS server settings will be provided by your LAN router DNS feature. It was checked by default and I left it alone.
  • Click the apply button to save your changes.
    The Comcast Gateway will now reboot.

Note: DHCP and DNS services will be configured in the Linksys WRT router.

Comcast Business IP Gateway - Disable LAN DHCP for Pseudo Bridge Mode with Static IP

Comcast Business IP Gateway – Disable LAN DHCP for Pseudo Bridge Mode with Static IP

The NETGEAR CG3000DCR will reboot after DHCP is disabled and the apply button is clicked:

Comcast Business IP Gateway - Device Reset

Comcast Business IP Gateway – Device Reset

Linksys Router Static IP Address Configuration

The Comcast provided static IP address, subnet mask and gateway must be configured on the Linksys WRT router to enable Internet access. The configuration is simple by flipping the Internet Connection Type from DHCP to Static IP through these steps:

  1. Log into the Admin page of the Linksys WiFi router at: http://192.168.1.1
    Note: I changed the Linksys Router IP from the factory default 192.168.1.1 to 192.168.2.1 as a minor security enhancement to make it a little harder for someone searching for the default 192.168.1.x subnet. This is strictly optional.
  2. Go to the Setup Basic Setup menu.
  3. Select Static IP in the Internet Connection Type choice box.
  4. Fill in the Internet IP Address, Subnet Mask, Default Gateway with the parameters specified in the e-mail from Comcast. e.g.
    Static 173.xxx.yy.185 (Static IP address for my Linksys router)
    Gateway 173.xxx.yy.186 (Static IP address of the CG3000DCR gateway)
    Subnet Mask: 255.255.255.252
  5. Enter your favorite DNS service IP address values or use the Comcast DNS IPs.
    I used 8.8.8.8 and 8.8.4.4 for Google DNS and 208.67.222.222 for OpenDNS.
  6. Click Save Settings.
Linksys WRT54GL Setup for Comcast Business Static IP

Linksys WRT54GL Setup for Comcast Business Static IP

Linksys Router Dynamic DNS Settings

DDNS isn’t necessary with a static IP address but it does provide a way to configure an easy to remember host name to reach simple LAN clients like an IP camera. If you’re setting up a web server for a domain name you’ll want to subscribe to a DNS service and create DNS Zone records for your Comcast Static IP’s.

This next step assumes you have already created a DDNS Account with Dyn Remote Access and have a DDNS host configured.

Navigate to the Setup → DDNS menu in the Linksys WRT WiFi router. Input your DDNS account user name, password and host name. Click Save Settings and check the DDNS update status which should be “DDNS is updated successfully.” The DDNS service will register the Comcast Static IP address 172.xxx.yyy.185.

Linksys WRT54GL DDNS Client Setup

Linksys WRT54GL DDNS Client Setup

Remote Internet Access to LAN Clients

Port forwarding maps Internet requests from the static IP address to a private LAN IP address to access LAN clients (computers, cameras, etc.) via the DDNS host name and port, e.g. https://myhost.homedns.org:443 or directly with the static WAN IP address of the Linksys router, e.g. https://173.xxx.yyy.185:443. For port forwarding configuration instructions, see this project.

An example port forwarding configuration where unused ports are assigned to the LAN clients to avoid conflicts with other network services:

Linksys WRT54GL Port Forwarding

Linksys WRT54GL Port Forwarding

NETGEAR CG3000DCR Admin GUI Access

In the future if you want to log in to the CG3000DCR (or older SMC8014) gateway:

  • Connect your computer to the Linksys router LAN network via WiFi or wired Ethernet cable connection.
  • Point your web browser to http://10.1.10.1 to access the CG30000DCR admin page.

Comcast IP Gateway: Configure 10.1.10.x Static IP Address for Windows 7 PC

Note that you will not be able to access the CG3000DCR Admin GUI if your computer is plugged directly into a LAN port on the CG3000DCR (or the older SMC8014) when DHCP is disabled on the Comcast IP gateway because your computer won’t receive a DHCP 10.1.10.x IP address. What you need to do is temporarily assign a 10.1.10.x static IP address to your computer. This is only needed if you can’t connect through the Linksys router.

Comcast Business IP Gateway - Computer 10.1.10.x Static IP Config

Comcast Business IP Gateway – Computer 10.1.10.x Static IP Config

For Windows 7 the computer private static IP configuration steps are:

  • Control Panel → Network and Internet
  • Network and Sharing Center
  • Change Adapter Settings
  • Local Area Connection (right click menu) Properties
Windows 7 - LAN Connection Properties

Windows 7 – LAN Connection Properties

  • Internet Protocol Version 4 (TCP/IPv4) Properties
Windows 7 - LAN Connection Properties for IPv4

Windows 7 – LAN Connection Properties for IPv4

  • Click Use the following IP address:
    • Enter 10.1.10.2 or any unused IP address in the 10.1.10.2 to .254 range.
    • Subnet mask: 255.255.255.0
    • Default Gateway: 10.1.10.1
    • Click OK and OK again on both dialog boxes.
Windows 7 - Configure LAN Static IP Address

Windows 7 – Configure LAN Static IP Address

You can now point your web browser to http://10.1.10.1 to log into the Comcast IP gateway when DHCP is disabled for pseudo-bridge mode and your PC is connected to a gateway Ethernet LAN port. When you’re finished remember to go back and change your IPv4 properties back to select “Obtain an IP address automatically“.

Happy networking,

Bob Jackson

Copyright © 2014 HandymanHowTo.com   Reproduction strictly prohibited.

RedditEmailShare

, , , , , , , , , , , , ,

70 Responses to How To Configure a Comcast Business Class Static IP Address

  1. Evan Pols August 30, 2011 at 6:03 pm #

    This appears to be exactly the sort of information I’m looking for. I have to put one of these in Bridged mode in a few days to use my third party firewall, and this looks like an awesome summary. Thank you!

  2. Nick Clark July 9, 2012 at 5:09 pm #

    So nice to see this :-) I ran into a SMCD3G but the sale principles applied. I thought I had originally setup the modem to perform true/clean bridge mode but something wasn’t right when I was port scanning it…seeing a different public address than what was configured in my SonicWALL. Anyway, I matched the setup w/ exception to my own public ip’s and it finally put me into true bridge mode. Thanks for your time Bob!

  3. Desperate July 13, 2012 at 1:33 pm #

    All real good information but I still can not connect my back office to my store where my db is.
    I’ve turned everything off but for port forwarding rules, entered my info from BO and no connection. Comcast could care less, all they care about is that I have internet service.
    I need a tech(with experience) in the Fort Lauderdale area to contact me.
    rakutner@hotmail.com

    • Bob Jackson July 13, 2012 at 11:11 pm #

      Can you provide a network diagram of your LAN with servers and applications? I realize this is sensitive info. You can e-mail me at the About page.

      The Mobotix network camera project sits behind the Comcast cable modem / router. It should be comparable to your network in concept.

  4. Scott Castro August 14, 2012 at 9:59 am #

    Excellent article. Thank you so much. You helped me avoid dealing with the sometimes frustratingly ignorant Comcast Tier 1 support. Of course I used a different device than the Linksys router but the modem setup was right on the money. Thanks again.

  5. Tim Nelson October 13, 2012 at 12:16 am #

    Hey Bob, nice wiki – well done.
    Question, why would you need ddns if you have a static IP address?
    Another question I have; is it possible to do the same concept, with a public DHCP address from Comcast (business class)?

    What I want to do, is use the public IP address assigned to my SMC, and keep it registered with my web address pointed to dnsexit’s ddns servers. That being said, I wouldnt need a static IP, since I could continue to reference my domain name.

    If I do this, is it possible to set the config on the SMC like you did, and on my Cisco WRVS4400N configure it to point to my SMC(without using a public static IP)?

    Basically I am trying to just trying to set up a IPSEC VPN to my SMC via domain name->DDNS -> Port Forwarded to the static LAN IP on my WRVS4400N.
    Can you set up the WRVS4400N as a router instead of a gateway and do this? I have tried everything.
    Thanks!

    • Bob Jackson October 13, 2012 at 2:11 pm #

      > Question, why would you need ddns if you have a static IP address?
      This project example is one of several similar networks at different locations, some are served by DSL modems and other sites by residential class cable modems that only have dynamic WAN IP addresses. For consistency, I configured all the networks with DDNS. DDNS also makes it easier to remember the host name when typing in the URL versus a numeric IP static address. While I normally bookmark the URLs, sometimes I’m at a new computer or tablet and have to type in the URL from memory.

      > is it possible to do the same concept, with a public DHCP address from Comcast (business class)
      That was my first approach only to learn that Comcast’s Business Class DHCP IP addresses are not publicly routable. This is the “Remote Internet Access Problem” described at the beginning of the project. The only solution for Business Class service is to subscribe to a static IP address from Comcast. The Business Class public IP address cost is something like $15/month last time I checked.

      Note that Comcast Residential cable modem service with DHCP addresses are publicly routable and the DDNS service works great for remote access to your home network. I’m a Comcast subscriber and DDNS works great for my home network.

  6. PJ Dale October 29, 2012 at 10:57 am #

    Hi Bob, great job and easy to understand.

    Does comcast have a better modem that i can ask for?

    How will I set up this modem with a cisco small business modem wit VPN.

    I would like to set up the VPN so I can dial from home.

    I have 1 static Ip address.

    • Bob Jackson October 29, 2012 at 6:05 pm #

      > Does Comcast have a better modem that i can ask for?
      You will need to ask Comcast if other cable modem options are available in your area.

      > How will I set up this modem with a cisco small business modem with VPN?
      VPN configuration is outside the scope of this tutorial. A Google search for “cisco vpn setup” should get you started.

  7. NICOLE HESS December 28, 2012 at 8:14 am #

    I have read this article because it mirrors what I’m trying to do at a remote site for our business. I have had Comcast put my smc gateway in the equivalent of “bridge mode” and tried to set my linksys router wrt150n which is behind the modem with the Comcast info to allow it to hand out DHCP so I can port forward or simply put a static ip on a HP4250 printer and add it to my network at corporate,to no avail. My router stops accessing the internet when i save the settings if i set it while its connected to the SMC, and if I unplug and then set it and save , when I plug it back in I get the private ip addresses like 10.1.10.1 … assigned. I’m new to networking and my boss is getting mad I cant do something simple like get a printer printing at a remote site, I’m at my wits end. Please help.

    • BobJackson December 28, 2012 at 10:01 am #

      Hi Nicole,
      This forum isn’t for general IT Support, but I’ll try to help.

      Based on your description where the SMC is handing out a 10.x.x.x LAN IP addresses to the Linksys router, I makes me think you are not subscribed to the Comcast Static IP address service. A static IP address is an optional service for an extra fee. Please confirm that you have a static IP address with Comcast.

      Assuming you have purchased a static IP address from Comcast, the next troubleshooting steps are go back to the basics:
      * Make a simple network diagram with your IP addresses and subnets as shown above.
      * Review the SMC router configuration with Comcast Support.
      * Do a factory reset on the Linksys router and configure it from scratch. Your computer should be plugged directly into the Linksys LAN port for this step. Power cycle the Linksys so it’s synched with the SMC gateway. Verify you can access the Internet from your computer.
      * I would assign a static LAN IP address to the printer behind the Linksys as per the “Remote Internet Access to LAN Clients” topic. DDNS isn’t needed with a WAN static IP address, but it does make it possible to give the printer an easy to remember host name.

      Take care,
      Bob

  8. Patrick January 30, 2013 at 1:55 am #

    Bob—just wanted to say thanks for this article. I was having this exact problem with my AirPort Extreme and my new Comcast internet service, and your instructions worked flawlessly (and undoubtedly saved me a bunch of time and grief dealing with Comcast tech support). Many thanks for sharing this.

  9. Eric GM February 1, 2013 at 1:06 pm #

    Hi Bob.

    A year and a half later, this article is still helpful. We’ve put an embarrassing number of hours into trying to deploy a Netgear firewall under a Comcast setup like this. It’s still in process, but the answer we’re getting now is that it doesn’t work because the SMC is not in true bridge mode (and that doing so brings down the entire network until the firewall works properly). We’ve had various accounts of what true bridge mode means, so this is a chance to implement that scenario. Trying it this evening…

    • BobJackson February 1, 2013 at 1:45 pm #

      Let me know about your success. Thanks!

  10. Shon Gale February 25, 2013 at 4:28 pm #

    Love your article.
    I have an SMC 8014 from ComCast with 5 static ip’s. I have a NETIS ST3123 8 port 1GB router and a D-LINK DI-604.
    Once I have Comcast set my modem to bridge mode, is there anything else I need to do to assign a static ip to each router?
    Can I add another D-LINK wireless router to another one of the ip’s?
    Any info you can tell me or pitfalls to watch out for would be a great help.

    • BobJackson February 25, 2013 at 9:09 pm #

      Hi Shon,
      The NETIS ST3123 is a switch, not a router. It’s only for connecting LAN clients to the router.

      The D-Link DI-604 router doesn’t support the Comcast static public IP addresses on LAN clients, so what you’re probably thinking won’t work:
      Comcast — SMC8014 — D-Link router — NETIS switch -X- LAN clients with static public IPs

      The D-Link DI-604 will NAT between it’s Comcast static public WAN IP and the private LAN IPs, so you won’t be able to reach your connected devices from the Internet.

      What will work is:
      Comcast — SMC8014 Port 1 — D-Link router #1 — NETIS switch — LAN clients with private IPs
      Comcast — SMC8014 Port 2 — D-Link router #2 — LAN clients with private IPs
      Comcast — SMC8014 Port 3 — single device (computer, web server, NAS, camera, etc.) with a public static IP
      Comcast — SMC8014 Port 4 — single device (computer, web server, NAS, camera, etc.) with a public static IP

      where [Comcast -- SMC8014 Port X] refers to the same SMC8014 gateway.

      The reason that devices assigned a Comcast static public IP address must be connected to a SMC8014 LAN port is because Comcast will route the static public IPs for you.

      If you’ve actually bought 5 assignable static public IP addresses from Comcast, you’ll notice you’ve run out of ports on the SMC8014 since you have 5 usable IP addresses but only 4 LAN ports on the SMC8014. Not a problem, hookup your network as so:
      Comcast — SMC8014 Port 1 — NETIS switch — 2 devices with static public IP addresses
      Comcast — SMC8014 Port 2 — D-Link router #1 — (another Ethernet switch) — LAN clients with private IPs
      Comcast — SMC8014 Port 3 — D-Link router #2 — LAN clients with private IPs
      Comcast — SMC8014 Port 4 — single device (computer, web server, NAS, camera, etc.) with a public static IP

      The NETIS switch is “transparent” to the SMC8014 and your public static IP devices will be routed correctly by Comcast.

      To be more precise, you can connect 1 to 5 devices with static public IP address to the switch:
      Comcast — SMC8014 Port 1 — NETIS switch — 1 to 5 devices with static public IP addresses

      BTW – It doesn’t matter which LAN port # you connect the devices to on the SMC8014, they all work the same.

      Take care that devices with static public IP addresses will be visible to the entire Internet (worldwide) and vulnerable to hacking. Change all default logins and use strong credentials, disable all unnecessary services, run an anti-virus/firewall on all computers and servers, plus any other security measures supported by the various devices. Your devices will be probed and hacked in minutes if left unsecured.

  11. TCCrab March 12, 2013 at 7:06 pm #

    Bravo!!
    Wish I had found this article about three weeks ago.
    Would have saved me a *LOT* of frustration.
    *sigh*
    Too bad the Comcast Tech Support people don’t know about this stuff, or perhaps they do know and won’t share the information.
    I had been hosting a domain and serving my own emails while a Comcast Home Broadband User.
    They found out (after 9 years, took ‘em long enough) and they blocked my Port 25 (SMTP). and Port 80 (HTTP).
    I called and confessed my sins and begged for absolution by upgrading to Comcast Business Class.
    They installed the business class cable modem and still no emails.
    Multiple calls to tech support with no joy.
    Even their tier 2 support weren’t able to get it back up.
    Upon further investigation I found that they had installed a “Gateway” and not just a simple cable modem.
    That “Gateway” doubles as a router.
    Now that i knew what I was up against, a quick search using:
    “How To Configure A Comcast Business Class Static IP address” and VIOLA!!
    The answer I needed.
    Thank you HandyManHowToGuy!!!!

    TomC
    Folsom, CA

    • BobJackson March 12, 2013 at 8:27 pm #

      Hi Tom,
      I’m pleased my application note helped you. The issue is Tier 1 Tech Support personnel aren’t solution engineers, it’s just the nature of a mass market call center.
      Take care,
      Bob

  12. Shon Gale March 19, 2013 at 2:07 pm #

    Bob; thanks for your help. It’s greatly appreciated. I am trying once again to make this happen. I got a hold of a LinkSys WRT54G which the doc say is the predecessor of the 160n so if you know any different please let me know otherwise I am going to go for it.
    Once again thanks

    • BobJackson March 19, 2013 at 3:25 pm #

      A Linksys WRT54G or any current WiFi router should do just fine.

  13. Shon Gale March 20, 2013 at 6:13 am #

    Thank you much sir! I will try it today. I need to make it work. I have 2 lines in here, 1 for my server and 1 for my dev testing and the second line costs $72.00 a month (almost as much as business class) and I really want to get rid of it. They are such a ripoff for the consumer. Business kinda get a break, which is ass backwards of the normal way of doing business.
    Once again thanks!

  14. Terry Platt April 3, 2013 at 6:01 am #

    Can you recommend a router without WiFi?
    Or, can I use the Apple WiFi already in place?

    • BobJackson April 3, 2013 at 7:29 pm #

      WiFi is not required, any router that supports a static WAN interface IP address should be fine.

  15. jquill April 30, 2013 at 4:38 pm #

    I’m trying to get an Airport Extreme router set up for a new Comcast Business Class Static IP account. It’s not active yet, but they did email the network settings. I tried plugging them in to the router to get it ready to test but keep getting an Invalid Value error – The router address you have entered is not compatible with your WAN IP address. The Static IP is 50.xxx.yyy.79; Subnet Mask 255.255.255.252; Router Address/Gateway is 50.xxx.yyy.80. The router does not appear to like a Gateway address higher than the Static IP. Is this normal or perhaps a limitation in the Airport Extreme.

    Any feedback would be helpful. Thanks.

  16. jquill April 30, 2013 at 8:17 pm #

    Thanks. I have another extreme router that has been running on a DSL modem connection with a static IP for a few years and has not had a problem. In that case, the IP address ends in .127 and the gateway ends in .1; the router is happy with that. On the new Comcast circuit, the gateway address is higher than the Static IP (.79 IP and .80 Gateway) and the router will not seem to allow that; pops the Invalid Value error message. I’m not a network guy, so I was basically wondering if it was unusual to have a Gateway address higher than the Static IP address or did Comcast perhaps send me bad data.

    Thanks again…

    • BobJackson April 30, 2013 at 8:41 pm #

      The Comcast public static IP address ranges are valid: .79 static ip for your Airport Extreme WAN interface and .80 for the gateway. Best I can do as is offer a few more bread crumbs based on the same error message “The router address you have entered is not compatible with your WAN IP address”. These links suggest the LAN side should be set to DHCP or the LAN subnet mask was modified.

      Set up with a static IP

      Changing Subnet mask in Airport Utility

      Please write back when you’ve solved the problem.

  17. jquill May 7, 2013 at 5:59 pm #

    Well, it turns out Comcast gave me the wrong IP address and the wrong Gateway. After a couple of calls they gave me addresses in the proper block range.

    Thanks.

    • BobJackson May 7, 2013 at 6:37 pm #

      You’re welcome! Thanks for writing back.

  18. John May 26, 2013 at 11:20 pm #

    Good article, this brought me about 99% of the way through what I’ve been (pondering) getting done for a couple years now.

    What is your recommendation for port 80? I’d like to be able to hit an internal web server on port 80, but I also don’t want to lock out all control of the comcast bridge from both ends.

  19. eddy123 May 29, 2013 at 9:45 pm #

    I have the comcast business server side setup as recommended by comcast for vpn access, and we have the static ip, etc, but what settings are needed to connect via Shrew Soft VPN?

    • BobJackson May 30, 2013 at 11:58 am #

      VPN client and gateway setup are outside the scope of this project. Contact Shew Soft technical support for product configuration assistance.

  20. HarKenToh June 7, 2013 at 3:39 pm #

    Great article – Comcast should have it on their support site (for a fee, of course).

    Thanks a lot!

  21. Suzy Brown June 14, 2013 at 12:49 pm #

    You are a god send…my experiences with Comcast reflect everyone else here. They actually messed up our system so bad we had no internet for 6 hours, which is forever in a business with no credit cards being processed! Anyway I just wanted to post my thanks.

    Suzy Brown

    • BobJackson June 14, 2013 at 2:41 pm #

      > They actually messed up our system so bad we had no internet for 6 hours…
      Have you considered the Square credit card reader as a backup system?

      Sign up for a Square account and keep the Square reader in the drawer until you need it. If an Internet or Phone outage disables your cash register credit card reader, plug the Square reader into your iPhone/iPad/Android and you’re back in business. You’ll pay $0 per month and about 3% per swipe only when you use it (other pricing plans are available).

      I was at my favorite cigar store and the countertop credit card reader out of service because the phone lines were down. The store proprietor plugged the Square reader into his iPhone, swiped my Amex, the credit card transaction was processed via the cellular data network and I received the receipt via e-mail.

  22. Breanna July 3, 2013 at 11:49 am #

    I have Comcast Business internet service, at my place of work and im wondering how do i get wifi with it, because i have devices that i want to connect to it for customers.

    • BobJackson July 3, 2013 at 6:29 pm #

      There are two ways to setup WiFi:
      1. Comcast XFINITY® WiFi hotspot.

      If you expect more than 20 to 30 simultaneous wireless customer connections or are located in a busy public area (e.g. food court at the shopping mall), I’d go with XFINITY WiFi HotSpot because Comcast will manage the WiFi router and it will be on a separate Internet connection from your Comcast Business Class Internet (more bandwidth for you!).

      2. Buy a WiFi router and connect it to your Comcast cable modem. I’ve illustrated this configuration in the project network diagram.

      Should you setup your own WiFi router, configure a WiFi access password so only your customers can use the service. This will prevent “drive by” public users from leaching on the service.

  23. luke July 24, 2013 at 7:06 pm #

    Here is how I got this setup to work WITHOUT having to have comcast change me to a static IP.

    I found the trick was to put the comcast modem/router on 192.168.1.1 (LAN side), and then the new router on 192.168.0.1 for the LAN(thats what the comcast router was before the switch, and I didn’t want to change any of the clients on the network). This thankfully lets me access both of their web interfaces from a browser on the LAN. Then I plugged the WAN port on the new router into the comcast modem/router, and had it get an IP from the comcast box (set this lease to forever). I set the comcast box to DMZ 192.168.0.1.

    I use Remote Desktop Protocol all the time so I had to get port forwarding working. I have the comcast box forward what comes in on port (9100 in my case) to the new router’s WAN IP(198.168.1.11) with the same outside port (9100 in my case), and had the new router then forward it to the correct client IP on the internal port 3389. So it was pretty easy once I had the right plan.

  24. luke July 24, 2013 at 8:41 pm #

    You can also get the wifi to work with the comcast modem/router by using a wifi router and disabling it’s dhcp. Set the wifi router to be on a static IP in the same range as your network (but on an IP just outside of the dhcp settings on the comcast router/modem), use an ethernet cable to go from the dhcp disabled wifi router’s LAN port (not the WAN) to a LAN port on a switch or the comcast modem/router. This worked flawlessly for me.

  25. luke July 24, 2013 at 8:52 pm #

    In my post about about how I setup a wifi router behind a comcast modem/router (model 8014). I made a type-O on the DMZ I setup. The DMZ I setup on the comcast box was to the WAN port on the new wifi router. So should be 192.168.1.11 (not 192.168.0.1 as I typed). I’m not sure this is required, but I wanted the WAN port to be straight through from the comcast box without the comcast route/modem doing firewall stuff on it, since the new wifi router has it’s own firewall.

    • BobJackson July 25, 2013 at 7:40 am #

      Are you using a Dynamic DNS (DDNS) update service on your WiFi router to discover the Comcast DHCP-assigned (i.e. dynamic) public IP address assigned to the SMC 8014 WAN port to access your LAN devices via Remote Desktop Protocol? DDNS would allow the Remote Desktop Connection to be configured with a URL instead of the changing Comcast WAN public IP address.

      Reference:
      Allow Remote Desktop connections from outside your home network

      Thanks for the insights!

  26. Juan July 28, 2013 at 11:17 pm #

    Somebody please help me!!!

    I just signed up for Comcast Business Class, I have 5 static IP’s, I purchased a Netgear R6250 WIFI router and I’m trying to figure out a simple way to assign my static IP’s to my Foscam security cameras! I’ve been reading blog after blog and so far I think I rather get my teeth pulled!! There has to be a simple way to do this even for a rookie like me to figure out!! Comcast has put my modem in “bridged mode” (honestly I don’t know what the hell that does)!

    First I need a step by step explanation on how to configure Cable Modem Gateway (Netgear CG3000DCR) and the Netgear Wireless Router (R6250) I purchased and how to assign the static’s to my cams!! I would sincerely appreciate any assistance!!!

    Anybody up to help a me? Please?

    Thanks a bunch!!!!

  27. Jose August 1, 2013 at 1:41 pm #

    Please don’t call this ‘Bridge Mode’. The SMC8014 doesn’t have that functionality. What you’re really describing above is disabling the NAT engine on the Comcast device so you can use the static IP block that you purchased. But this is all still layer 3.

    • BobJackson August 2, 2013 at 8:12 pm #

      “Bridge Mode” is the term that users ask for and understand. The fact that Comcast Tier 2 will disable NAT to accomplish the equivalent functionality is beside the point.

      Comcast refers to it as Bridge Mode in everyday language, so maybe it’s best you post your concerns on the Comcast Business forum.

  28. Dino September 30, 2013 at 8:18 pm #

    This article is tremendously helpful, but unfortunately has not quite solved my problem.

    I have a Sonicwall firewall in place of your Linksys. If I setup the SMC Gateway to use DHCP and hand out 10.1.10.0 addresses, the client machines behind the Sonicwall (192.168.0.x) can browse the web.

    However, if I turn off DHCP, NAT etc. on the SMC Gateway and change the WAN and router addresses on the Sonicwall to the Comcast assigned Static IP addresses, I can no longer browse the web. Yet, I can still ping sites on the internet from client machines behind the Sonicwall,

    This would suggest it is not a DNS problem (since I am pinging my domain name) and not a port blocking problem on the Sonicwall as I have not changed these settings between the two configurations.

    Any ideas what to try next?

    • BobJackson October 1, 2013 at 7:27 am #

      Hi Dino,
      See if the SonicWALL: Configuring a Static IP Address with NAT Enabled instructions solve the problem. The SonicWALL firewall will have a public WAN IP while enabling NAT and DHCP for LAN clients.

      Also see the “UTM: How to configure the SonicWALL WAN/X1 Interface with Static IP Address” – Configuring the SonicWALL WAN interface (X1 by default) with Static IP address provided by the ISP – article in the MySonicWALL Knowledge Portal under the Support menu.

      The SonicWALL UTM appliance is fairly complex. If you’re still having trouble, please open a Service Request at the MySonicWALL portal. The SonicWALL support tech can take a look at your firewall configuration to fix the problem.

      Thanks,
      Bob

  29. Kenneth Moore October 22, 2013 at 3:50 pm #

    I pulled my hair out for most of two days trying to get public access to an internal web server on a Comcast business account with a static IP. It should be as simple as putting the CG3000dcr into bridge mode, and uplinking to my Linksys AP/router which is configured with the static ip and info from Comcast. The Linksys is also setup to forward inbound requests (80 and 21) to the webserver. Simple, except that there is a setting in the cable modem that can only be seen/modified by Comcast that must be changed. After almost two days and three support calls to Comcast, my webserver is now visible to the outside world.

  30. Ken March 18, 2014 at 10:21 am #

    I have a Comcast Business modem/router. Set to pass thru mode. Everything is off except port forwarding ( can’t uncheck box ). Behind the Comcast I have a Netgear FVS318N. My network connects to the FVS thru a switch. On the network I have one server which my software people need to telnet into. I port forward port 23 to the server ( 192.168.2.xx ) with no luck. I test and get a response of “the connected party did not respond”. I know the server is listening on port 23. From the logs on the FVS router, I see incoming port 23 to the server but no outgoing.

    • Bob Jackson March 18, 2014 at 3:23 pm #

      > Comcast Business modem/router… Everything is off except
      > port forwarding ( can’t uncheck box )
      Have you contacted Comcast Technical Support to disable port forwarding on the modem/router? Best to get this out of the equation so you’re not troubleshooting a NAT issue beyond your control.

      > I have one server which my software people need to telnet into.
      > I port forward port 23 to the server ( 192.168.2.xx ) with no luck
      While I’ve no experience with the NetGear FVS318N Wireless N VPN Firewall, I would follow the Virtual Private Networking
      Using SSL Connections starting on page 266 of the FVS318N Reference Manual and more specifically Configure Applications for Port Forwarding on page 273. An SSL encrypted VPN is secure for carrying the what would otherwise be unencrypted telnet traffic. In my business we always disable telnet because it is insecure with user name and passwords sent in clear text.

      If you don’t or can’t use the SSL VPN option then SSH is an encrypted alternative to telnet that could be port-forwarded. Check that LAN WAN firewall rules are configured to admit the SSH (or telnet) traffic.

      Hope this helps,
      Bob

  31. Lynna Anderson March 18, 2014 at 12:00 pm #

    Thank you so much for this walk through. I have been pulling my hair out trying to get my camera to work and finally got it going. Thank you so much!

  32. jay March 31, 2014 at 3:24 am #

    Bob i followed your instructions to connect my cameras. The only thing different is that i am using a netgear wnr1000v2 router and was able to set up the port forwarding but unable to connect from a remote computer. I have the comcast buisness and am using a static I.P address for my router (Have five total) and have the DVR connected to the router along with multiple devices(LAN) using a netgear switch. the other three ports are connected to VOIP phones as for some reason dont work properly via the router and am able to use a d-link switch for extra ports. so i am not using any other static IP’s.
    I type in the Static IP address of my router on the i.e.browser at my home computer and no connection. what am i missing ? Please help!!!!

    • Bob Jackson March 31, 2014 at 7:43 pm #

      Hi Jay,
      Have you asked Comcast to confirm the cable modem is configured for “bridge mode”, meaning the Network Address Translation (NAT) function is disabled?

      Can you ping the Comcast static IP address assigned to the WAN port of the Netgear WNR1000 WiFi router from the Internet? See page 63 in Section 4-6 “Configuring the WAN Setup Options” of the WNR1000 User Manual for instructions to enable ping. If you can’t ping the Comcast static IP address assigned to the Netgear WAN port, that needs to be resolved first.

      Did you configure static LAN IP addresses for the cameras? The cameras must have a static LAN IP for port forwarding to work to a fixed destination. You’ll also need to configure the camera itself to disable DHCP and use a static LAN (private) IP. See the “Static IP Address and Port Forwarding Configuration” section in this article for assigning static LAN IP’s above the WiFi router DHCP range. This related article may be helpful, too.

      You could sign up for a free DDNS service like no-ip and enable DDNS on both the router and the camera. DDNS works for both public (WAN) and private (LAN) static IP addresses. The DDNS account hosts page will show the IP address actually assigned to the router and camera to help your troubleshooting. If the no-ip DDNS hosts page reports a different WAN IP address for the Netgear router than the Comcast static IP address you assigned, that’s your problem. Check the Netgear WAN static IP address settings again and if it looks OK, check back with Comcast to enable bridge mode on the cable modem.

      Make a network diagram for each device in the daisy chain with the pertinent network information. A diagram is extremely helpful for mapping each device configuration and hop in the network.

      Let me know when you find the problem.

      Thanks,
      Bob

  33. Samy April 15, 2014 at 1:01 am #

    How different is the setup when one has a Dynamic IP with Comcast and wants to add a separate VPN router? DO we still need to Bridge the comcast router modem or ?

    • Bob Jackson April 15, 2014 at 8:15 am #

      You’ll need to consult your router documentation. This article explains how to setup a Linksys VPN with DDNS.

  34. Steve April 22, 2014 at 6:27 pm #

    Great article, but I have what may be one of those ‘stupid’ questions.

    In the diagram you show the LAN private IP address of the modem as the default 10.1.10.1 but show the show the WAN public IP address of the firewall as one of the static IP addresses provided by Comcast.

    Is this correct? How does traffic route from the firewall to the router when on two different sub-nets?

    Secondly I’ve just recently been advised by 1st tier Comcast support that they no longer ‘support’ placing the modem in bridge mode.

    • Bob Jackson April 22, 2014 at 8:02 pm #

      Hi Steve,
      You’re asking insightful questions.

      The SMC8014 LAN private IP address 10.1.10.1 is how you access the SMC8014 configuration GUI and doesn’t change. You can only reach that 10.1.10.1 IP address if your WiFi router pulls an DHCP IP address from the SMC8014 so it’s in the same subnet. Therefore you’re not routing between the static (e.g. 173.x.x.x) and private 10.1.10.x subnets since your network is either on one (DHCP assigned private space) or the other (static, public or Internet routable).

      > I’ve just recently been advised by 1st tier Comcast support that
      > they no longer ‘support’ placing the modem in bridge mode.
      Bridge mode is the generic term that most people ask for but it’s actually disabling the 1-to-1 NAT function. Also see this screen image.

      The Comcast Business IP Gateway overview page now states:

      Comcast can configure the Gateway according to customer specifications. However, we will only disable a customer’s firewall and DHCP service on the Gateway upon request.

      So if you or Comcast disable the SMC8014 firewall, port forwarding, 1-to-1 NAT, etc. as detailed in this tutorial it should work.

      Take care,
      Bob

  35. paul May 23, 2014 at 8:53 am #

    Dude great writeup. The problem I was having was not putting the right gateway on the 2nd router! You rock

  36. nsical June 26, 2014 at 1:25 am #

    Thanks Bob. I was having a problem configuring our Cisco ASA 5505 so it can NAT one of the external IP’s in our comcast business IP block. However, there was no traffic to ASA which had one of the external IPs. I figured from this article that comcast modem had DHCP enabled. I disabled it and it worked. After spending several days on ASA, this article saved my day.

    Thanks,
    nsical

  37. Lisa July 20, 2014 at 7:23 pm #

    Thank you! This was very helpful when I went to switch from another service provider to Comcast. I was able to determine how to disable all the functions on the Comcast router, then determine which Comcast ip addresses to use in the sonic wall without having to hire an IT person! Yay ! ! ! The only glitch I had was the comcast router did not specify the subnet mask on the WAN IP, but I plugged in the one you listed above for the 5 IP address scenario and it seems to be working fine. All of my other settings in the sonic wall firewall were good to go. I didn’t need to change anything else. I am so please with myself. All of my ports are forwarding nicely. I have been able to login remotely on several apps. Thank you so much! Had I not found this it probably would have taken another IT person or Comcast hours to figure this out.

    • Bob Jackson July 20, 2014 at 7:57 pm #

      Terrific! Thanks for sharing your success story.

  38. Charlie Johnson July 30, 2014 at 7:23 am #

    Can I use the additional 3 ports on the comcast modem?
    I am using bridge mode with one static IP for a network that’s protected by a firewall. I’d like to set up a computer outside my firewall.

    • Bob Jackson July 30, 2014 at 5:43 pm #

      You can use the other three LAN ports on the NETGEAR CG3000DCR for other devices. There are two approaches:

      2 or more Useable Comcast Static IP addresses:
      If you purchased two or more useable static IP addresses just connect your router/computer/etc. device into an available LAN port and configure the static IP address on that device.

      Enable LAN DHCP on the Comcast Gateway:
      If you enable LAN DHCP on the NETGEAR CG3000DCR then it will assign a 10.1.10.x range dynamic IP address to your computer and you can surf the Internet like it was a normal cable modem. This compliments (i.e. won’t break) the Static IP address configuration in the tutorial so you have the best of both worlds.

      Thanks,
      Bob

  39. Richard Agyei August 10, 2014 at 11:13 am #

    Thank you. This seems to be exactly what I’m looking for. The comcast CSR’s have so far been unable to direct me on exactly how to do this.

  40. Paul Gandhi August 15, 2014 at 6:05 pm #

    I have netgear 3000 comcast business modem
    Comcast said I have dynamic ip
    Do you thing it will work like you mention without static ip

    • Bob Jackson August 15, 2014 at 7:04 pm #

      It will not work with a dynamic IP address.

  41. Eric B. Webb September 10, 2014 at 3:30 am #

    I just literally finish setting up my Comcast Biz Inet. I have a netgear CG3000DCR and the config(s) worked flawlessly. I’m using a Cisco 1941 ISR instead of a linksys.
    Thanks Bob.

  42. James September 11, 2014 at 11:01 am #

    Excellent article and I would like to add one thing is that Comcast can also put the modem into real bridge mode if you ask them but the policy was at the time, a few months ago, that you could not get a static ip address(es) from them if you did that.

  43. Jesse Pereboom October 4, 2014 at 3:03 pm #

    I am in the middle of this project and this information looks extremely helpful. Just wanted to thank you in advance for putting this together. Can I make a donation?

Leave a Reply