This tutorial explains how to configure a Comcast Business Class static IP address to enable remote access to network clients from the Internet. The Comcast Business IP Gateway (SMC8014 or NETGEAR CG3000DCR) is configured for pseudo bridge mode by disabling the normal routing, firewall, NAT and DHCP functions. The Internet-routable static IP address is assigned the Linksys WiFi router WAN interface for remote Internet access to LAN clients.

Remote Internet Access Problem

I was helping a small business setup IP network cameras with the Comcast Business Class cable modem service but ran into a problem with Internet remote access: the DDNS agent in the Linksys WiFi router was showing a 10.1.10.10 (“10 space”) non-Internet routable private IP address. I logged into the Dyn Remote Access account saw the 10.1.10.10 private IP address listed in the Host Services table.

The problem is the Comcast IP Gateway operates in Router Mode and assigns a 10.1.10.x private IP address to the Linksys router WAN interface. My first thought was to request a standard cable modem which operates in Bridge Mode, however Comcast Business does not support static IP addresses on standard cable modems and you must use their Business IP gateway (cable modem/router combo) to get an Internet routable static IP address.

Comcast Business Class Internet will install a NETGEAR CG3000DCR IP Gateway which is a cable modem and router combo that runs a custom firmware load by Comcast. (We originally had an SMC8014 gateway which Comcast replaced with a NETGEAR CG3000DCR when the SMC8014 failed). The Comcast IP Gateway does not support true Bridge Mode as compared to a basic cable modem nor does it provide a simple user menu option to select the “bridge mode | router mode” working mode like some gateways. Remote Internet access to the LAN network clients requires subscribing to Comcast’s Static IP Service and disabling the various Comcast IP Gateway firewall, NAT and DHCP features for the routed equivalent known as “pseudo-bridge mode”. Comcast Customer Support will remotely reconfigure the gateway for you upon request when the Static IP address is activated.

After configuring pseudo-bridge mode the DDNS agent in the Linksys router can now update the Dyn Remote Access service with the Internet routable WAN IP address. Remote Internet access now works with an easy to remember DDNS host name and port forwarding, e.g. https://myhost.homedns.org:443 or the just static IP address, e.g. https://173.xxx.yy.185:443 where the “:443” is the port number to be forwarded by the Linksys router to a particular LAN client.

How To Configure a Comcast Business Class Static IP Address

I called Comcast and subscribed to one (1) static IP address service because a single IP address assigned to the Linksys WRT54GS WiFi router WAN interface would do the job. The sales person said a confirmation e-mail would be sent with the new static IP in 3 to 5 business days. Several days later, an e-mail confirmation arrived with the new IP address, gateway IP, subnet mask, DNS server IPs and instructions to call Comcast Tech Support’s toll free number to active the static IP service. The e-mail was brief and to the point:

Dear Customer,
Below is the Static IP information for Account # xxxxxxxxxxxxxx
Static 173.xxx.yy.185 (Static IP address for my Linksys router)
Gateway 173.xxx.yy.186 (Static IP address of the CG3000DCR or SMC8014 gateway)
Subnet Mask: 255.255.255.252
Primary DNS: 68.87.68.162
Secondary DNS 68.87.74.162
Note: Static IP's will not be active/available until the file is downloaded
to your gateway. Please call Tech Support...800.391.3000 or reply to this
email when you want to make the change.

Comcast Static IP Block

Comcast offers 1, 5 or 13 usable static IP addresses. “Usable” means the quantity of IP addresses that are available for assignment to your devices. IP subnetting rules require that IP addresses are allocated in blocks of certain fixed sizes. To obtain one (1) useable IP address a /30 CIDR block is allocated. (You can skip the following CIDR block details because the essentials are given in Comcast’s e-mail notice above.)

Comcast Business Static IP Block Assignment: One (1) Customer Usable IP Example

  • CIDR Notation: 173.xxx.yyy.184/30
  • Network Address (ID): 173.xxx.yyy.184
  • Host Addresses: 172.xxx.yyy.185 to .186
  • Customer Usable IP(s): 173.xxx.yyy.185
    Only one (1) usable IP because the highest host address (.186) is automatically assigned by Comcast to the Business Gateway WAN Internet IP address.
  • Network Broadcast Address: 173.xxx.yyy.187
  • Subnet Mask: 255.255.255.252

Recall that the Network ID and Broadcast IP addresses cannot be assigned your network hosts (LAN devices). Comcast also assigns the highest usable IP address to the Business gateway WAN interface. Therefore 3 IP addresses in any CIDR block are reserved and not customer usable.

If I had purchased 5 usable static IP addresses for a more complex LAN network application then Comcast would allocate /29 CIDR block:

Comcast Business Static IP Block Assignment: Five (5) Customer Useable IPs Example

  • CIDR Notation: 173.xxx.yyy.184/29
  • Network Address (ID): 173.xxx.yyy.184
  • Host Addresses: 172.xxx.yyy.185 to .190
  • Customer Usable IP(s): 173.xxx.yyy.185 to .189
    Only five (5) usable IP because the highest host address (.190) is automatically assigned by Comcast to the Business Gateway WAN Internet IP address.
  • Network Broadcast Address: 173.xxx.yyy.191
  • Subnet Mask: 255.255.255.248

The Comcast static IP network diagram for one usable IP address with the NETGEAR CG3000DCR is:

Comcast Business Class Static IP Network Diagram for Pseudo Bridge Mode

Comcast Business Class Static IP Network Diagram for Pseudo Bridge Mode

Fluke LinkSprinter Network Tester

I recently had the pleasure of reviewing the Fluke LinkSprinter Network Tester. It automatically tests:

  • Power over Ethernet (PoE)
  • Ethernet Link and jacks
  • DHCP and Static IP Addresses
  • Network Gateway
  • Internet Connectivity

It’s affordable, easy to use and takes the guesswork out of network test and troubleshooting.

Comcast Static IP Address & Pseudo Bridge Mode

Comcast Business Support (800) 391-3000 can remotely configure the IP gateway for the routed equivalent to Bridge Mode, which disables the DHCP, DNS, NAT, firewall, static routing, filtering, etc. functions. This will allow your firewall/router to provide the LAN DHCP, NAT, port forwarding, VPN, etc. functions under your control.

I noticed both the older SMC8014 and newer NETGEAR CG3000DCR both have the same custom firmware designed by Comcast. See the (circa 2006) Comcast Business IP Gateway User Guide for details which doesn’t include the IPv6 menu options in the latest firmware versions.

The NETGEAR CG3000DCR can be configured for pseudo bridge mode by connecting your computer to a LAN port on the gateway and logging in with a web browser:

  • Admin page: http://10.1.10.1
  • User name: cusadmin
  • Password: highspeed
Comcast Business IP Gateway Login 10.1.10.1

Comcast Business IP Gateway Login 10.1.10.1

You’ll be presented with the Comcast Business Gateway Welcome Screen:

Comcast Business IP Gateway - Feature Settings

Comcast Business IP Gateway – Feature Settings

Clicking Gateway Summary → Gateway Status displays the Firmware Version, Operating Mode, etc. The Operating Mode will always state “Residential Gateway” as of this writing:

Comcast Business IP Gateway - Status

Comcast Business IP Gateway – Status

Clicking Gateway Summary → Network will display the Internet and Local network settings. Comcast automatically assigns the highest useable IP address, e.g. 173.xxx.yyy.186, to the Gateway WAN Internet IP Address. Your Static IP Block in CIDR notation (/30) is also displayed:

Comcast Business IP Gateway - Internet Settings

Comcast Business IP Gateway – Internet Settings

The pseudo bridge mode configuration settings for the NETGEAR CG3000DCR are as follows with selected screen grabs for the essential settings.

NETGEAR CG3000DCR Pseudo Bridge Mode Configuration Steps

The following steps will configure the CG3000DCR (or the discontinued SMC8014) for pseudo bridge mode by disabling the various Comcast gateway router functions.

  • Firewall → Firewall Options

    • Disable Firewall for True Static IP Subnet Only: Checked
      This is a critical setting for pseudo-bridge mode.
    • Disable Gateway Smart Packet Detection: Checked
      Smart packet detection was already disabled by Comcast, probably because it often breaks network services.
    • Click the apply button to save your changes.
Comcast Business IP Gateway - Firewall Options for Pseudo Bridge Mode with Static IP

Comcast Business IP Gateway – Firewall Options for Pseudo Bridge Mode with Static IP

Next click

  • Firewall → Firewall Port Configuration
    • Port Forwarding: Disable all Port Forwarding rules: Checked
    • Port Triggering: Disable all Port Triggering rules: Checked
    • Port Blocking: Disable all Port Blocking rules: Checked
    • True Static IP Port Management:
      Disable all rules and allow all inbound traffic through: Checked
      Note: When “Disable Firewall for True Static IP Subnet Only” is checked (see the previous screen) it will automatically disable True Static IP Port Management if running the newer firmware versions.
    • Click the apply button to save your changes.
Comcast Business IP Gateway - Firewall - Port Configuration - Port Triggering

Comcast Business IP Gateway – Firewall – Port Configuration – Port Triggering

Next click:

  • Firewall → Web Site Blocking: Enable Web Site Blocking: Unchecked
  • Firewall → DMZ: Enable DMZ Host: Unchecked
  • Firewall → 1-to-1 NAT: Disable All: Checked
    Disabling the 1-to-1 NAT is the critical setting for pseudo-bridge mode.
  • Click the apply button to save your changes.
Comcast Business IP Gateway - Pseudo Bridge Mode for Static IP - Disable 1-to-1 NAT

Comcast Business IP Gateway – Pseudo Bridge Mode for Static IP – Disable 1-to-1 NAT

NETGEAR CG3000DCR LAN Settings:

Take care to disable the LAN DCHP option last because it will reset/reboot the gateway!

  • LAN → IPv6: No changes.
    All settings should be blank or “NA” except “Enable EUI-64 Addressing” is enabled by default.
  • LAN → Static Routing: No entries, all fields blank.
  • LAN → Filtering: Enable Access Filter: Unchecked
  • LAN → Switch Controls: Keep the default settings unless you have reason to disable or configure Ethernet port options.
  • LAN → IP Setup
    • Enable LAN DCHP: Unchecked
      This is a critical setting for pseudo-bridge mode to prevent the Comcast IP Gateway from assigning a 10.0.1.x private IP address to your router’s WAN interface.
    • Assign DNS Manually: Don’t care because the DNS server settings will be provided by your LAN router DNS feature. It was checked by default and I left it alone.
  • Click the apply button to save your changes.
    The Comcast Gateway will now reboot.

Note: DHCP and DNS services will be configured in the Linksys WRT router.

Comcast Business IP Gateway - Disable LAN DHCP for Pseudo Bridge Mode with Static IP

Comcast Business IP Gateway – Disable LAN DHCP for Pseudo Bridge Mode with Static IP

The NETGEAR CG3000DCR will reboot after DHCP is disabled and the apply button is clicked:

Comcast Business IP Gateway - Device Reset

Comcast Business IP Gateway – Device Reset

Linksys Router Static IP Address Configuration

The Comcast provided static IP address, subnet mask and gateway must be configured on the Linksys WRT router to enable Internet access. The configuration is simple by flipping the Internet Connection Type from DHCP to Static IP through these steps:

  1. Log into the Admin page of the Linksys WiFi router at: http://192.168.1.1
    Note: I changed the Linksys Router IP from the factory default 192.168.1.1 to 192.168.2.1 as a minor security enhancement to make it a little harder for someone searching for the default 192.168.1.x subnet. This is strictly optional.
  2. Go to the Setup Basic Setup menu.
  3. Select Static IP in the Internet Connection Type choice box.
  4. Fill in the Internet IP Address, Subnet Mask, Default Gateway with the parameters specified in the e-mail from Comcast. e.g.
    Static 173.xxx.yy.185 (Static IP address for my Linksys router)
    Gateway 173.xxx.yy.186 (Static IP address of the CG3000DCR gateway)
    Subnet Mask: 255.255.255.252
  5. Enter your favorite DNS service IP address values or use the Comcast DNS IPs.
    I used 8.8.8.8 and 8.8.4.4 for Google DNS and 208.67.222.222 for OpenDNS.
  6. Click Save Settings.
Linksys WRT54GL Setup for Comcast Business Static IP

Linksys WRT54GL Setup for Comcast Business Static IP

Linksys Router Dynamic DNS Settings

DDNS isn’t necessary with a static IP address but it does provide a way to configure an easy to remember host name to reach simple LAN clients like an IP camera. If you’re setting up a web server for a domain name you’ll want to subscribe to a DNS service and create DNS Zone records for your Comcast Static IP’s.

This next step assumes you have already created a DDNS Account with Dyn Remote Access and have a DDNS host configured.

Navigate to the Setup → DDNS menu in the Linksys WRT WiFi router. Input your DDNS account user name, password and host name. Click Save Settings and check the DDNS update status which should be “DDNS is updated successfully.” The DDNS service will register the Comcast Static IP address 172.xxx.yyy.185.

Linksys WRT54GL DDNS Client Setup

Linksys WRT54GL DDNS Client Setup

Remote Internet Access to LAN Clients

Port forwarding maps Internet requests from the static IP address to a private LAN IP address to access LAN clients (computers, cameras, etc.) via the DDNS host name and port, e.g. https://myhost.homedns.org:443 or directly with the static WAN IP address of the Linksys router, e.g. https://173.xxx.yyy.185:443. For port forwarding configuration instructions, see this project.

An example port forwarding configuration where unused ports are assigned to the LAN clients to avoid conflicts with other network services:

Linksys WRT54GL Port Forwarding

Linksys WRT54GL Port Forwarding

NETGEAR CG3000DCR Admin GUI Access

In the future if you want to log in to the CG3000DCR (or older SMC8014) gateway:

  • Connect your computer to the Linksys router LAN network via WiFi or wired Ethernet cable connection.
  • Point your web browser to http://10.1.10.1 to access the CG30000DCR admin page.

Comcast IP Gateway: Configure 10.1.10.x Static IP Address for Windows 7 PC

Note that you will not be able to access the CG3000DCR Admin GUI if your computer is plugged directly into a LAN port on the CG3000DCR (or the older SMC8014) when DHCP is disabled on the Comcast IP gateway because your computer won’t receive a DHCP 10.1.10.x IP address. What you need to do is temporarily assign a 10.1.10.x static IP address to your computer. This is only needed if you can’t connect through the Linksys router.

Comcast Business IP Gateway - Computer 10.1.10.x Static IP Config

Comcast Business IP Gateway – Computer 10.1.10.x Static IP Config

For Windows 7 the computer private static IP configuration steps are:

  • Control Panel → Network and Internet
  • Network and Sharing Center
  • Change Adapter Settings
  • Local Area Connection (right click menu) Properties
Windows 7 - LAN Connection Properties

Windows 7 – LAN Connection Properties

  • Internet Protocol Version 4 (TCP/IPv4) Properties
Windows 7 - LAN Connection Properties for IPv4

Windows 7 – LAN Connection Properties for IPv4

  • Click Use the following IP address:
    • Enter 10.1.10.2 or any unused IP address in the 10.1.10.2 to .254 range.
    • Subnet mask: 255.255.255.0
    • Default Gateway: 10.1.10.1
    • Click OK and OK again on both dialog boxes.
Windows 7 - Configure LAN Static IP Address

Windows 7 – Configure LAN Static IP Address

You can now point your web browser to http://10.1.10.1 to log into the Comcast IP gateway when DHCP is disabled for pseudo-bridge mode and your PC is connected to a gateway Ethernet LAN port. When you’re finished remember to go back and change your IPv4 properties back to select “Obtain an IP address automatically“.

Small Office/Home Office (SOHO) Network

See the Ubiquiti EdgeRouter Lite SOHO Network Design project for a small business or advanced home office network complete with firewall, VLANs, WiFi Access Point and OpenVPN remote access.

Ubiquiti EdgeRouter Lite Network Diagram

Ubiquiti EdgeRouter Lite Network Diagram

Happy networking,

Bob Jackson

Copyright © 2017 HandymanHowTo.com   Reproduction strictly prohibited.