How To Configure a Comcast Business Class Static IP Address


This tutorial explains how to configure a Comcast Business Class static IP address to enable remote access to network clients from the Internet. The Comcast Business IP Gateway (SMC8014 or NETGEAR CG3000DCR) is configured for pseudo bridge mode by disabling the normal routing, firewall, NAT and DHCP functions. The Internet-routable static IP address is assigned to the Linksys WiFi router WAN interface for remote Internet access to LAN clients.

Remote Internet Access Problem

I was helping a small business set up IP network cameras with the Comcast Business Class cable modem service but ran into a problem with Internet remote access: the DDNS agent in the Linksys WiFi router was showing a (“10 space”) non-Internet routable private IP address. I logged into the Dyn Remote Access account and saw the private IP address listed in the Host Services table.

The problem is that the Comcast IP Gateway operates in Router Mode and assigns a 10.1.10.x private IP address to the Linksys router WAN interface. My first thought was to request a standard cable modem which operates in Bridge Mode; however, Comcast Business does not support static IP addresses on standard cable modems and you must use their Business IP gateway (cable modem/router combo) to get an Internet routable static IP address.

Comcast Business Class Internet will install a NETGEAR CG3000DCR IP Gateway which is a cable modem and router combo that runs a custom firmware load by Comcast. (We originally had an SMC8014 gateway which Comcast replaced with a NETGEAR CG3000DCR when the SMC8014 failed). The Comcast IP Gateway does not support true Bridge Mode as compared to a basic cable modem nor does it provide a simple user menu option to select the “bridge mode | router mode” working mode like some gateways. Remote Internet access to the LAN network clients requires subscribing to Comcast’s Static IP Service and disabling the various Comcast IP Gateway firewall, NAT and DHCP features for the routed equivalent known as “pseudo-bridge mode”. Comcast Customer Support will remotely reconfigure the gateway for you upon request when the Static IP address is activated.

After configuring pseudo-bridge mode the DDNS agent in the Linksys router can now update the Dyn Remote Access service with the Internet routable WAN IP address. Remote Internet access now works with an easy to remember DDNS host name and port forwarding, e.g. or just the static IP address, e.g. where the “:443” is the port number to be forwarded by the Linksys router to a particular LAN client.

How To Configure a Comcast Business Class Static IP Address

I called Comcast and subscribed to one (1) static IP address service because a single IP address assigned to the Linksys WRT54GS WiFi router WAN interface would do the job. The sales person said a confirmation e-mail would be sent with the new static IP in 3 to 5 business days. Several days later, an e-mail confirmation arrived with the new IP address, gateway IP, subnet mask, DNS server IPs and instructions to call Comcast Tech Support’s toll free number to activate the static IP service. The e-mail was brief and to the point:

Dear Customer,
Below is the Static IP information for Account # xxxxxxxxxxxxxx
Static (Static IP address for my Linksys router)
Gateway (Static IP address of the CG3000DCR or SMC8014 gateway)
Subnet Mask:
Primary DNS:
Secondary DNS
Note: Static IP's will not be active/available until the file is downloaded
to your gateway. Please call Tech Support...800.391.3000 or reply to this
email when you want to make the change.

Comcast Static IP Block

Comcast offers 1, 5 or 13 usable static IP addresses. “Usable” means the quantity of IP addresses that are available for assignment to your devices. IP subnetting rules require that IP addresses are allocated in blocks of certain fixed sizes. To obtain one (1) usable IP address a /30 CIDR block is allocated. (You can skip the following CIDR block details because the essentials are given in Comcast’s e-mail notice above.)

Comcast Business Static IP Block Assignment: One (1) Customer Usable IP Example

  • CIDR Notation:
  • Network Address (ID):
  • Host Addresses: to .186
  • Customer Usable IP(s):
    Only one (1) usable IP because the highest host address (.186) is automatically assigned by Comcast to the Business Gateway WAN Internet IP address.
  • Network Broadcast Address:
  • Subnet Mask:

Recall that the Network ID and Broadcast IP addresses cannot be assigned to your network hosts (LAN devices). Comcast also assigns the highest usable IP address to the Business gateway WAN interface. Therefore 3 IP addresses in any CIDR block are reserved and not customer usable.

If I had purchased 5 usable static IP addresses for a more complex LAN network application then Comcast would allocate a /29 CIDR block:

Comcast Business Static IP Block Assignment: Five (5) Customer Usable IPs Example

  • CIDR Notation:
  • Network Address (ID):
  • Host Addresses: to .190
  • Customer Usable IP(s): to .189
    Only five (5) usable IPs because the highest host address (.190) is automatically assigned by Comcast to the Business Gateway WAN Internet IP address.
  • Network Broadcast Address:
  • Subnet Mask:
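
As an added example (not from the original article or from Comcast), the Python sketch below applies the allocation rules above to a block and sanity-checks the static IP, gateway and subnet mask from a provisioning e-mail before they are typed into the router. The 203.0.113.x addresses are constructed documentation-range values and the function names are hypothetical.

```python
import ipaddress

# RFC 1918 private ranges; the gateway's router-mode LAN (10.1.10.x) is in the first.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def comcast_block(cidr):
    """Split a static IP block into the roles described above.

    Network ID and broadcast are unassignable, the highest host address
    goes to the gateway, and the remaining hosts are customer usable.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # rejects CIDRs with host bits set
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError(f"{cidr}: need an IPv4 block of /30 or larger")
    hosts = [str(h) for h in net.hosts()]
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "usable": hosts[:-1],        # /30 -> 1, /29 -> 5, /28 -> 13
        "gateway": hosts[-1],        # highest host address
        "broadcast": str(net.broadcast_address),
    }


def check_assignment(static_ip, gateway, netmask):
    """Return a list of problems with e-mailed settings; empty means consistent."""
    ip = ipaddress.ip_address(static_ip)
    gw = ipaddress.ip_address(gateway)
    ip_net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    gw_net = ipaddress.ip_network(f"{gw}/{netmask}", strict=False)
    if ip_net.prefixlen > 30:
        return [f"subnet mask {netmask} leaves no room for a gateway and a host"]

    problems = []
    if any(ip in n for n in RFC1918):
        problems.append(f"{ip} is an RFC 1918 private address, not Internet-routable")
    if ip_net != gw_net:
        problems.append(f"static IP is in {ip_net} but gateway is in {gw_net}")
    for name, addr, net in (("static IP", ip, ip_net), ("gateway", gw, gw_net)):
        if addr == net.network_address:
            problems.append(f"{name} {addr} is the network address of {net}")
        elif addr == net.broadcast_address:
            problems.append(f"{name} {addr} is the broadcast address of {net}")
    if ip == gw:
        problems.append("static IP and gateway are the same address")
    elif ip_net == gw_net and gw != gw_net.broadcast_address - 1:
        problems.append(f"gateway {gw} is not the highest host address of {gw_net}")
    return problems


if __name__ == "__main__":
    for cidr in ("203.0.113.184/30", "203.0.113.184/29"):
        print(cidr, comcast_block(cidr))

    # Constructed samples: (static IP, gateway, subnet mask)
    samples = [
        ("203.0.113.185", "203.0.113.186", "255.255.255.252"),  # consistent /30
        ("10.1.10.2", "10.1.10.1", "255.255.255.0"),            # router-mode private address
        ("203.0.113.79", "203.0.113.80", "255.255.255.252"),    # pair straddles two /30 blocks
    ]
    for sample in samples:
        print(sample, check_assignment(*sample) or "consistent")
```

An empty result only means the three values agree with each other and with the highest-host gateway convention; it does not confirm that Comcast has activated the block.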

The Comcast static IP network diagram for one usable IP address with the NETGEAR CG3000DCR is:

Comcast Business Class Static IP Network Diagram for Pseudo Bridge Mode

Fluke LinkSprinter Network Tester

I recently had the pleasure of reviewing the Fluke LinkSprinter Network Tester. It automatically tests:

  • Power over Ethernet (PoE)
  • Ethernet Link and jacks
  • DHCP and Static IP Addresses
  • Network Gateway
  • Internet Connectivity

It’s affordable, easy to use and takes the guesswork out of network test and troubleshooting.

Comcast Static IP Address & Pseudo Bridge Mode

Comcast Business Support (800) 391-3000 can remotely configure the IP gateway for the routed equivalent to Bridge Mode, which disables the DHCP, DNS, NAT, firewall, static routing, filtering, etc. functions. This will allow your firewall/router to provide the LAN DHCP, NAT, port forwarding, VPN, etc. functions under your control.

I noticed that the older SMC8014 and the newer NETGEAR CG3000DCR both have the same custom firmware designed by Comcast. See the (circa 2006) Comcast Business IP Gateway User Guide for details; it doesn’t include the IPv6 menu options found in the latest firmware versions.

The NETGEAR CG3000DCR can be configured for pseudo bridge mode by connecting your computer to a LAN port on the gateway and logging in with a web browser:

  • Admin page:
  • User name: cusadmin
  • Password: highspeed

Comcast Business IP Gateway Login

You’ll be presented with the Comcast Business Gateway Welcome Screen:

Comcast Business IP Gateway – Feature Settings

Clicking Gateway Summary → Gateway Status displays the Firmware Version, Operating Mode, etc. The Operating Mode will always state “Residential Gateway” as of this writing:

Comcast Business IP Gateway – Status

Clicking Gateway Summary → Network will display the Internet and Local network settings. Comcast automatically assigns the highest usable IP address, e.g., to the Gateway WAN Internet IP Address. Your Static IP Block in CIDR notation (/30) is also displayed:

Comcast Business IP Gateway – Internet Settings

The pseudo bridge mode configuration settings for the NETGEAR CG3000DCR are as follows with selected screen grabs for the essential settings.

NETGEAR CG3000DCR Pseudo Bridge Mode Configuration Steps

The following steps will configure the CG3000DCR (or the discontinued SMC8014) for pseudo bridge mode by disabling the various Comcast gateway router functions.

  • Firewall → Firewall Options

    • Disable Firewall for True Static IP Subnet Only: Checked
      This is a critical setting for pseudo-bridge mode.
    • Disable Gateway Smart Packet Detection: Checked
      Smart packet detection was already disabled by Comcast, probably because it often breaks network services.
    • Click the apply button to save your changes.

Comcast Business IP Gateway – Firewall Options for Pseudo Bridge Mode with Static IP

Next click:

  • Firewall → Firewall Port Configuration
    • Port Forwarding: Disable all Port Forwarding rules: Checked
    • Port Triggering: Disable all Port Triggering rules: Checked
    • Port Blocking: Disable all Port Blocking rules: Checked
    • True Static IP Port Management:
      Disable all rules and allow all inbound traffic through: Checked
      Note: When “Disable Firewall for True Static IP Subnet Only” is checked (see the previous screen) it will automatically disable True Static IP Port Management if running the newer firmware versions.
    • Click the apply button to save your changes.

Comcast Business IP Gateway – Firewall – Port Configuration – Port Triggering

Next click:

  • Firewall → Web Site Blocking: Enable Web Site Blocking: Unchecked
  • Firewall → DMZ: Enable DMZ Host: Unchecked
  • Firewall → 1-to-1 NAT: Disable All: Checked
    Disabling the 1-to-1 NAT is the critical setting for pseudo-bridge mode.
  • Click the apply button to save your changes.

Comcast Business IP Gateway – Pseudo Bridge Mode for Static IP – Disable 1-to-1 NAT


Take care to disable the LAN DHCP option last because it will reset/reboot the gateway!

  • LAN → IPv6: No changes.
    All settings should be blank or “NA” except “Enable EUI-64 Addressing” is enabled by default.
  • LAN → Static Routing: No entries, all fields blank.
  • LAN → Filtering: Enable Access Filter: Unchecked
  • LAN → Switch Controls: Keep the default settings unless you have reason to disable or configure Ethernet port options.
  • LAN → IP Setup
    • Enable LAN DHCP: Unchecked
      This is a critical setting for pseudo-bridge mode to prevent the Comcast IP Gateway from assigning a 10.0.1.x private IP address to your router’s WAN interface.
    • Assign DNS Manually: Don’t care because the DNS server settings will be provided by your LAN router DNS feature. It was checked by default and I left it alone.
  • Click the apply button to save your changes.
    The Comcast Gateway will now reboot.

Note: DHCP and DNS services will be configured in the Linksys WRT router.

Comcast Business IP Gateway – Disable LAN DHCP for Pseudo Bridge Mode with Static IP

The NETGEAR CG3000DCR will reboot after DHCP is disabled and the apply button is clicked:

Comcast Business IP Gateway – Device Reset

Linksys Router Static IP Address Configuration

The Comcast provided static IP address, subnet mask and gateway must be configured on the Linksys WRT router to enable Internet access. The configuration is simple: change the Internet Connection Type from DHCP to Static IP through these steps:

  1. Log into the Admin page of the Linksys WiFi router at:
    Note: I changed the Linksys Router IP from the factory default to as a minor security enhancement to make it a little harder for someone searching for the default 192.168.1.x subnet. This is strictly optional.
  2. Go to the Setup → Basic Setup menu.
  3. Select Static IP in the Internet Connection Type choice box.
  4. Fill in the Internet IP Address, Subnet Mask, Default Gateway with the parameters specified in the e-mail from Comcast. e.g.
    Static (Static IP address for my Linksys router)
    Gateway (Static IP address of the CG3000DCR gateway)
    Subnet Mask:
  5. Enter your favorite DNS service IP address values or use the Comcast DNS IPs.
    I used and for Google DNS and for OpenDNS.
  6. Click Save Settings.

Linksys WRT54GL Setup for Comcast Business Static IP

Linksys Router Dynamic DNS Settings

DDNS isn’t necessary with a static IP address but it does provide a way to configure an easy to remember host name to reach simple LAN clients like an IP camera. If you’re setting up a web server for a domain name you’ll want to subscribe to a DNS service and create DNS Zone records for your Comcast Static IP’s.

This next step assumes you have already created a DDNS Account with Dyn Remote Access and have a DDNS host configured.

Navigate to the Setup → DDNS menu in the Linksys WRT WiFi router. Input your DDNS account user name, password and host name. Click Save Settings and check the DDNS update status which should be “DDNS is updated successfully.” The DDNS service will register the Comcast Static IP address

Linksys WRT54GL DDNS Client Setup

Remote Internet Access to LAN Clients

Port forwarding maps Internet requests from the static IP address to a private LAN IP address to access LAN clients (computers, cameras, etc.) via the DDNS host name and port, e.g. or directly with the static WAN IP address of the Linksys router, e.g. For port forwarding configuration instructions, see this project.

An example port forwarding configuration where unused ports are assigned to the LAN clients to avoid conflicts with other network services:

Linksys WRT54GL Port Forwarding

NETGEAR CG3000DCR Admin GUI Access

In the future if you want to log in to the CG3000DCR (or older SMC8014) gateway:

  • Connect your computer to the Linksys router LAN network via WiFi or wired Ethernet cable connection.
  • Point your web browser to to access the CG3000DCR admin page.

Comcast IP Gateway: Configure 10.1.10.x Static IP Address for Windows 7 PC

Note that you will not be able to access the CG3000DCR Admin GUI if your computer is plugged directly into a LAN port on the CG3000DCR (or the older SMC8014) when DHCP is disabled on the Comcast IP gateway because your computer won’t receive a DHCP 10.1.10.x IP address. What you need to do is temporarily assign a 10.1.10.x static IP address to your computer. This is only needed if you can’t connect through the Linksys router.

Comcast Business IP Gateway – Computer 10.1.10.x Static IP Config

For Windows 7 the computer private static IP configuration steps are:

  • Control Panel → Network and Internet
  • Network and Sharing Center
  • Change Adapter Settings
  • Local Area Connection (right click menu) Properties

Windows 7 – LAN Connection Properties

  • Internet Protocol Version 4 (TCP/IPv4) Properties

Windows 7 – LAN Connection Properties for IPv4

  • Click Use the following IP address:
    • Enter or any unused IP address in the to .254 range.
    • Subnet mask:
    • Default Gateway:
    • Click OK and OK again on both dialog boxes.

Windows 7 – Configure LAN Static IP Address

You can now point your web browser to to log into the Comcast IP gateway when DHCP is disabled for pseudo-bridge mode and your PC is connected to a gateway Ethernet LAN port. When you’re finished, remember to change your IPv4 properties back to “Obtain an IP address automatically”.

Small Office/Home Office (SOHO) Network

See the Ubiquiti EdgeRouter Lite SOHO Network Design project for a small business or advanced home office network complete with firewall, VLANs, WiFi Access Point and OpenVPN remote access.

Ubiquiti EdgeRouter Lite Network Diagram

Happy networking,

Bob Jackson

Copyright © 2019   Reproduction strictly prohibited.


  1. Evan Pols August 30, 2011 at 6:03 pm

    This appears to be exactly the sort of information I’m looking for. I have to put one of these in Bridged mode in a few days to use my third party firewall, and this looks like an awesome summary. Thank you!

  2. Nick Clark July 9, 2012 at 5:09 pm

    So nice to see this :-) I ran into a SMCD3G but the same principles applied. I thought I had originally setup the modem to perform true/clean bridge mode but something wasn’t right when I was port scanning it…seeing a different public address than what was configured in my SonicWALL. Anyway, I matched the setup w/ exception to my own public ip’s and it finally put me into true bridge mode. Thanks for your time Bob!

  3. Desperate July 13, 2012 at 1:33 pm

    All real good information but I still can not connect my back office to my store where my db is.
    I’ve turned everything off but for port forwarding rules, entered my info from BO and no connection. Comcast could care less, all they care about is that I have internet service.
    I need a tech (with experience) in the Fort Lauderdale area to contact me.

    • Bob Jackson July 13, 2012 at 11:11 pm

      Can you provide a network diagram of your LAN with servers and applications? I realize this is sensitive info. You can e-mail me at the About page.

      The Mobotix network camera project sits behind the Comcast cable modem / router. It should be comparable to your network in concept.

  4. Scott Castro August 14, 2012 at 9:59 am

    Excellent article. Thank you so much. You helped me avoid dealing with the sometimes frustratingly ignorant Comcast Tier 1 support. Of course I used a different device than the Linksys router but the modem setup was right on the money. Thanks again.

  5. Tim Nelson October 13, 2012 at 12:16 am

    Hey Bob, nice wiki – well done.
    Question, why would you need ddns if you have a static IP address?
    Another question I have; is it possible to do the same concept, with a public DHCP address from Comcast (business class)?

    What I want to do, is use the public IP address assigned to my SMC, and keep it registered with my web address pointed to dnsexit’s ddns servers. That being said, I wouldn’t need a static IP, since I could continue to reference my domain name.

    If I do this, is it possible to set the config on the SMC like you did, and on my Cisco WRVS4400N configure it to point to my SMC(without using a public static IP)?

    Basically I am just trying to set up an IPSEC VPN to my SMC via domain name->DDNS -> Port Forwarded to the static LAN IP on my WRVS4400N.
    Can you set up the WRVS4400N as a router instead of a gateway and do this? I have tried everything.

    • Bob Jackson October 13, 2012 at 2:11 pm

      > Question, why would you need ddns if you have a static IP address?
      This project example is one of several similar networks at different locations, some are served by DSL modems and other sites by residential class cable modems that only have dynamic WAN IP addresses. For consistency, I configured all the networks with DDNS. DDNS also makes it easier to remember the host name when typing in the URL versus a numeric IP static address. While I normally bookmark the URLs, sometimes I’m at a new computer or tablet and have to type in the URL from memory.

      > is it possible to do the same concept, with a public DHCP address from Comcast (business class)
      That was my first approach only to learn that Comcast’s Business Class DHCP IP addresses are not publicly routable. This is the “Remote Internet Access Problem” described at the beginning of the project. The only solution for Business Class service is to subscribe to a static IP address from Comcast. The Business Class public IP address cost is something like $15/month last time I checked.

      Note that Comcast Residential cable modem service with DHCP addresses are publicly routable and the DDNS service works great for remote access to your home network. I’m a Comcast subscriber and DDNS works great for my home network.

  6. PJ Dale October 29, 2012 at 10:57 am

    Hi Bob, great job and easy to understand.

    Does comcast have a better modem that i can ask for?

    How will I set up this modem with a cisco small business modem with VPN.

    I would like to set up the VPN so I can dial from home.

    I have 1 static Ip address.

    • Bob Jackson October 29, 2012 at 6:05 pm

      > Does Comcast have a better modem that i can ask for?
      You will need to ask Comcast if other cable modem options are available in your area.

      > How will I set up this modem with a cisco small business modem with VPN?
      VPN configuration is outside the scope of this tutorial. A Google search for “cisco vpn setup” should get you started.

  7. NICOLE HESS December 28, 2012 at 8:14 am

    I have read this article because it mirrors what I’m trying to do at a remote site for our business. I have had Comcast put my smc gateway in the equivalent of “bridge mode” and tried to set my linksys router wrt150n which is behind the modem with the Comcast info to allow it to hand out DHCP so I can port forward or simply put a static ip on a HP4250 printer and add it to my network at corporate, to no avail. My router stops accessing the internet when I save the settings if I set it while it’s connected to the SMC, and if I unplug and then set it and save, when I plug it back in I get the private ip addresses like … assigned. I’m new to networking and my boss is getting mad I can’t do something simple like get a printer printing at a remote site, I’m at my wits end. Please help.

    • BobJackson December 28, 2012 at 10:01 am

      Hi Nicole,
      This forum isn’t for general IT Support, but I’ll try to help.

      Based on your description where the SMC is handing out 10.x.x.x LAN IP addresses to the Linksys router, it makes me think you are not subscribed to the Comcast Static IP address service. A static IP address is an optional service for an extra fee. Please confirm that you have a static IP address with Comcast.

      Assuming you have purchased a static IP address from Comcast, the next troubleshooting steps are to go back to the basics:
      * Make a simple network diagram with your IP addresses and subnets as shown above.
      * Review the SMC router configuration with Comcast Support.
      * Do a factory reset on the Linksys router and configure it from scratch. Your computer should be plugged directly into the Linksys LAN port for this step. Power cycle the Linksys so it’s synched with the SMC gateway. Verify you can access the Internet from your computer.
      * I would assign a static LAN IP address to the printer behind the Linksys as per the “Remote Internet Access to LAN Clients” topic. DDNS isn’t needed with a WAN static IP address, but it does make it possible to give the printer an easy to remember host name.

      Take care,

  8. Patrick January 30, 2013 at 1:55 am

    Bob—just wanted to say thanks for this article. I was having this exact problem with my AirPort Extreme and my new Comcast internet service, and your instructions worked flawlessly (and undoubtedly saved me a bunch of time and grief dealing with Comcast tech support). Many thanks for sharing this.

  9. Eric GM February 1, 2013 at 1:06 pm

    Hi Bob.

    A year and a half later, this article is still helpful. We’ve put an embarrassing number of hours into trying to deploy a Netgear firewall under a Comcast setup like this. It’s still in process, but the answer we’re getting now is that it doesn’t work because the SMC is not in true bridge mode (and that doing so brings down the entire network until the firewall works properly). We’ve had various accounts of what true bridge mode means, so this is a chance to implement that scenario. Trying it this evening…

    • BobJackson February 1, 2013 at 1:45 pm

      Let me know about your success. Thanks!

  10. Shon Gale February 25, 2013 at 4:28 pm

    Love your article.
    I have an SMC 8014 from ComCast with 5 static ip’s. I have a NETIS ST3123 8 port 1GB router and a D-LINK DI-604.
    Once I have Comcast set my modem to bridge mode, is there anything else I need to do to assign a static ip to each router?
    Can I add another D-LINK wireless router to another one of the ip’s?
    Any info you can tell me or pitfalls to watch out for would be a great help.

    • BobJackson February 25, 2013 at 9:09 pm

      Hi Shon,
      The NETIS ST3123 is a switch, not a router. It’s only for connecting LAN clients to the router.

      The D-Link DI-604 router doesn’t support the Comcast static public IP addresses on LAN clients, so what you’re probably thinking won’t work:
      Comcast — SMC8014 — D-Link router — NETIS switch –X– LAN clients with static public IPs

      The D-Link DI-604 will NAT between its Comcast static public WAN IP and the private LAN IPs, so you won’t be able to reach your connected devices from the Internet.

      What will work is:
      Comcast — SMC8014 Port 1 — D-Link router #1 — NETIS switch — LAN clients with private IPs
      Comcast — SMC8014 Port 2 — D-Link router #2 — LAN clients with private IPs
      Comcast — SMC8014 Port 3 — single device (computer, web server, NAS, camera, etc.) with a public static IP
      Comcast — SMC8014 Port 4 — single device (computer, web server, NAS, camera, etc.) with a public static IP

      where [Comcast — SMC8014 Port X] refers to the same SMC8014 gateway.

      The reason that devices assigned a Comcast static public IP address must be connected to a SMC8014 LAN port is because Comcast will route the static public IPs for you.

      If you’ve actually bought 5 assignable static public IP addresses from Comcast, you’ll notice you’ve run out of ports on the SMC8014 since you have 5 usable IP addresses but only 4 LAN ports on the SMC8014. Not a problem, hookup your network as so:
      Comcast — SMC8014 Port 1 — NETIS switch — 2 devices with static public IP addresses
      Comcast — SMC8014 Port 2 — D-Link router #1 — (another Ethernet switch) — LAN clients with private IPs
      Comcast — SMC8014 Port 3 — D-Link router #2 — LAN clients with private IPs
      Comcast — SMC8014 Port 4 — single device (computer, web server, NAS, camera, etc.) with a public static IP

      The NETIS switch is “transparent” to the SMC8014 and your public static IP devices will be routed correctly by Comcast.

      To be more precise, you can connect 1 to 5 devices with static public IP address to the switch:
      Comcast — SMC8014 Port 1 — NETIS switch — 1 to 5 devices with static public IP addresses

      BTW – It doesn’t matter which LAN port # you connect the devices to on the SMC8014, they all work the same.

      Take care that devices with static public IP addresses will be visible to the entire Internet (worldwide) and vulnerable to hacking. Change all default logins and use strong credentials, disable all unnecessary services, run an anti-virus/firewall on all computers and servers, plus any other security measures supported by the various devices. Your devices will be probed and hacked in minutes if left unsecured.

  11. TCCrab March 12, 2013 at 7:06 pm

    Wish I had found this article about three weeks ago.
    Would have saved me a *LOT* of frustration.
    Too bad the Comcast Tech Support people don’t know about this stuff, or perhaps they do know and won’t share the information.
    I had been hosting a domain and serving my own emails while a Comcast Home Broadband User.
    They found out (after 9 years, took ’em long enough) and they blocked my Port 25 (SMTP). and Port 80 (HTTP).
    I called and confessed my sins and begged for absolution by upgrading to Comcast Business Class.
    They installed the business class cable modem and still no emails.
    Multiple calls to tech support with no joy.
    Even their tier 2 support weren’t able to get it back up.
    Upon further investigation I found that they had installed a “Gateway” and not just a simple cable modem.
    That “Gateway” doubles as a router.
    Now that i knew what I was up against, a quick search using:
    “How To Configure A Comcast Business Class Static IP address” and VIOLA!!
    The answer I needed.
    Thank you HandyManHowToGuy!!!!

    Folsom, CA

    • BobJackson March 12, 2013 at 8:27 pm

      Hi Tom,
      I’m pleased my application note helped you. The issue is Tier 1 Tech Support personnel aren’t solution engineers, it’s just the nature of a mass market call center.
      Take care,

  12. Shon Gale March 19, 2013 at 2:07 pm

    Bob; thanks for your help. It’s greatly appreciated. I am trying once again to make this happen. I got a hold of a LinkSys WRT54G which the doc say is the predecessor of the 160n so if you know any different please let me know otherwise I am going to go for it.
    Once again thanks

    • BobJackson March 19, 2013 at 3:25 pm

      A Linksys WRT54G or any current WiFi router should do just fine.

  13. Shon Gale March 20, 2013 at 6:13 am

    Thank you much sir! I will try it today. I need to make it work. I have 2 lines in here, 1 for my server and 1 for my dev testing and the second line costs $72.00 a month (almost as much as business class) and I really want to get rid of it. They are such a ripoff for the consumer. Business kinda get a break, which is ass backwards of the normal way of doing business.
    Once again thanks!

  14. Terry Platt April 3, 2013 at 6:01 am

    Can you recommend a router without WiFi?
    Or, can I use the Apple WiFi already in place?

    • BobJackson April 3, 2013 at 7:29 pm

      WiFi is not required, any router that supports a static WAN interface IP address should be fine.

  15. jquill April 30, 2013 at 4:38 pm

    I’m trying to get an Airport Extreme router set up for a new Comcast Business Class Static IP account. It’s not active yet, but they did email the network settings. I tried plugging them in to the router to get it ready to test but keep getting an Invalid Value error – The router address you have entered is not compatible with your WAN IP address. The Static IP is; Subnet Mask; Router Address/Gateway is The router does not appear to like a Gateway address higher than the Static IP. Is this normal or perhaps a limitation in the Airport Extreme.

    Any feedback would be helpful. Thanks.

  16. jquill April 30, 2013 at 8:17 pm

    Thanks. I have another extreme router that has been running on a DSL modem connection with a static IP for a few years and has not had a problem. In that case, the IP address ends in .127 and the gateway ends in .1; the router is happy with that. On the new Comcast circuit, the gateway address is higher than the Static IP (.79 IP and .80 Gateway) and the router will not seem to allow that; pops the Invalid Value error message. I’m not a network guy, so I was basically wondering if it was unusual to have a Gateway address higher than the Static IP address or did Comcast perhaps send me bad data.

    Thanks again…

    • BobJackson April 30, 2013 at 8:41 pm

      The Comcast public static IP address ranges are valid: .79 static ip for your Airport Extreme WAN interface and .80 for the gateway. Best I can do is offer a few more bread crumbs based on the same error message “The router address you have entered is not compatible with your WAN IP address”. These links suggest the LAN side should be set to DHCP or the LAN subnet mask was modified.

      Set up with a static IP

      Changing Subnet mask in Airport Utility

      Please write back when you’ve solved the problem.

  17. jquill May 7, 2013 at 5:59 pm

    Well, it turns out Comcast gave me the wrong IP address and the wrong Gateway. After a couple of calls they gave me addresses in the proper block range.


    • BobJackson May 7, 2013 at 6:37 pm

      You’re welcome! Thanks for writing back.

  18. John May 26, 2013 at 11:20 pm

    Good article, this brought me about 99% of the way through what I’ve been (pondering) getting done for a couple years now.

    What is your recommendation for port 80? I’d like to be able to hit an internal web server on port 80, but I also don’t want to lock out all control of the comcast bridge from both ends.

  19. eddy123 May 29, 2013 at 9:45 pm

    I have the comcast business server side setup as recommended by comcast for vpn access, and we have the static ip, etc, but what settings are needed to connect via Shrew Soft VPN?

    • BobJackson May 30, 2013 at 11:58 am

      VPN client and gateway setup are outside the scope of this project. Contact Shrew Soft technical support for product configuration assistance.

  20. HarKenToh June 7, 2013 at 3:39 pm

    Great article – Comcast should have it on their support site (for a fee, of course).

    Thanks a lot!

  21. Suzy Brown June 14, 2013 at 12:49 pm

    You are a god send…my experiences with Comcast reflect everyone else here. They actually messed up our system so bad we had no internet for 6 hours, which is forever in a business with no credit cards being processed! Anyway I just wanted to post my thanks.

    Suzy Brown

    • BobJackson June 14, 2013 at 2:41 pm

      > They actually messed up our system so bad we had no internet for 6 hours…
      Have you considered the Square credit card reader as a backup system?

      Sign up for a Square account and keep the Square reader in the drawer until you need it. If an Internet or Phone outage disables your cash register credit card reader, plug the Square reader into your iPhone/iPad/Android and you’re back in business. You’ll pay $0 per month and about 3% per swipe only when you use it (other pricing plans are available).

      I was at my favorite cigar store and the countertop credit card reader was out of service because the phone lines were down. The store proprietor plugged the Square reader into his iPhone, swiped my Amex, the credit card transaction was processed via the cellular data network and I received the receipt via e-mail.

  22. Breanna July 3, 2013 at 11:49 am

    I have Comcast Business internet service at my place of work, and I’m wondering how do I get WiFi with it, because I have devices that I want to connect to it for customers.

    • BobJackson July 3, 2013 at 6:29 pm

      There are two ways to setup WiFi:
      1. Comcast XFINITY® WiFi hotspot.

      If you expect more than 20 to 30 simultaneous wireless customer connections or are located in a busy public area (e.g. food court at the shopping mall), I’d go with XFINITY WiFi HotSpot because Comcast will manage the WiFi router and it will be on a separate Internet connection from your Comcast Business Class Internet (more bandwidth for you!).

      2. Buy a WiFi router and connect it to your Comcast cable modem. I’ve illustrated this configuration in the project network diagram.

      Should you setup your own WiFi router, configure a WiFi access password so only your customers can use the service. This will prevent “drive by” public users from leeching on the service.

  23. luke July 24, 2013 at 7:06 pm

    Here is how I got this setup to work WITHOUT having to have comcast change me to a static IP.

    I found the trick was to put the comcast modem/router on (LAN side), and then the new router on for the LAN (that’s what the comcast router was before the switch, and I didn’t want to change any of the clients on the network). This thankfully lets me access both of their web interfaces from a browser on the LAN. Then I plugged the WAN port on the new router into the comcast modem/router, and had it get an IP from the comcast box (set this lease to forever). I set the comcast box to DMZ

    I use Remote Desktop Protocol all the time so I had to get port forwarding working. I have the comcast box forward what comes in on port (9100 in my case) to the new router’s WAN IP( with the same outside port (9100 in my case), and had the new router then forward it to the correct client IP on the internal port 3389. So it was pretty easy once I had the right plan.

    • T Bridges February 17, 2016 at 7:05 pm

      Luke – I’m trying to do this same thing with my Business-class Comcast gateway – I don’t want to pay $19/month for ONE static IP address…I think that should be included for the price that I’m paying. Any way, can you email me – I had a few questions for you ( – thanks.

  24. luke July 24, 2013 at 8:41 pm

    You can also get the wifi to work with the comcast modem/router by using a wifi router and disabling its DHCP. Set the wifi router to be on a static IP in the same range as your network (but on an IP just outside of the DHCP settings on the comcast router/modem), use an ethernet cable to go from the DHCP-disabled wifi router’s LAN port (not the WAN) to a LAN port on a switch or the comcast modem/router. This worked flawlessly for me.

  25. luke July 24, 2013 at 8:52 pm

    In my post about how I setup a wifi router behind a comcast modem/router (model 8014), I made a typo on the DMZ I setup. The DMZ I setup on the comcast box was to the WAN port on the new wifi router. So should be (not as I typed). I’m not sure this is required, but I wanted the WAN port to be straight through from the comcast box without the comcast router/modem doing firewall stuff on it, since the new wifi router has its own firewall.

    • BobJackson July 25, 2013 at 7:40 am

      Are you using a Dynamic DNS (DDNS) update service on your WiFi router to discover the Comcast DHCP-assigned (i.e. dynamic) public IP address assigned to the SMC 8014 WAN port to access your LAN devices via Remote Desktop Protocol? DDNS would allow the Remote Desktop Connection to be configured with a URL instead of the changing Comcast WAN public IP address.

      Allow Remote Desktop connections from outside your home network

      Thanks for the insights!

  26. Juan July 28, 2013 at 11:17 pm

    Somebody please help me!!!

    I just signed up for Comcast Business Class, I have 5 static IP’s, I purchased a Netgear R6250 WIFI router and I’m trying to figure out a simple way to assign my static IP’s to my Foscam security cameras! I’ve been reading blog after blog and so far I think I rather get my teeth pulled!! There has to be a simple way to do this even for a rookie like me to figure out!! Comcast has put my modem in “bridged mode” (honestly I don’t know what the hell that does)!

    First I need a step by step explanation on how to configure Cable Modem Gateway (Netgear CG3000DCR) and the Netgear Wireless Router (R6250) I purchased and how to assign the static’s to my cams!! I would sincerely appreciate any assistance!!!

    Anybody up to help me? Please?

    Thanks a bunch!!!!

  27. Jose August 1, 2013 at 1:41 pm

    Please don’t call this ‘Bridge Mode’. The SMC8014 doesn’t have that functionality. What you’re really describing above is disabling the NAT engine on the Comcast device so you can use the static IP block that you purchased. But this is all still layer 3.

    • BobJackson August 2, 2013 at 8:12 pm

      “Bridge Mode” is the term that users ask for and understand. The fact that Comcast Tier 2 will disable NAT to accomplish the equivalent functionality is beside the point.

      Comcast refers to it as Bridge Mode in everyday language, so maybe it’s best you post your concerns on the Comcast Business forum.

  28. Dino September 30, 2013 at 8:18 pm

    This article is tremendously helpful, but unfortunately has not quite solved my problem.

    I have a Sonicwall firewall in place of your Linksys. If I setup the SMC Gateway to use DHCP and hand out addresses, the client machines behind the Sonicwall (192.168.0.x) can browse the web.

    However, if I turn off DHCP, NAT etc. on the SMC Gateway and change the WAN and router addresses on the Sonicwall to the Comcast assigned Static IP addresses, I can no longer browse the web. Yet, I can still ping sites on the internet from client machines behind the Sonicwall.

    This would suggest it is not a DNS problem (since I am pinging my domain name) and not a port blocking problem on the Sonicwall as I have not changed these settings between the two configurations.

    Any ideas what to try next?

    • BobJackson October 1, 2013 at 7:27 am

      Hi Dino,
      See if the SonicWALL: Configuring a Static IP Address with NAT Enabled instructions solve the problem. The SonicWALL firewall will have a public WAN IP while enabling NAT and DHCP for LAN clients.

      Also see the “UTM: How to configure the SonicWALL WAN/X1 Interface with Static IP Address” – Configuring the SonicWALL WAN interface (X1 by default) with Static IP address provided by the ISP – article in the MySonicWALL Knowledge Portal under the Support menu.

      The SonicWALL UTM appliance is fairly complex. If you’re still having trouble, please open a Service Request at the MySonicWALL portal. The SonicWALL support tech can take a look at your firewall configuration to fix the problem.


  29. Kenneth Moore October 22, 2013 at 3:50 pm

    I pulled my hair out for most of two days trying to get public access to an internal web server on a Comcast business account with a static IP. It should be as simple as putting the CG3000dcr into bridge mode, and uplinking to my Linksys AP/router which is configured with the static ip and info from Comcast. The Linksys is also setup to forward inbound requests (80 and 21) to the webserver. Simple, except that there is a setting in the cable modem that can only be seen/modified by Comcast that must be changed. After almost two days and three support calls to Comcast, my webserver is now visible to the outside world.

  30. Ken March 18, 2014 at 10:21 am

    I have a Comcast Business modem/router. Set to pass thru mode. Everything is off except port forwarding ( can’t uncheck box ). Behind the Comcast I have a Netgear FVS318N. My network connects to the FVS thru a switch. On the network I have one server which my software people need to telnet into. I port forward port 23 to the server ( 192.168.2.xx ) with no luck. I test and get a response of “the connected party did not respond”. I know the server is listening on port 23. From the logs on the FVS router, I see incoming port 23 to the server but no outgoing.

    • Bob Jackson March 18, 2014 at 3:23 pm

      > Comcast Business modem/router… Everything is off except
      > port forwarding ( can’t uncheck box )
      Have you contacted Comcast Technical Support to disable port forwarding on the modem/router? Best to get this out of the equation so you’re not troubleshooting a NAT issue beyond your control.

      > I have one server which my software people need to telnet into.
      > I port forward port 23 to the server ( 192.168.2.xx ) with no luck
      While I’ve no experience with the NetGear FVS318N Wireless N VPN Firewall, I would follow the Virtual Private Networking Using SSL Connections starting on page 266 of the FVS318N Reference Manual and more specifically Configure Applications for Port Forwarding on page 273. An SSL encrypted VPN is secure for carrying what would otherwise be unencrypted telnet traffic. In my business we always disable telnet because it is insecure with user name and passwords sent in clear text.

      If you don’t or can’t use the SSL VPN option then SSH is an encrypted alternative to telnet that could be port-forwarded. Check that LAN WAN firewall rules are configured to admit the SSH (or telnet) traffic.

      Hope this helps,
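
The reply above flags telnet as a cleartext service that should not be forwarded from the Internet. As an added example (not part of the original comments), the audit below reads a port-forwarding table and flags rules by the internal service port, so a rule that maps a different outside port to an internal service is still caught. The rule syntax, the addresses and the function names are constructed for illustration and do not correspond to any router's export format.

```python
import ipaddress

# Internal ports whose protocols send logins in clear text.
CLEARTEXT_LOGIN = {21: "FTP", 23: "telnet"}
# Remote administration services better reached through a VPN.
REMOTE_ADMIN = {3389: "RDP"}

# Constructed forwarding table: "<proto> <external port> -> <LAN host>:<internal port>"
SAMPLE_RULES = """
# web server
tcp 80   -> 192.168.1.20:80
tcp 21   -> 192.168.1.20:21
# server the software vendor logs in to
tcp 23   -> 192.168.2.10:23
tcp 22   -> 192.168.2.10:22
# remote desktop on a non-default outside port
tcp 9100 -> 192.168.1.50:3389
"""


def parse_rule(line):
    """Parse one rule line into a dict; raise ValueError on malformed input."""
    fields = line.split()
    if len(fields) != 4 or fields[2] != "->":
        raise ValueError(f"malformed rule: {line!r}")
    proto, ext_port, _, target = fields
    host, int_port = target.rsplit(":", 1)
    ipaddress.ip_address(host)  # validates the LAN address
    ext_port, int_port = int(ext_port), int(int_port)
    for port in (ext_port, int_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in rule: {line!r}")
    return {"proto": proto.lower(), "ext_port": ext_port,
            "host": host, "int_port": int_port}


def audit_forwards(text):
    """Return findings for rules that expose cleartext-login or admin services."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        rule = parse_rule(line)
        port = rule["int_port"]
        if port in CLEARTEXT_LOGIN:
            service, issue = CLEARTEXT_LOGIN[port], "cleartext-login"
        elif port in REMOTE_ADMIN:
            service, issue = REMOTE_ADMIN[port], "remote-admin-exposed"
        else:
            continue
        findings.append({
            "ext_port": rule["ext_port"],
            "host": rule["host"],
            "service": service,
            "issue": issue,
            # A different outside port does not change what is exposed.
            "remapped": rule["ext_port"] != rule["int_port"],
        })
    return findings


if __name__ == "__main__":
    for f in audit_forwards(SAMPLE_RULES):
        note = " (outside port remapped)" if f["remapped"] else ""
        print(f"WAN port {f['ext_port']} -> {f['host']} {f['service']}: "
              f"{f['issue']}{note}")
```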

  31. Lynna Anderson March 18, 2014 at 12:00 pm

    Thank you so much for this walk through. I have been pulling my hair out trying to get my camera to work and finally got it going. Thank you so much!

  32. jay March 31, 2014 at 3:24 am

    Bob, I followed your instructions to connect my cameras. The only thing different is that I am using a Netgear WNR1000v2 router and was able to set up the port forwarding but unable to connect from a remote computer. I have the Comcast business and am using a static IP address for my router (have five total) and have the DVR connected to the router along with multiple devices (LAN) using a Netgear switch. The other three ports are connected to VOIP phones as for some reason they don’t work properly via the router and am able to use a D-Link switch for extra ports. So I am not using any other static IP’s.
    I type in the static IP address of my router on the IE browser at my home computer and no connection. What am I missing? Please help!!!!

    • Bob Jackson March 31, 2014 at 7:43 pm

      Hi Jay,
      Have you asked Comcast to confirm the cable modem is configured for “bridge mode”, meaning the Network Address Translation (NAT) function is disabled?

      Can you ping the Comcast static IP address assigned to the WAN port of the Netgear WNR1000 WiFi router from the Internet? See page 63 in Section 4-6 “Configuring the WAN Setup Options” of the WNR1000 User Manual for instructions to enable ping. If you can’t ping the Comcast static IP address assigned to the Netgear WAN port, that needs to be resolved first.

      Did you configure static LAN IP addresses for the cameras? The cameras must have a static LAN IP for port forwarding to work to a fixed destination. You’ll also need to configure the camera itself to disable DHCP and use a static LAN (private) IP. See the “Static IP Address and Port Forwarding Configuration” section in this article for assigning static LAN IP’s above the WiFi router DHCP range. This related article may be helpful, too.

      You could sign up for a free DDNS service like no-ip and enable DDNS on both the router and the camera. DDNS works for both public (WAN) and private (LAN) static IP addresses. The DDNS account hosts page will show the IP address actually assigned to the router and camera to help your troubleshooting. If the no-ip DDNS hosts page reports a different WAN IP address for the Netgear router than the Comcast static IP address you assigned, that’s your problem. Check the Netgear WAN static IP address settings again and if it looks OK, check back with Comcast to enable bridge mode on the cable modem.

      Make a network diagram for each device in the daisy chain with the pertinent network information. A diagram is extremely helpful for mapping each device configuration and hop in the network.

      Let me know when you find the problem.


  33. Samy April 15, 2014 at 1:01 am

    How different is the setup when one has a Dynamic IP with Comcast and wants to add a separate VPN router? Do we still need to bridge the Comcast router modem or?

    • Bob Jackson April 15, 2014 at 8:15 am

      You’ll need to consult your router documentation. This article explains how to setup a Linksys VPN with DDNS.

  34. Steve April 22, 2014 at 6:27 pm

    Great article, but I have what may be one of those ‘stupid’ questions.

    In the diagram you show the LAN private IP address of the modem as the default but show the WAN public IP address of the firewall as one of the static IP addresses provided by Comcast.

    Is this correct? How does traffic route from the firewall to the router when on two different sub-nets?

    Secondly I’ve just recently been advised by 1st tier Comcast support that they no longer ‘support’ placing the modem in bridge mode.

    • Bob Jackson April 22, 2014 at 8:02 pm

      Hi Steve,
      You’re asking insightful questions.

      The SMC8014 LAN private IP address is how you access the SMC8014 configuration GUI and doesn’t change. You can only reach that IP address if your WiFi router pulls a DHCP IP address from the SMC8014 so it’s in the same subnet. Therefore you’re not routing between the static (e.g. 173.x.x.x) and private 10.1.10.x subnets since your network is either on one (DHCP assigned private space) or the other (static, public or Internet routable).

      > I’ve just recently been advised by 1st tier Comcast support that
      > they no longer ‘support’ placing the modem in bridge mode.
      Bridge mode is the generic term that most people ask for but it’s actually disabling the 1-to-1 NAT function. Also see this screen image.

      The Comcast Business IP Gateway overview page now states:

      Comcast can configure the Gateway according to customer specifications. However, we will only disable a customer’s firewall and DHCP service on the Gateway upon request.

      So if you or Comcast disable the SMC8014 firewall, port forwarding, 1-to-1 NAT, etc. as detailed in this tutorial it should work.

      Take care,

  35. paul May 23, 2014 at 8:53 am

    Dude great writeup. The problem I was having was not putting the right gateway on the 2nd router! You rock

  36. nsical June 26, 2014 at 1:25 am

    Thanks Bob. I was having a problem configuring our Cisco ASA 5505 so it can NAT one of the external IP’s in our comcast business IP block. However, there was no traffic to ASA which had one of the external IPs. I figured from this article that comcast modem had DHCP enabled. I disabled it and it worked. After spending several days on ASA, this article saved my day.


    • Bob Jackson June 26, 2014 at 6:23 am

      You’re welcome,

  37. Lisa July 20, 2014 at 7:23 pm

    Thank you! This was very helpful when I went to switch from another service provider to Comcast. I was able to determine how to disable all the functions on the Comcast router, then determine which Comcast ip addresses to use in the sonic wall without having to hire an IT person! Yay ! ! ! The only glitch I had was the comcast router did not specify the subnet mask on the WAN IP, but I plugged in the one you listed above for the 5 IP address scenario and it seems to be working fine. All of my other settings in the sonic wall firewall were good to go. I didn’t need to change anything else. I am so pleased with myself. All of my ports are forwarding nicely. I have been able to login remotely on several apps. Thank you so much! Had I not found this it probably would have taken another IT person or Comcast hours to figure this out.

    • Bob Jackson July 20, 2014 at 7:57 pm

      Terrific! Thanks for sharing your success story.

  38. Charlie Johnson July 30, 2014 at 7:23 am

    Can I use the additional 3 ports on the comcast modem?
    I am using bridge mode with one static IP for a network that’s protected by a firewall. I’d like to set up a computer outside my firewall.

    • Bob Jackson July 30, 2014 at 5:43 pm

      You can use the other three LAN ports on the NETGEAR CG3000DCR for other devices. There are two approaches:

      2 or more Useable Comcast Static IP addresses:
      If you purchased two or more useable static IP addresses just connect your router/computer/etc. device into an available LAN port and configure the static IP address on that device.

      Enable LAN DHCP on the Comcast Gateway:
      If you enable LAN DHCP on the NETGEAR CG3000DCR then it will assign a 10.1.10.x range dynamic IP address to your computer and you can surf the Internet like it was a normal cable modem. This complements (i.e. won’t break) the Static IP address configuration in the tutorial so you have the best of both worlds.


  39. Richard Agyei August 10, 2014 at 11:13 am

    Thank you. This seems to be exactly what I’m looking for. The comcast CSR’s have so far been unable to direct me on exactly how to do this.

  40. Paul Gandhi August 15, 2014 at 6:05 pm

    I have netgear 3000 comcast business modem.
    Comcast said I have dynamic IP.
    Do you think it will work like you mention without static IP?

    • Bob Jackson August 15, 2014 at 7:04 pm

      It will not work with a dynamic IP address.

  41. Eric B. Webb September 10, 2014 at 3:30 am

    I just literally finished setting up my Comcast Biz Inet. I have a netgear CG3000DCR and the config(s) worked flawlessly. I’m using a Cisco 1941 ISR instead of a linksys.
    Thanks Bob.

  42. James September 11, 2014 at 11:01 am

    Excellent article and I would like to add one thing is that Comcast can also put the modem into real bridge mode if you ask them but the policy was at the time, a few months ago, that you could not get a static ip address(es) from them if you did that.

  43. Jesse Pereboom October 4, 2014 at 3:03 pm

    I am in the middle of this project and this information looks extremely helpful. Just wanted to thank you in advance for putting this together. Can I make a donation?

  44. Grant November 21, 2014 at 8:51 pm

    Great Doc!!!!

  45. TW December 2, 2014 at 2:24 pm

    I have static block and checkpoint 1140 router. Firewall is disabled on Comcast netgear router as above.
    If i connect computer directly to modem with dhcp enabled then get speed of 100/20. when I connect thru checkpoint get speeds of 50/12. Anyone have any ideas why this big gap?

    • Bob Jackson December 2, 2014 at 8:32 pm

      I haven’t used the Check Point 1140 firewall, but both the Check Point 1140 and the NETGEAR CG3000DCR support 1000 Mbps copper Ethernet speeds.

      The packet throughput constraints I’ve seen in similar small office firewall appliances were caused by CPU limitations. The appliance wasn’t able to run at full “wire speed” when inspecting packets against firewall and IPS rules/patterns. The 1140 spec sheet mentions “Firewall and IPS Throughput (Mbps): Up to 30” based on 25 users. The actual performance depends on how it’s configured.

      Try disabling the Check Point firewall and IPS functions so it’s acting like a basic router and run a speed test. If you get the full 100/20 Mbps from the Comcast gateway then you’ll need to consult with Check Point for performance tuning or maybe upgrade to a larger appliance.

  46. Ari G December 8, 2014 at 11:27 am

    Used this article and it was very helpful when flipping to the new Comcast Gateway. While MANY people have had issues with the firmware of that gateway, I popped it RIGHT into bridge mode to let the SonicWALL deal with everything, using Cat6, and have had no problems (knock on wood).
    I am also not clear on what the network diagrams of these frustrated people are, whether or not they have physical line problems, if they are dealing with VOIP, or not. (I DO know that historically, Comcast tries to bump-off VOIP connections in residential scenarios.)
    Your statement on Dec 2 of 2014 is EXACTLY the kind of stuff that IT guys MUST understand when looking into and buying network hardware. More expensive devices include the better engineering and the greater processing power. While 15 years ago the web was a lot less complicated, today it is and small offices NEED to spend the money on more power than what was assumed years ago.
    In any case, I am appreciative of the time you’ve spent to write up the information in this blog and encourage you to continue on!!!

  47. Brad Pitcher December 15, 2014 at 7:33 pm

    You saved my life! You, sir, are a true gentleman

  48. jinngonqui January 8, 2015 at 10:57 pm

    I need to route one of my Comcast static IP’s to the static LAN IP of a camera. Here’s my set-up: Comcast Gateway (no DHCP, no forwarding, etc.) — Juniper ssg5 [static Comcast IP] (DHCP, etc.) — Switch A — Switch B — Camera [static LAN IP]. I am confused with why a basic 1-to-1 NAT with the WAN IP to the camera LAN IP isn’t working. Comcast online documentation suggests the static routing needs to be set-up in the Comcast Gateway for the relationship with the Juniper firewall — but, it is not clear what the Gateway IP should be, or the Destination IP for that matter. Setting the Dest IP to the camera LAN IP, and the Gateway IP to the WAN IP didn’t do the trick either. A ton of googling and a call to Comcast haven’t helped. This article and the discussions are all really close to what I need, but just a bit off of getting the specifics. It would seem this is a simple matter, apparently not. Any guidance would be greatly appreciated.

  49. Mr B February 5, 2015 at 9:44 pm

    Well I’ve got the 5 static IP’s from Comcast and the NETGEAR CG3000DCR modem. The NAT, port fwd, DHCP etc. are all disabled as in above. Still only directly attached PC’s on the LAN ports w/static IP are pingable, my internal NAT’d server is not reachable. The firewall is a SonicWall, interface set w/next static IP from gateway IP, access rules allow traffic etc.
    Seems this should work… missing something?

    Odd thing is none of the statics other than gateway IP were usable until after a call to support.
    I have similar setup working elsewhere (non-comcast).

    • Bob Jackson February 5, 2015 at 10:19 pm

      Best to inquire with SonicWall technical support because I have limited experience with that product and haven’t tested it with the Comcast Business Class service. A Wireshark packet capture may provide insights as to why the NAT’d server isn’t reachable, e.g. if packets are leaving the SonicWall but the server isn’t responding, or the server is responding but the SonicWall is filtering the responses, etc. to isolate the issue.

  50. Aidan I February 5, 2015 at 10:27 pm

    Much appreciated. Used this successfully today.

    • Mr B February 6, 2015 at 10:27 am

      Thanks Bob, it does seem that ICMP’s are received via packet capture, but not going out (despite allow any any).
      Maybe another SonicWall user on this post has a reply.

  51. Scott D. Burgner February 16, 2015 at 5:11 pm

    Thanks, Bob, for putting together such a detailed article. You saved us quite a bit of time.

  52. John Cowan February 20, 2015 at 7:05 pm

    Hi Bob,

    Thanks for the great article and continuing help. I will join the fray!!

    We have Comcast Business with 13 static IP’s (presently using only one!). We plan to scale back to 5 IPs.

    Our IT guru is using an EdgeRouter lite and an unbridged CG3000dcr. The EdgeRouter feeds into a LAN ( spread over 3 buildings using fiber connected switches (NetGear GS110TP). In addition we have Comcast Voip using an Avaya 500 V2 controller and a separate Comcast modem for that. The phones use the LAN to connect to the controller.

    What I would like to do is dedicate (a Tieline codec) to its own WAN IP address with 3 ports forwarded. Later we will need to assign the other WAN static addresses to specific static addresses on the LAN (perhaps the phone controller).

    How does the pseudo-bridged Comcast modem present multiple external IP’s to the router so it can attach them to specific LAN addresses?

    Many thanks

    • Bob Jackson February 21, 2015 at 1:09 pm

      The Comcast gateway will present all useable public static IPs in your CIDR block to the gateway LAN ports. Your router configuration will decide where to route the static IP addresses.

      I think what you’re wanting to do is configure the EdgeRouter Lite for multiple static WAN IP addresses. See the Multiple IP on WAN with two LAN – NAT tutorial on the Ubiquiti Networks Community forum. Note the two public static IPs assigned to the WAN1 Eth0 interface.

      For other readers with a Linksys WiFi router, see the Multiple public IPs with one router using DD-WRT for a similar solution.


  53. Tom P March 9, 2015 at 10:39 am

    Hi Bob,

    I have followed your instructions above and still can not get an ipsec remote vpn tunnel to work.
    Comcast replaced the Cisco DCP3939 with the Netgear router you are showing above and it is configured exactly as you describe. We have one static public IP from Comcast.

    My internal LAN gateway is a Cisco ASA5505. The Netgear router does not see our ASA to port forward. Any ideas on what can be done?

    It also is not possible to enter a static route to the public ip on the ASA, I can only static route to the device.


  54. MrPete March 20, 2015 at 5:44 pm

    For what it is worth, you do NOT need to use multiple ports on the Comcast end for multiple static IP’s. It all depends on your internal router.

    You’ve already gone partway there in an example: 3 IP’s on separate ports, 2 IP’s on a shared port.
    To take it further, all 5 IP’s can be managed by a single internal router, as long as it is capable of handling this.
    It’s not difficult if the router is running DDWRT, Linux or any other reasonably powerful routing system.
    With DDWRT for example, I just added the following to the startup script and all static IP’s were available for further use:
    /usr/sbin/ip addr add 50.xx.xx.45/28 dev vlan2
    /usr/sbin/ip addr add 50.xx.xx.41/28 dev vlan2
    /usr/sbin/ip addr add 50.xx.xx.42/28 dev vlan2
    /usr/sbin/ip addr add 50.xx.xx.43/28 dev vlan2

    (the “/28” depends on the size of the assigned block. In this case, MORE than 5 IP’s.)
    Hope that helps someone…

  55. Earl Cory April 13, 2015 at 2:59 pm

    I have a Netgear CG3000DCR router and have it configured in the pseudo-bridge mode. I checked your article and my configuration and yours are the same.

    Instead of a Linksys router, I have a Small Business Server. The SBS DHCP server stops and the log file indicates that there is another DHCP server on the network. IP address is that of the IPV6 server on the Netgear, even though it is disabled.

    When I place a Zywall firewall in between, I remove the DHCP problem. But the Netgear appears to be blocking email coming in to my exchange server. I am able to send but not receive.

    This all worked just fine with the SMC 8014, but that device does not support higher speeds. Comcast replaced it with the Netgear, now I can not receive email.

    One strange thing is that occasionally, during a reset of the netgear box, email does come thru.

    • Bob Jackson April 13, 2015 at 9:04 pm

      Sounds like there are several problems & issues here:
      1 – DHCP server conflict, although inbound e-mail works without the firewall.
      2 – Firewall fixes DHCP server conflict but blocks inbound e-mail.

      Generally you’d want your own router/firewall between the Comcast Business gateway (CG3000DCR) and the Small Business Server (SBS). The router/firewall is often the DHCP server and the LAN default gateway (a.k.a. Internet gateway).

      For problem #1 I believe the SBS is rolling over to the CG3000DCR as the DHCP server (since the DHCP server is often the same as the LAN default gateway) when the SBS DHCP is down. The Comcast DHCP server responding to your SBS may not be the CG3000DCR (since its DHCP is disabled) but a DHCP server higher up in the Comcast network. However you can only “see” the IPV6 address of the CG3000DCR so it appears its internal DHCP server is responding.

      When you installed the Zywall firewall/router per item #2 above that solved the WAN/LAN isolation, LAN default gateway and conflicting DHCP server issues but it now blocks inbound e-mail. I think the e-mail problem is due to a firewall configuration issue.

      The best approach is to leave the firewall in the network and if you can’t or don’t want to run the SBS on a LAN private IP address with a NAT or VPN for remote access, configure a DMZ with the SBS on a Comcast public static IP address. Zywall tech support should be able to help you with the DMZ setup and debugging the inbound e-mail blocking.

      Let me know what solves the problem.


  56. Mark July 19, 2015 at 4:11 pm

    Hi Bob,

    I am using ATT Uverse at home and Comcast business at work. I am also running SBS 2011 at work. I have the static IP “gateway” address assigned to the WAN of the Comcast modem. I have another useable static IP address from Comcast that I am not using since my set up prior to changing to Comcast did not require it. Internally I have my LAN gateway set up as (not

    Here is my problem. I can RDP in from home but I have persistent reconnect issues, often every minute or two. Have you heard about this being an issue with Comcast business modems? Would your setup regarding the bridge configuration with a second modem remedy this situation as well?

    Thanks Bob.


    • Bob Jackson July 20, 2015 at 6:36 pm

      I’ve not tried running RDP through the Comcast Business Gateway. See the “Remote Desktop Connection constantly disconnects every 4 minutes” on the Comcast Business Forum for RDP troubleshooting suggestions.

      • Mark July 22, 2015 at 9:13 am

        Thanks Bob.

        I had an agent tell me that the Comcast modems can be troublesome when using RDP and/or VPN. Again, when RDPing to the office my connection hangs constantly and sometimes disconnects altogether although after about 30 seconds it will reconnect only to hang again.

        Thus far, Comcast has not offered to replace the modem.

        To “by-pass” the Comcast modem at the office, the agent suggested getting a second modem and creating a bridge.

        Would you agree with this? If so would this be how to do it?

        1) Assign the static IP to the new modem and put the Comcast modem in “bridge” status.
        2) Connect the 2 modems by the WAN ports.
        3) I am using as the internal LAN gateway and not Should this matter? Also, should there be a LAN IP for both modems?
        4) I currently have several necessary open/forwarded ports on my Comcast modem. Would I keep this open on the Comcast modem or open them on the new modem?

        Please let me know of any other configuration steps that I am missing.

        Thanks in advance.


        • Bob Jackson July 23, 2015 at 8:36 pm

          You can buy and “Use your own cable modem with Comcast Business Internet service”. See the link for details and list of approved cable modems. However the article states:

          “In certain circumstances, you will be required to use Comcast equipment: If you require a static IP for your account [emphasis added], you will need a Comcast-supplied IP Gateway device. Please read Comcast Business IP Gateway and Static IP overview for more information.”

          So I don’t agree with the agent’s advice and don’t know how you’d do that. The ISP (Comcast) controls the cable modem WAN IP address assignment, whether DHCP (dynamic IP) or static IP.

          Standard cable modems operate in bridge mode by default but require a DHCP address per Comcast’s policy. The Comcast Business Gateway is required for static IP’s because it’s a cable modem/router combination by which Comcast implements RIPv2 for your static subnet routing and security.

          What I would do is:
          * Make a network diagram with all IP address assignments.

          * “I am using as the internal LAN gateway and not” That looks like a typo. Shouldn’t it be for the Comcast Gateway IP address? I’m not logged into the gateway at the moment to verify the subnet can be modified. I’d also set up the LAN subnet on your router in a 192.168.x.x or 172.16.x.x range. Makes it stand out better when reading diagrams or reviewing packet captures.

          * Configure bridge mode as explained in the article. i.e. Don’t setup port forwarding on the Comcast Gateway, etc.

          * Manage all routing and firewall features on your router where you have full control, visibility and manufacturer documentation.

          * Start with the simplest configuration possible to get RDP working.

          I noticed this older comment by Luke about setting up RDP but he wasn’t using a static IP address.

          Let me know if you’re successful.


  57. Mark July 19, 2015 at 4:14 pm


    Let me also say that when I call a Comcast agent they see severe issues with the SNR (?) levels. It has been apparent to all 4 of the agents I spoke to. Their technicians, including a supervisor, that have made site visits insist that the agents do not fully understand what they are talking about and that the SNR levels will not impact my RDP connection. Thoughts?

    • Bob Jackson July 20, 2015 at 7:01 pm

      The Signal to Noise Ratio (SNR) is a measure of the signal clarity at your modem and separately at the cable company’s headend. I’d believe the field technicians over the call center agents because the field techs are very knowledgeable on this topic. A too low SNR value means noise levels are interfering with the signal; imagine trying to have a conversation (the signal) next to a busy highway (lots of noise). An extremely high SNR can be thought of as turning up the volume on your stereo until the sound becomes distorted. My guess is the SNR is on the high side but should still be fine per the field techs’ advice.

      Run a Speed Test ( to check your Comcast Internet performance. If the results are within the advertised range for your service tier I doubt SNR levels are the problem.

  58. Zo September 25, 2015 at 1:02 pm

    Good evening Bob.
    I have one problem which could be closely related to written above. I am not expert in Wi Fi so I would appreciate if you can give me some info about how to resolve this. I have two routers running DDWRT firmware (after market firmware) and I have one Internet modem with DHCP. I will need to daisy chain the two routers together. The Internet modem gateway ip address is for local pan that plugs into the wan port of router 1.

    One router should hold all data from POS devices attached to. The other router will just be free Internet access for the shop. Knowing this information how would you setup the system and what network IP’s would go where on each interface. I have I Pad (, Access point ( ) and two printers ( with their IP’s) that need to be attached.

    If this is too much, no problem, just ignore my msg.

    Thank you in advance and best regards

  59. Zo September 25, 2015 at 10:23 pm

    Thank you Bob very much. I will try to find out solution with those tutorials.

    Best regards

  60. Zo September 25, 2015 at 10:35 pm

    Yes, I have tried to connect two routers via LAN ports. Modem is connected in first router at WAN port. I disabled DHCP at second router. IP that first router is getting from modem is Manually I configured second router IP within the range of first one. ( Then I connected printer 1 ( and printer 2 ( to the router 2. I left subnet mask for each ( I do not know should I change subnet mask to be different for each device attached to second router – for example printer 1 subnet mask Also I do not know if I should connect iPad at first or second router. DNS and gateway for all devices at second router is
    Now, first router should for as Wi Fi AP for me, but I have separated AP to wide range of Wi Fi. IP of that AP is I do not know should I connect it to first router and how (LAN port or WAN). Maybe I do not have enough knowledge, but I can say that I am not totally stupid for that.

    Thank you

    • Bob Jackson September 28, 2015 at 9:46 pm

      The connection diagram is:
      Cable Modem — [WAN port] WiFi Router [LAN port] — [LAN port] WiFi Access Point

      where the WiFi Access Point is the 2nd WiFi router you’re configuring to run in Access Point mode.

      > I disabled DHCP at second router.
      Right – because you want only one DHCP server on the network for this application.

      > IP that first router is getting from modem is
      > Manually I configured second router IP within the range of first one.
      That’s correct. The Access Point IP address must be in the same subnet as the 1st WiFi router, e.g. Assign it the .254 address because it’s outside the 1st router’s DHCP allocation range and will avoid IP address conflicts.

      > Then I connected printer 1 ( and
      > printer 2 ( to the router 2.
      That won’t work because the 192.168.22.x subnet doesn’t match the 1st router’s subnet range of 192.168.0.x. The printers should get an IP address via DHCP from the 1st router in the 192.168.0.x subnet. If you want the printers to have a static IP address then configure them with a and address outside of the DHCP range.

      Putting everything in the 1st WiFi router’s subnet 192.168.0.x range eliminates double NAT’ing.

      If you’re still struggling with the setup try this tutorial or buy a WiFi Access Point with a built-in Wizard setup GUI. The TP-LINK TL-WA901ND Wireless Access Point is popular and easy to configure.

      You’re welcome,
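
The checks described in the reply above (every device in the first router's subnet, static addresses outside the DHCP range, no private address on the router's WAN port) as a small audit script. This is an added example, not part of the original comment; the /24 mask, the DHCP pool bounds and all host addresses are constructed sample values.

```python
import ipaddress

# RFC 1918 private ranges: one of these on the router's WAN port means the
# upstream gateway is still routing/NATing (the 10.1.10.x case in the article).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan (assumed /24 mask and DHCP pool bounds).
LAN = ipaddress.ip_network("192.168.0.0/24")
DHCP_POOL = (ipaddress.ip_address("192.168.0.100"),
             ipaddress.ip_address("192.168.0.149"))
STATIC_HOSTS = {
    "access-point": "192.168.0.254",  # outside the pool: fine
    "printer-1": "192.168.22.10",     # different subnet, as in the question
    "printer-2": "192.168.0.120",     # static address inside the DHCP pool
    "ipad": "192.168.0.254",          # same address as the access point
}


def audit_plan(lan, pool, hosts, router_wan=None):
    """Return sorted (host, problem) tuples for a LAN address plan."""
    findings, seen = [], {}
    for name, raw in hosts.items():
        addr = ipaddress.ip_address(raw)
        if addr not in lan:
            findings.append((name, f"{addr} is outside LAN subnet {lan}"))
            continue
        if addr in (lan.network_address, lan.broadcast_address):
            findings.append((name, f"{addr} is not a usable host address"))
        if pool[0] <= addr <= pool[1]:
            findings.append((name, f"{addr} is inside the DHCP pool"))
        if addr in seen:
            findings.append((name, f"{addr} duplicates {seen[addr]}"))
        seen.setdefault(addr, name)
    if router_wan is not None:
        wan = ipaddress.ip_address(router_wan)
        if any(wan in net for net in RFC1918):
            findings.append(("router-wan", f"{wan} is private: double NAT"))
    return sorted(findings)


if __name__ == "__main__":
    # 10.1.10.10 is a constructed WAN address in the gateway's 10.1.10.x range.
    for host, problem in audit_plan(LAN, DHCP_POOL, STATIC_HOSTS, "10.1.10.10"):
        print(f"{host}: {problem}")
```

An empty result means the plan has a single subnet, no static/DHCP overlap and a routable address on the router's WAN side.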

  61. Jeff R November 14, 2015 at 1:14 pm

    Note: the new Comcast business gateways (Cisco 3939B, Cisco 3941B) have a web interface button to enable/disable bridge mode. DO NOT use this button because it doesn’t work as you would expect. You still have to follow this great article in order to pass your static IP on to a router.

  62. Todd February 17, 2016 at 7:17 pm

    Bob, I’m trying to set up Remote Desktop back into my home office – I’ve done this in the past but now using Comcast Business class service and believe my Comcast modem gateway (CG3000DCR) is blocking the request to get to my Linksys e4200 (LAN wireless router). I don’t have a static IP address with Comcast – they want to charge $19 per month and I’d like to see if I can accomplish this without buying one.

    Previously I used DynDNS to create a hostname that would map back to my dynamic IP address….would then turn on Dynamic DNS on the Linksys router so that if my dynamic IP address changed, the client program on my desktop would update the Linksys router with the new IP address – all I needed was that same host name.

    Someone (think Luke) commented on this thread that he was able to accomplish this but I just didn’t follow exactly what he’s doing and didn’t want to screw up my network. Any thoughts on this? Somehow I need to allow traffic to get through that Comcast gateway but right now it’s blocking everything. Any thoughts? Thanks in advance for your help.

  63. Tim Dickerson October 18, 2016 at 5:35 pm

    Hi Bob

    Tnx for all the good information here. I am wondering if I could enable the bridge mode (sudo type lol) using the latest Cisco DPC3941B business class ‘thing’. With my old ISP (which I still have) I hooked my CAT 6 cable from the Mikrotik router located on the outside of my hanger directly to my Linux box running ClearOS (gw/firewall/server/router) and from there out to my HP GB switch. I let Rise Broadband lease space on my ham radio tower in exchange for free 20×10 internet….w/ 2 static IP’s…all via POE….so I just am hardwired right to the box outside.

    With this new Comcrap modem/router/gw, I was told I cannot disable most of the Cisco functions it has, put it in bridge mode (any kind) and assign my ClearOS box a static IP (I have 5 from Comcast) and then use the other NIC for my LAN 192.168.0.x then out to my switch. I don’t need the 5 statics…just one actually.

    I was also informed on /r/voip that it IS possible as others are doing it. Perhaps I need to request a modem only or other device…my own…if possible? Is sudo bridge mode more like a DMZ option?

    This sudo bridge mode seems to be the possible way to do this. If so, other than disabling certain things within the Cisco box then enabling the Bridge mode, do I need to call them for any reason?

    Tim Dickerson
    ARS N9NU
