This tutorial explains how to configure a Comcast Business Class static IP address to enable remote access to network clients from the Internet. The Comcast Business IP Gateway (SMC8014 or NETGEAR CG3000DCR) is configured for pseudo bridge mode by disabling the normal routing, firewall, NAT and DHCP functions. The Internet-routable static IP address is assigned the Linksys WiFi router WAN interface for remote Internet access to LAN clients.
I was helping a small business setup IP network cameras with the Comcast Business Class cable modem service but ran into a problem with Internet remote access: the DDNS agent in the Linksys WiFi router was showing a 10.1.10.10 (“10 space”) non-Internet routable private IP address. I logged into the Dyn Remote Access account saw the 10.1.10.10 private IP address listed in the Host Services table.
The problem is the Comcast IP Gateway operates in Router Mode and assigns a 10.1.10.x private IP address to the Linksys router WAN interface. My first thought was to request a standard cable modem which operates in Bridge Mode, however Comcast Business does not support static IP addresses on standard cable modems and you must use their Business IP gateway (cable modem/router combo) to get an Internet routable static IP address.
Comcast Business Class Internet will install a NETGEAR CG3000DCR IP Gateway which is a cable modem and router combo that runs a custom firmware load by Comcast. (We originally had an SMC8014 gateway which Comcast replaced with a NETGEAR CG3000DCR when the SMC8014 failed). The Comcast IP Gateway does not support true Bridge Mode as compared to a basic cable modem nor does it provide a simple user menu option to select the “bridge mode | router mode” working mode like some gateways. Remote Internet access to the LAN network clients requires subscribing to Comcast’s Static IP Service and disabling the various Comcast IP Gateway firewall, NAT and DHCP features for the routed equivalent known as “pseudo-bridge mode”. Comcast Customer Support will remotely reconfigure the gateway for you upon request when the Static IP address is activated.
After configuring pseudo-bridge mode the DDNS agent in the Linksys router can now update the Dyn Remote Access service with the Internet routable WAN IP address. Remote Internet access now works with an easy to remember DDNS host name and port forwarding, e.g. https://myhost.homedns.org:443 or the just static IP address, e.g. https://173.xxx.yy.185:443 where the “:443” is the port number to be forwarded by the Linksys router to a particular LAN client.
I called Comcast and subscribed to one (1) static IP address service because a single IP address assigned to the Linksys WRT54GS WiFi router WAN interface would do the job. The sales person said a confirmation e-mail would be sent with the new static IP in 3 to 5 business days. Several days later, an e-mail confirmation arrived with the new IP address, gateway IP, subnet mask, DNS server IPs and instructions to call Comcast Tech Support’s toll free number to active the static IP service. The e-mail was brief and to the point:
Dear Customer, Below is the Static IP information for Account # xxxxxxxxxxxxxx
Static 173.xxx.yy.185 (Static IP address for my Linksys router) Gateway 173.xxx.yy.186 (Static IP address of the CG3000DCR or SMC8014 gateway) Subnet Mask: 255.255.255.252
Primary DNS: 68.87.68.162 Secondary DNS 68.87.74.162
Note: Static IP's will not be active/available until the file is downloaded to your gateway. Please call Tech Support. 800.391.3000 or reply to this email when you want to make the change.
Comcast offers 1, 5 or 13 usable static IP addresses. “Usable” means the quantity of IP addresses that are available for assignment to your devices. IP subnetting rules require that IP addresses are allocated in blocks of certain fixed sizes. To obtain one (1) useable IP address a /30 CIDR block is allocated. (You can skip the following CIDR block details because the essentials are given in Comcast’s e-mail notice above.)
Comcast Business Static IP Block Assignment: One (1) Customer Usable IP Example
Recall that the Network ID and Broadcast IP addresses cannot be assigned your network hosts (LAN devices). Comcast also assigns the highest usable IP address to the Business gateway WAN interface. Therefore 3 IP addresses in any CIDR block are reserved and not customer usable.
If I had purchased 5 usable static IP addresses for a more complex LAN network application then Comcast would allocate /29 CIDR block:
Comcast Business Static IP Block Assignment: Five (5) Customer Useable IPs Example
The Comcast static IP network diagram for one usable IP address with the NETGEAR CG3000DCR is:
I recently had the pleasure of reviewing the Fluke LinkSprinter Network Tester. It automatically tests:
It’s affordable, easy to use and takes the guesswork out of network test and troubleshooting.
Comcast Business Support (800) 391-3000 can remotely configure the IP gateway for the routed equivalent to Bridge Mode, which disables the DHCP, DNS, NAT, firewall, static routing, filtering, etc. functions. This will allow your firewall/router to provide the LAN DHCP, NAT, port forwarding, VPN, etc. functions under your control.
I noticed both the older SMC8014 and newer NETGEAR CG3000DCR both have the same custom firmware designed by Comcast. See the (circa 2006) Comcast Business IP Gateway User Guide for details which doesn’t include the IPv6 menu options in the latest firmware versions.
The NETGEAR CG3000DCR can be configured for pseudo bridge mode by connecting your computer to a LAN port on the gateway and logging in with a web browser:
You’ll be presented with the Comcast Business Gateway Welcome Screen:
Clicking Gateway Summary → Gateway Status displays the Firmware Version, Operating Mode, etc. The Operating Mode will always state “Residential Gateway” as of this writing:
Clicking Gateway Summary → Network will display the Internet and Local network settings. Comcast automatically assigns the highest useable IP address, e.g. 173.xxx.yyy.186, to the Gateway WAN Internet IP Address. Your Static IP Block in CIDR notation (/30) is also displayed:
The pseudo bridge mode configuration settings for the NETGEAR CG3000DCR are as follows with selected screen grabs for the essential settings.
The following steps will configure the CG3000DCR (or the discontinued SMC8014) for pseudo bridge mode by disabling the various Comcast gateway router functions.
NETGEAR CG3000DCR LAN Settings:
Take care to disable the LAN DCHP option last because it will reset/reboot the gateway!
Note: DHCP and DNS services will be configured in the Linksys WRT router.
The NETGEAR CG3000DCR will reboot after DHCP is disabled and the apply button is clicked:
The Comcast provided static IP address, subnet mask and gateway must be configured on the Linksys WRT router to enable Internet access. The configuration is simple by flipping the Internet Connection Type from DHCP to Static IP through these steps:
Static 173.xxx.yy.185 (Static IP address for my Linksys router) Gateway 173.xxx.yy.186 (Static IP address of the CG3000DCR gateway) Subnet Mask: 255.255.255.252
DDNS isn’t necessary with a static IP address but it does provide a way to configure an easy to remember host name to reach simple LAN clients like an IP camera. If you’re setting up a web server for a domain name you’ll want to subscribe to a DNS service and create DNS Zone records for your Comcast Static IP’s.
This next step assumes you have already created a DDNS Account with Dyn Remote Access and have a DDNS host configured.
Navigate to the Setup → DDNS menu in the Linksys WRT WiFi router. Input your DDNS account user name, password and host name. Click Save Settings and check the DDNS update status which should be “DDNS is updated successfully.” The DDNS service will register the Comcast Static IP address 172.xxx.yyy.185.
Port forwarding maps Internet requests from the static IP address to a private LAN IP address to access LAN clients (computers, cameras, etc.) via the DDNS host name and port, e.g. https://myhost.homedns.org:443 or directly with the static WAN IP address of the Linksys router, e.g. https://173.xxx.yyy.185:443. For port forwarding configuration instructions, see this project.
An example port forwarding configuration where unused ports are assigned to the LAN clients to avoid conflicts with other network services:
In the future if you want to log in to the CG3000DCR (or older SMC8014) gateway:
Note that you will not be able to access the CG3000DCR Admin GUI if your computer is plugged directly into a LAN port on the CG3000DCR (or the older SMC8014) when DHCP is disabled on the Comcast IP gateway because your computer won’t receive a DHCP 10.1.10.x IP address. What you need to do is temporarily assign a 10.1.10.x static IP address to your computer. This is only needed if you can’t connect through the Linksys router.
For Windows 7 the computer private static IP configuration steps are:
You can now point your web browser to http://10.1.10.1 to log into the Comcast IP gateway when DHCP is disabled for pseudo-bridge mode and your PC is connected to a gateway Ethernet LAN port. When you’re finished remember to go back and change your IPv4 properties back to select “Obtain an IP address automatically“.
See the Ubiquiti EdgeRouter Lite SOHO Network Design project for a small business or advanced home office network complete with firewall, VLANs, WiFi Access Point and OpenVPN remote access.
