comcast user
@comcast.net

comcast user

Anon

[Business] how to bridge a smc 8014 business class modem

Log into the modem (10.1.10.1 is the default IP); user name: CUSADMIN, password: highspeed.

Disable LAN DHCP.
Configure the DMZ for your internal router IP (the WAN IP in this case, i.e., 10.1.10.xxx), and configure a port forward to the router IP. I also disabled the firewall options.

I also set my router to a static IP just to ensure that I didn't lose my route.
donhoffman
join:2001-02-22
Portland, OR

4 edits

donhoffman

Member

The above is probably OK if you have a dynamic address. However, if you have one or more static addresses, IMHO here is a better way to set it up.


If you are like me with 1 static address, Comcast assigns you an address range with a /30 netmask (aka 255.255.255.252). You really get two addresses: one for the Comcast-provided router (which they don't directly tell you about, but which is implied by the netmask and can be verified via testing) and one that is transparently sent through that router to a node with your static address. For example, assume I have 173.YYY.XXX.169 as my static address; then the WAN address of the Comcast-provided router will be 173.YYY.XXX.170. It is a common approach to make the router IP address the highest one in the address range. The node on the static address can be either a server or another router with NAT, etc.


Setup is quite simple.
You need to go to the SMC firewall setting and check "Disable Firewall for True Static IP Subnet Only".
Then set the WAN address of the router you provide to your static address (with the above netmask), connect it to one of the ethernet ports on the Comcast router, and you should be good to go. (BTW, if the router you provide does not provide NAT/firewall functionality, you might want to leave the above setting off and go into the more complex setup under "True Static IP Port Management" and selectively allow services through.)


Comcast's approach is kind of cool, since if you just use the facilities of the SMC router (i.e., don't stick a second layer of router in there), you can actually use both addresses. In my actual setup, I use the .169 address for my primary server and use the NAT/port-mapping function on the SMC to port forward to other servers (e.g., remote desktop access or services I am testing out). Any box that uses the NAT function will show up on the Internet with the address of the router, not my static server address. (Also note that you will not be able to forward port 80. This is used by the router for management.)

I had originally wanted to do what you do and reuse my existing router. However after moving the VPN functionality off that router to my server (I use OpenVPN) I decided to go for a simplified setup. The SMC router has all the basic functionality needed for a SOHO or SMB router in my opinion. (Its main lack is good bandwidth monitoring or intrusion detection.)


Finally... Strictly speaking, neither of our approaches is actually "bridging", as this is a Layer 2 function and we are both suggesting L3/routing techniques. In your example, you are setting up a multi-layer NAT. In my example, we are just using routing as it was intended to be used.

Don
donhoffman

1 edit

donhoffman

Member

One other thing that got me when setting up the SMC... Some of the web forms do not work correctly on Safari. I had to use Firefox to set things up.
jreiter
join:2004-01-29
Longmont, CO

jreiter to comcast user

Member

to comcast user
I just had to call Comcast Biz Support and they made a change on their end and put the modem into some sort of bridge mode to go to my Cisco ASA. Works great.
donhoffman
join:2001-02-22
Portland, OR

2 edits

donhoffman

Member

said by jreiter:

I just had to call Comcast Biz Support and they made a change on their end and put the modem into some sort of bridge mode to go to my Cisco ASA. Works great.
I believe that what they did was log in to your Comcast router and just configure it the way I said. That is certainly easier from your standpoint.

One way to confirm. What did they tell you to use for the default router on the WAN side of your cisco? Is it 1 off from your static address? (or less than 5 if you have 5 static addresses.)

I would be interested in finding out if the SMC 8014 is capable of being a true bridge device (i.e., where forwarding is done based strictly on L2 frames and not on IP address information). There is clearly no such UI in the customer-visible management interface.
jreiter
join:2004-01-29
Longmont, CO

jreiter

Member

Yes, it is 1 off on the IP address. I tried to do it on my own first and it would not do it. Now, whether or not this part is true, I am not sure, but the guy at Comcast said that what he was doing to the modem had to be done from their end, and that if I even wanted to go back I had to call and have them reverse it. A "reset" on the modem wouldn't reverse that part.
I highly doubt it is doing a true bridge, because I can plug different devices into it and still get online from the modem, even though it is ahead of the ASA.
wozz007
join:2008-09-09
Greensburg, PA

wozz007 to comcast user

Member

to comcast user
Make sure smart packet detection is disabled as well; it will cause connectivity issues with specific URLs or IP addresses if left on.
donhoffman
join:2001-02-22
Portland, OR

donhoffman to jreiter

Member

to jreiter
said by jreiter:

Now, whether or not this part is true, I am not sure, but the guy at Comcast said that what he was doing to the modem had to be done from their end, and that if I even wanted to go back I had to call and have them reverse it. A "reset" on the modem wouldn't reverse that part.
Yep, probably set up like mine. I don't think there are ever any usage scenarios where you would need to reverse it or go back. I guess they could assign your static IP address as the WAN address of the SMC, but since it already has its own static address you would gain nothing. (Other than they might not be willing to change the reverse DNS on the router static address.) But even if you got rid of your ASA and started to use the SMC as your primary router (as I do), nothing needs to be done.

My installer took it directly out of the box and it was ready to be configured with a True Static route the first time I logged in to it.

So, question: has anyone else had an install where they could not follow my suggestion above until they had called Comcast? It could have been that the sales rep passed my desire on to the installers and they did the right thing without asking.
donhoffman

donhoffman to wozz007

Member

to wozz007
said by wozz007:

Make sure smart packet detection is disabled as well; it will cause connectivity issues with specific URLs or IP addresses if left on.
I second this. Just solved an issue I was having with MobileMe services.
SirKuz
join:2002-01-29
Saranac, MI

SirKuz to comcast user

Member

to comcast user
We have just had business service installed with this device as well, and I have run into one small issue so far.

I have the router set up for DHCP and NAT for all clients, with the exception of 1 test server we have.

The test server is configured with 2 network cards: one is set up with one of the external IPs for access to IIS test sites, the other NIC is set up with an internal IP for internal testing purposes.

FTP is running on this server and listens on both interfaces.

FTP client connects to internal IP address:
Upload speed = 100 Mbps
Download speed = 100 Mbps

Perfect.

FTP client connects to external IP address:
Upload speed = ~40 Mbps
Download speed = 100 Mbps

Download great... upload is being limited somewhere?

Any ideas what in this configuration might be limiting the upload when connecting on the externally assigned IP?

DarkLogix
Texan and Proud
Premium Member
join:2008-10-23
Baytown, TX

DarkLogix

Premium Member

Protocol overhead.
I'm guessing that your setup is something like this:

SMC-SERVER-INTERNAL

and you mean that you're testing from inside to the different IPs.

Then you have additional latency to the other side of the server, and that might slow it down.

To fully test this you'd need to use a crossover cable to connect computers directly to each side of the server and run 4 tests. My guess is that the upload would be like this:
Ext-PC to Ext-NIC: 100
Ext-PC to Int-NIC: 40
Int-PC to Int-NIC: 100
Int-PC to Ext-NIC: 40
wozz007
join:2008-09-09
Greensburg, PA

wozz007 to comcast user

Member

to comcast user
I did get some clarification on the SMC device: if you put the modem into bridge mode (LAN DHCP, firewall off) and you are not using a static IP address, then unless you are using a DMZ (which is not advised, as your connection will be fully open) you will not be able to get an IP address to pass through the modem. That's what tech support said anyway; any ideas on that from anyone?
SirKuz
join:2002-01-29
Saranac, MI

SirKuz to DarkLogix

Member

to DarkLogix
Setup is SMC -> Switch -> all clients.

The server has a NIC assigned with all external settings, and the option "Disable Firewall for True Static IP Subnet Only" is enabled.

So all other clients are connected just like the server, except they don't have static external IPs assigned to them; they are receiving DHCP addresses from the SMC and the SMC is handling the routing duties.

I am not understanding how 60% of the link on uploads would be protocol overhead for standard FTP traffic when it's going to the externally addressed NIC. Shouldn't the router handle this traffic fairly easily and it be 100 Mbps both up and down to that FTP?

DarkLogix
Texan and Proud
Premium Member
join:2008-10-23
Baytown, TX

DarkLogix

Premium Member

In some NIC tests I've done, the NICs just couldn't do more than 50 Mbps.
It's odd and kind of funny, but cheap Broadcom/Marvell/Linksys NICs are just crap and don't work well with high bandwidth.

The only NICs I've found that could reach 80-90% of theoretical are Intel Pro NICs (really good offloading).

And then with Intel Pro/100s I've only gotten 40% over IPv6.

Basically you need to test if that server can do up and down on both NICs.

Test what each NIC can do all by itself.
SirKuz
join:2002-01-29
Saranac, MI

SirKuz

Member

I did test that fairly early on with the NICs. I basically just flip-flopped their assigned addresses to see how they reacted, and whatever NIC was assigned the external IP I could only upload to at ~40 Mbps. Very strange...

JDCynical
Always Mount A Scratch Monkey
join:2002-01-09
Beaverton, OR

JDCynical

Member

said by SirKuz:

I did test that fairly early on with the NICs. I basically just flip-flopped their assigned addresses to see how they reacted, and whatever NIC was assigned the external IP I could only upload to at ~40 Mbps. Very strange...
Wild guess...

FTP to one of your servers via a Comcast-assigned IP: upload speeds capped.

FTP to one of your servers via an internal IP behind the SMC: full speed in both directions.

On Comcast's network, IIRC, the modem is what sets the speed of the connection (modem uncapping scripts, anyone?).

I would hazard a guess that the modem isn't smart enough to realize that the traffic isn't leaving your subnet, and is capping the upload speed as it would if someone from outside your subnet had accessed the FTP.
donhoffman
join:2001-02-22
Portland, OR

4 edits

donhoffman to SirKuz

Member

to SirKuz
SirKuz,

I guess you are more or less seeing results like I would expect.

Here is a long and pedantic explanation as to what is going on.

As you mention, your clients are using the SMC-assigned DHCP address. Let's call that 192.168.1.X/255.255.255.0 for the purpose of discussion. In addition to their IP address, all clients are assigned a default router by the DHCP server. The SMC would set it to its address on the internal network. Let's assume that the default router address is 192.168.1.254. One of the interfaces of your server is on that network also. Let's assume it has an address of 192.168.1.10.

In addition, you have assigned the second interface of the server to the external static address. Let's call that 173.XXX.YYY.170.

So, a client (let's call it 192.168.1.155) sends an FTP packet to 192.168.1.10. The client knows that its ethernet interface is on the 192.168.1.0 network, the same network as 192.168.1.10. In that case, the packet goes directly over the switch to the server. The router never sees it. On the way back, the server has a packet for 192.168.1.155. It notices that one of its interfaces is on the same network (again 192.168.1.0) and sends it out that ethernet interface to 192.168.1.155. Again the packet goes through the switch. With both directions via the switch you should see application-level throughput up to maybe 80 Mbps. This is in line with what you see.

Now let's look at the case where the client sends to the external address of the server (173.XXX.YYY.170). The client notices that the destination address is NOT on the same network as its ethernet interface. OK, so it looks at its routing tables and finds a wildcard default entry (put there by DHCP) that points to the router. So off the packet goes to the router.

Now is where things get slowed down. A cheap router like the SMC is orders of magnitude slower than even the cheapest of switches (including the one that is built in for the 4 integrated ethernet ports). So rather than taking microseconds (or less) to process the packet in hardware, it is taking a handful or so of milliseconds to process the packet in software running on a cheap embedded processor. This is not much, but it is enough to limit the bandwidth/delay product of the TCP connection to only allow it to pump through 40-50 Mbps. (Google on "bandwidth delay product TCP" to understand why in more detail.) The exact maximum throughput can be computed if you know the latency, but you have experimentally determined that it is 40 Mbps. (There could be other limiting factors, but I believe that latency is the one which dominates here.)

Now, the router recognizes that 173.XXX.YYY.170 is on its internal interface and sends the packet back out that interface to the server's external address. When it comes time to respond to that packet, the server sees that the original source address is 192.168.1.155. As in a couple of paragraphs back, it now sends it out on its internal interface (192.168.1.10) directly to the client. This packet does not go through the router, so it goes quickly and can get much higher throughput. This whole process is what is known as an asymmetric route. Perfectly correct, if sometimes a bit confusing.

(Just a side note. Since the packet was both sent and received on the same interface of the router, it does not get NATed by the router. Some routers might NAT the packet, so in that case both directions would go through the router and both directions would be slow if sent via the external address.)

A solution to this is easy if you run your own DNS servers like I do. You set up the DNS in what is called a "split" configuration. When an internal client looks up ftp.mydomain.com it gets the internal address of 192.168.1.10. When an outside client looks up ftp.mydomain.com it gets the external address of 173.xxx.yyy.170.

One more thing. It is unlikely that the SMC router is doing any bandwidth management on internal transit packets (aka capping). Normally things like token buckets are done on the outgoing WAN interface, which is relatively slow. Bandwidth management on a 100 Mbps ethernet interface would be out of the price range for this device IMHO. (And would be of little use anyway.) I believe the throughput drop when going through the router is almost entirely due to bandwidth*delay issues.
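The walk-through above can be checked with a small model. The following is an added example, not code from the thread or from any of its posters: it reproduces each host's forwarding decision for both directions of the FTP session, flags the asymmetric route, and applies the bandwidth-delay bound (one receive window per round trip) to get the throughput ceiling. The addresses follow the post (173.0.0.170 stands in for the elided 173.XXX.YYY.170); the per-hop delays, the 64 KB window and the ftp.example.com zone data are assumptions of the example, not measured or real values.

```python
# Added example (not code from the thread): model of donhoffman's asymmetric-route
# explanation and of the bandwidth-delay bound it imposes on TCP. Per-hop delays,
# the 64 KB window and the DNS zone are assumed values.
import ipaddress

LAN        = ipaddress.ip_network("192.168.1.0/24")
STATIC_NET = ipaddress.ip_network("173.0.0.168/30")   # constructed true-static /30
ROUTER_LAN = ipaddress.ip_address("192.168.1.254")    # SMC inside address, the DHCP default router
SERVER_INT = ipaddress.ip_address("192.168.1.10")     # server NIC on the LAN
SERVER_EXT = ipaddress.ip_address("173.0.0.170")      # server NIC on the static subnet
CLIENT     = ipaddress.ip_address("192.168.1.155")

# Networks each host is directly connected to (the server has two NICs).
IFACES = {"client": [LAN], "server": [LAN, STATIC_NET]}
OWNER = {CLIENT: "client", SERVER_INT: "server", SERVER_EXT: "server"}

# Assumed one-way delays: a hardware switch versus the SMC forwarding in software.
SWITCH_DELAY_S = 0.00005   # 50 microseconds
ROUTER_DELAY_S = 0.013     # 13 ms, the "handful or so of milliseconds" in the post

WINDOW_BYTES = 65535       # classic TCP receive window with no window scaling (assumed)
LINK_MBPS = 100.0          # Fast Ethernet on the SMC ports and the server NICs

def next_hop(host, dst):
    """A host's forwarding decision: on-link if dst is in a connected network,
    otherwise the DHCP-supplied default route to the router."""
    return "direct" if any(dst in net for net in IFACES[host]) else "router"

def one_way_delay(host, dst):
    hop = next_hop(host, dst)
    return hop, SWITCH_DELAY_S + (ROUTER_DELAY_S if hop == "router" else 0.0)

def session(client_addr, dst):
    """Trace both directions of a TCP session. The reply is addressed to the
    client's own address, which the server reaches on-link even when the request
    arrived via the router: that is the asymmetric route."""
    fwd_hop, fwd_delay = one_way_delay(OWNER[client_addr], dst)
    ret_hop, ret_delay = one_way_delay(OWNER[dst], client_addr)
    return {"forward": fwd_hop, "return": ret_hop,
            "asymmetric": fwd_hop != ret_hop, "rtt_s": fwd_delay + ret_delay}

def bdp_throughput_mbps(rtt_s, window=WINDOW_BYTES):
    """Bandwidth-delay product bound: at most one window of data per round trip."""
    return window * 8 / rtt_s / 1e6

def rtt_for_throughput(mbps, window=WINDOW_BYTES):
    """Inverse: the round-trip time that limits the window to the given throughput."""
    return window * 8 / (mbps * 1e6)

def expected_throughput_mbps(client_addr, dst):
    """Throughput is the smaller of the link rate and the window/RTT bound."""
    return min(LINK_MBPS, bdp_throughput_mbps(session(client_addr, dst)["rtt_s"]))

def split_dns(name, querier):
    """Split-horizon DNS: LAN clients get the internal address, everyone else the
    external one, so internal sessions never touch the router."""
    records = {"ftp.example.com": (SERVER_INT, SERVER_EXT)}   # constructed zone data
    internal, external = records[name]
    return internal if querier in LAN else external

if __name__ == "__main__":
    for target in (SERVER_INT, SERVER_EXT):
        s = session(CLIENT, target)
        print(f"to {target}: forward via {s['forward']}, return via {s['return']}, "
              f"asymmetric={s['asymmetric']}, rtt={s['rtt_s'] * 1000:.2f} ms, "
              f"bound={expected_throughput_mbps(CLIENT, target):.1f} Mbps")
    print(f"RTT that caps a 64 KB window at 40 Mbps: {rtt_for_throughput(40) * 1000:.1f} ms")
    print("LAN client resolves ftp.example.com to", split_dns("ftp.example.com", CLIENT))
```

With these assumed delays the session to 192.168.1.10 is symmetric and link-limited at 100 Mbps, while the session to the external address has an RTT of about 13 ms and is window-limited to roughly 40 Mbps; `rtt_for_throughput(40)` shows that a 64 KB window needs only about 13 ms of round-trip delay to produce the number SirKuz measured, which is the kind of latency a software-forwarding SOHO router adds.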
lorennerol
Premium Member
join:2003-10-29
Seattle, WA

lorennerol

Premium Member

Great post.

Excellent explanation of why you're better off to get your own router, and a network switch to place inside the router: Rely on the SMC junk as little as possible.
donhoffman
join:2001-02-22
Portland, OR

1 edit

donhoffman

Member

said by lorennerol:

Great post.

Excellent explanation of why you're better off to get your own router, and a network switch to place inside the router: Rely on the SMC junk as little as possible.
Well, you need to go to quite a bit higher price point to get something much better than the SMC, which is effectively "free" (e.g., the really low-end Cisco routers have a similar architecture). I find the SMC quite adequate for my purposes. You just need to set it up right and understand the usage scenarios.
lorennerol
Premium Member
join:2003-10-29
Seattle, WA

lorennerol

Premium Member

said by donhoffman:

said by lorennerol:

Great post.

Excellent explanation of why you're better off to get your own router, and a network switch to place inside the router: Rely on the SMC junk as little as possible.
Well, you need to go to quite a bit higher price point to get something much better than the SMC, which is effectively "free" (e.g., the really low-end Cisco routers have a similar architecture). I find the SMC quite adequate for my purposes. You just need to set it up right and understand the usage scenarios.
My issue is that I am required to depend on this hunk of junk: There is no other option with Comcast Biz service if you need static IPs. Good ISPs don't require their customers to use home-grade hardware for business purposes.
donhoffman
join:2001-02-22
Portland, OR

donhoffman

Member

said by lorennerol:

My issue is that I am required to depend on this hunk of junk: There is no other option with Comcast Biz service if you need static IPs. Good ISPs don't require their customers to use home-grade hardware for business purposes.
Fair enough. But in fact, I expect the other providers to go the direction of Comcast in the long run. Margin pressures in a slow economy will tend to force this for SMB and SOHO installations, along with the general consumerization of business IT technology (e.g., ref the iPhone). All just unsupported gut feel though. (Although the gut has been in the industry for 28 years.)
dgregait
join:2007-08-01
Plano, IL

dgregait

Member

Good morning to all,

We have just gotten Comcast Biz internet installed.

First off, we have an AT&T DSL. We got the Comcast as a failover redundancy.

We have a 'firewall' device. This is a PC with 3 NICs, running Linux firewall software. 1 NIC is set to the internal network, 1 NIC is set for the AT&T DSL address (static), and the 3rd NIC was put in to work with the Comcast we had ordered. This firewall works great (and has for 4 months) with the AT&T DSL device and our static IPs.

The Comcast has been installed and we have 5 static IPs assigned. The Comcast techs have said that what we want to do cannot be done with their network.

Basically we want to get the Comcast router to pass traffic directly to our firewall device. We have tried NATing, double NATing, port forwarding. Nothing works as it should.

At one point last night we were able to get port 80, and only port 80, to forward to the internal system.

It has been a long night messing with this, so I am sure I missed something. Any thoughts or ideas would be a great help.

We even went as far as looking at buying our own modem to replace the Comcast one, but have been told that this would not allow us to use the static IPs that have been assigned. This sounds a little off as well. One would think the static IPs were bound to the MAC address of the router/modem.
lorennerol
Premium Member
join:2003-10-29
Seattle, WA

lorennerol

Premium Member

I have the SMC gateway passing my usable IPs to my router, where I'm doing 1:1 (aka 'Full') NAT. I don't know anything about your Linux router, but what you want to do can be done with the Comcast biz service and the SMC gateway.

FYI, what most people call NAT is actually PAT, port address translation, where a single port is routed to a single port on an internal IP. True NAT maps a public IP to an internal IP, and the open ports are controlled by firewall settings.

DarkLogix
Texan and Proud
Premium Member
join:2008-10-23
Baytown, TX

DarkLogix to dgregait

Premium Member

to dgregait
The SMC is a modem/router, and the way it can be used is as a router (I use mine without NAT or PAT; I just let it route between the cable network and the 5-IP net).

You should first test it: connect a computer to it and assign one of the 5 public IPs you were issued.

There is a 6th IP in that subnet, most likely 1 higher than your highest issued IP; you use that IP as your default gateway.

i.e., you have z.y.x.1~5 with a subnet mask of 255.255.255.248.

Also turn off the DHCP server built into the SMC.

This will put your 5 IPs on the Linux box (I'd suggest only using 4 and leaving the last one for testing).

You might need to call Comcast to be sure that they have the CMTS set right (I had to).
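Both donhoffman's /30 description earlier in the thread and the /29 layout in the post above come down to the same subnet arithmetic: from the one address and mask the customer is given, derive the block, the addresses the customer may use, and the gateway that Comcast's router occupies. The following is an added example, not code from the thread or any poster; it assumes, as both posts observed, that the gateway is the highest usable address in the block, and it uses constructed documentation-range addresses (198.51.100.x, 203.0.113.x) in place of real ones.

```python
# Added example (not code from the thread): derive the true-static layout from the
# single address and mask a customer is given. Assumes the gateway is the highest
# usable address in the block, as both posts observed. Addresses are constructed.
import ipaddress

def true_static_plan(static_ip, netmask):
    """Return the subnet, the customer-usable addresses, the implied gateway and the
    values to enter on the WAN side of the router or server the customer provides."""
    iface = ipaddress.ip_interface(f"{static_ip}/{netmask}")
    net = iface.network
    hosts = list(net.hosts())                  # excludes network and broadcast addresses
    gateway = hosts[-1]                        # assumption: Comcast's router takes the top address
    customer = [h for h in hosts if h != gateway]
    return {
        "network": str(net),
        "gateway": str(gateway),
        "customer_addresses": [str(h) for h in customer],
        "wan_config": {"address": str(iface.ip),
                       "netmask": str(net.netmask),
                       "gateway": str(gateway)},
    }

def is_plausible_gateway(static_ip, netmask, gateway):
    """The confirmation donhoffman suggests: the gateway handed out by support should
    lie in the same block and be the address just above the customer addresses."""
    plan = true_static_plan(static_ip, netmask)
    net = ipaddress.ip_network(plan["network"])
    return ipaddress.ip_address(gateway) in net and gateway == plan["gateway"]

def gateway_offset(static_ip, gateway):
    """How many addresses above the customer address the gateway sits
    (1 for a single-address /30, up to 5 for a five-address /29)."""
    return int(ipaddress.ip_address(gateway)) - int(ipaddress.ip_address(static_ip))

if __name__ == "__main__":
    for ip, mask in (("198.51.100.169", "255.255.255.252"),   # one static address, /30
                     ("203.0.113.3", "255.255.255.248")):      # five static addresses, /29
        plan = true_static_plan(ip, mask)
        print(plan["network"], "customer:", plan["customer_addresses"],
              "gateway:", plan["gateway"], "WAN:", plan["wan_config"])
```

For the /30 case the block is 198.51.100.168/30, the customer keeps .169 and the gateway is .170; for the /29 case the customer gets .1 through .5 and the gateway is .6, one above the highest issued address, matching the post above. `is_plausible_gateway` returns False for a gateway outside the block or one that is not the top address, which is a quick sanity check on what support reads out over the phone.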
DarkLogix

DarkLogix to lorennerol

Premium Member

to lorennerol
There is a difference between true NAT and actual routing.

PAT (port address translation): use 1 IP for many hosts.
NAT (network address translation): use one IP per host, with the hosts using a private IP so that the IP the world sees isn't the IP on the host.

Actual routing: the IP is assigned to the host and no NAT translations take place.
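The three modes in the post above differ in exactly which header fields the edge device rewrites, which is easiest to see with a small packet model. The following is an added example, not code from the thread or a description of the SMC's implementation: a toy translator that applies each mode to outbound packets and then shows what happens to an unsolicited inbound packet. The addresses are constructed documentation-range values and the PAT port pool starting at 40000 is an assumption of the example.

```python
# Added example (not code from the thread): minimal header-rewriting model that
# contrasts routing, 1:1 NAT and PAT. Addresses and the port pool are constructed.
PUBLIC_ONE = "203.0.113.10"                       # the single public address shared under PAT
NAT_MAP = {"192.168.1.10": "203.0.113.11",         # 1:1 NAT: one public address per inside host
           "192.168.1.20": "203.0.113.12"}
REVERSE_NAT = {pub: priv for priv, pub in NAT_MAP.items()}
HOSTS = [("192.168.1.10", "203.0.113.11"), ("192.168.1.20", "203.0.113.12")]  # (private, public)

class Translator:
    """Rewrite the IP/port headers of packets crossing the edge device in one mode."""

    def __init__(self, mode):
        assert mode in ("routing", "nat", "pat")
        self.mode = mode
        self.pat_table = {}            # (inside_ip, inside_port) -> outside_port
        self.next_port = 40000         # assumed start of the PAT port pool

    def outbound(self, pkt):
        """Inside -> Internet. Returns the packet as the outside world sees it."""
        pkt = dict(pkt)
        if self.mode == "routing":
            return pkt                                   # the public address is on the host itself
        if self.mode == "nat":
            pkt["src_ip"] = NAT_MAP[pkt["src_ip"]]       # address swapped, port untouched
            return pkt
        key = (pkt["src_ip"], pkt["src_port"])           # PAT: many hosts behind one address
        if key not in self.pat_table:
            self.pat_table[key] = self.next_port
            self.next_port += 1
        pkt["src_ip"], pkt["src_port"] = PUBLIC_ONE, self.pat_table[key]
        return pkt

    def inbound(self, pkt):
        """Internet -> inside. Returns the delivered packet, or None when no inside host can receive it."""
        pkt = dict(pkt)
        if self.mode == "routing":
            return pkt
        if self.mode == "nat":
            inside = REVERSE_NAT.get(pkt["dst_ip"])
            if inside is None:
                return None
            pkt["dst_ip"] = inside                       # any port reaches the host; the firewall decides
            return pkt
        for (ip, port), outside_port in self.pat_table.items():
            if pkt["dst_ip"] == PUBLIC_ONE and pkt["dst_port"] == outside_port:
                pkt["dst_ip"], pkt["dst_port"] = ip, port
                return pkt
        return None                                      # no session entry: unsolicited traffic is dropped

def demo():
    """Two inside hosts open FTP control sessions, then an outside host sends an
    unsolicited packet to port 21. Returns, per mode, the two translated sources
    and whether the unsolicited packet reached an inside host."""
    out = {}
    for mode in ("routing", "nat", "pat"):
        t = Translator(mode)
        seen = []
        for private, public in HOSTS:
            src = public if mode == "routing" else private   # routed hosts carry the public address
            p = t.outbound({"src_ip": src, "src_port": 5000, "dst_ip": "198.51.100.7", "dst_port": 21})
            seen += [p["src_ip"], p["src_port"]]
        unsolicited = t.inbound({"src_ip": "198.51.100.7", "src_port": 3333,
                                 "dst_ip": PUBLIC_ONE if mode == "pat" else "203.0.113.12",
                                 "dst_port": 21})
        out[mode] = tuple(seen) + (unsolicited is not None,)
    return out

if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

Routing and 1:1 NAT both leave the source port alone and give each host its own public address, so an inbound connection to that address is delivered and only the firewall policy decides whether it is allowed; under PAT the two hosts share 203.0.113.10 with rewritten ports, and the unsolicited packet finds no table entry and goes nowhere, which is why a server that must be reachable from outside needs a true static address or a deliberate port forward.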
lorennerol
Premium Member
join:2003-10-29
Seattle, WA

lorennerol

Premium Member

said by DarkLogix:

There is a difference between true NAT and actual routing.

PAT (port address translation): use 1 IP for many hosts.
NAT (network address translation): use one IP per host, with the hosts using a private IP so that the IP the world sees isn't the IP on the host.

Actual routing: the IP is assigned to the host and no NAT translations take place.
Well said.