Sharon08817
@leaseweb.com

Sharon08817

Anon

[Business] Need help with D3 SMC Routing

Hello,

I have Comcast business class with an SMC D3 gateway, and a Cisco/Linksys EA6500 router connected to it.

Last week, I purchased a Zywall security appliance to help monitor anomalous traffic as we were getting hit with port scans and other attacks. Zyxel told me that the SMC D3 needs to be placed in bridge mode, so that the Zywall will "see the traffic first", and to avoid double NATting.

I called Comcast business class today, and the rep told me that I indeed was double NATted. To resolve the issue, he told me that I needed to order a static IP in order to be able to uncheck the "disable DHCP NAT and DNS settings" on the LAN tab.

Comcast quickly provisioned us with one static IP. I unchecked those two boxes as directed, and was unable to get online and even unable to access 10.1.10.1.

I'm totally confused here. Is it actually possible to place this SMC in bridge mode so that my security appliance sees the traffic? My Cisco/Linksys router has an IP of 192.168.1.1.

If the router's IP was the same as the SMC's (10.1.10.10), wouldn't that indicate a double NAT situation? Would I also have to place my Cisco/Linksys in bridge mode, too, and let the Zywall do the DHCP and NAT serving?

I appreciate any help.

Thank you!

joako
Premium Member
join:2000-09-07
/dev/null

joako

Premium Member

If you do not need a static IP for its intended purpose, do not order one. Cancel it.

Comcast can bridge your device, but if it ever gets replaced or for some reason reset to defaults (troubleshooting, firmware upgrades, glitch with the configuration file, etc.) then you'll be experiencing the same pain you are now.

Call 800-COMCAST and request they replace your SMC with a regular modem such as Motorola SB6121, Ubee DDM3513, Arris TM722, etc, etc.
lorennerol
Premium Member
join:2003-10-29
Seattle, WA

lorennerol to Sharon08817

Premium Member

to Sharon08817
The SMC CPE Comcast uses for business statics cannot be placed in true bridge mode because Comcast uses RIP for static IP routing. This has been documented ad nauseam.

That said, all you have to do is untick two boxes on the SMC (Google is your friend), then put the static on the WAN interface of the ZyWALL.

joako
Premium Member
join:2000-09-07
/dev/null

joako

Premium Member

Correct and the OP only attempted to purchase the static IPs because the incompetent "techs" at Comcast were unable to properly bridge the modem.

Sharon08817
@leaseweb.com

Sharon08817 to joako

Anon

to joako
Comcast said I was the one who needed to purchase the modem -- meaning they would only provision its MAC address if I was the one who replaced the SMC.
Sharon08817

Sharon08817 to lorennerol

Anon

to lorennerol
I did untick those two boxes, and I was unable to connect to the SMC and connect to my router, as I posted in the start of my thread.

The incompetent rep told me the static order would take 5-7 days.

It was provisioned two hours later. I followed his suggestion of un-ticking those two boxes, and not only does it not bridge as he suggested, it breaks the entire service.

I did use Google to research this, and I still can't figure it out.

Will I need to place my Cisco/Linksys router on bridge mode? I want the Zywall to see the traffic first and foremost.

I am not able to turn off the firewall on my router. The only options are to disable stateful packet inspection, disable NAT and disable the DHCP server. In effect, is this bridging the router?
lorennerol
Premium Member
join:2003-10-29
Seattle, WA

lorennerol

Premium Member

Again, you cannot place the SMC in true bridge mode, with or without statics. For bridge mode you need a dumb cable modem. Readily obtainable at Best Buy, Staples, etc.

You can leave DHCP enabled on the SMC. And make sure these two boxes in the Firewall section ARE checked:

Disable Firewall for True Static IP Subnet Only
Disable Gateway Smart Packet Detection

Put the static info on the WAN interface of the ZyWALL. Reboot the SMC and the ZyWALL. Done.

pflog
Bueller? Bueller?
MVM
join:2001-09-01
El Dorado Hills, CA

pflog

MVM

Actually, the SMC can be put into bridged mode, but they don't like to do it, often reset it and it's lost, etc.

Just ask NetFixer.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer to Sharon08817

Premium Member

to Sharon08817
said by Sharon08817 :

Comcast said I was the one who needed to purchase the modem -- meaning they would only provision its MAC address if I was the one who replaced the SMC.

I was also told that, and I purchased an SB6121 (officially you can only use the SB6120 and SB6121 standard modems with business class service) to replace my SMCD3G-CCR. I was able to activate it online with no need to have a CSR do it manually. I think that whether or not Comcast will lease an SB612x modem or force the customer to purchase one depends (like most things with Comcast) on the policy of your local franchise.

FWIW, if you are persistent enough in calling business class support, you can find a CSR with the knowledge and courage to put an SMCD3G into true bridge mode (courage, because there is apparently an official policy not to do it). However, I cannot recommend that you do that. Comcast appears to have some sort of audit system in place, wherein if an SMCD3G is found in bridge mode, it may be unceremoniously put back into gateway mode with no advance warning to the customer (I was bitten by that policy on several occasions before I replaced my SMCD3G with an SB6121).

Sharon08817
@leaseweb.com

Sharon08817 to Sharon08817

Anon

to Sharon08817
I called back tonight, and the rep had no idea what double NAT was.

She told me to call signature support tomorrow and that there would be a charge for their recommendation.

I expected better service from Business Class. Thumbs down on this incident.

BTW, how can I determine if I am indeed double NATted?

Thank you again.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU
NetFixer

Premium Member

said by Sharon08817 :

I called back tonight, and the rep had no idea what double NAT was.

She told me to call signature support tomorrow and that there would be a charge for their recommendation.

I expected better service from Business Class. Thumbs down on this incident.

The Comcast business class CSRs are usually pretty good with supporting the SMC gateways in the modes that Comcast prefers that you use them (meaning not in bridge mode). And the business class field techs that I have worked with were generally very knowledgeable about the Comcast HFC infrastructure.

Unfortunately some of the Comcast business class CSRs have been brainwashed by Comcast marketing and management into thinking that using an SMC gateway as a normal static IP router (meaning not using NAT) is called bridge mode, so that can cause problems when they interface with customers who actually understand networking.

Anything other than support for the SMC gateway in one of Comcast's officially supported modes, is going to be a frustrating experience. These are the facts of life when dealing with any class of service below the enterprise class level for any ISP with whom I have worked (and I have had to teach Networking 101 to even some enterprise level support CSRs for some ISPs).
said by Sharon08817 :

BTW, how can I determine if I am indeed double NATted?

Look at the WAN interfaces of each of your serially connected routers/firewalls. If more than one of them have an IP address in the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 ranges, then you have cascaded NAT (it would be double NAT if only two of them were in those ranges).

Extide
join:2000-06-11
Salt Lake City, UT

Extide

Member

Double NAT if only ONE of them has a private IP; the other would have a public IP.

N + 1 layers of NAT, where N = number of private "WAN" addresses on NAT gateways.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer

Premium Member

said by Extide:

Double NAT if only ONE of them has a private IP; the other would have a public IP.

N + 1 layers of NAT, where N = number of private "WAN" addresses on NAT gateways.

Oops, you are absolutely correct. I don't know how I managed to mangle that definition, especially since I have a triple NAT WiFi bridge segment on my own network wherein only two of the three routers involved have private WAN IP addresses (as shown below).

And FWIW, I do have port forwarding for several applications running through that triple NAT connection, so cascaded NAT in and of itself is not necessarily as evil as some would have us believe (you just need to understand and stay within the limitations).
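The counting rule worked out in the exchange above (NetFixer's "look at the WAN interface of each serially connected router" check, with Extide's correction that the layer count is N + 1 where N is the number of NAT gateways whose WAN address is private) is easy to get wrong by hand, so here it is as a small script. This is an added example, not code from the thread or from any of the vendors mentioned. It assumes the original poster's Linksys takes a 10.1.10.x address from the SMC's DHCP pool (the thread mentions 10.1.10.10) and uses the RFC 5737 documentation address 203.0.113.5 in place of the real static IP. It also extends the thread's rule slightly: 100.64.0.0/10 (RFC 6598 shared address space, used for carrier-grade NAT) is treated as a non-public WAN address too, because an ISP NAT upstream of the customer is another layer.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Address blocks that mean "another NAT sits upstream of this interface".
# The three RFC 1918 ranges are the ones named in the thread; 100.64.0.0/10
# (RFC 6598, carrier-grade NAT) is added here because an ISP NAT upstream
# of the customer counts as a layer as well.
NON_PUBLIC_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]


def is_non_public(addr: str) -> bool:
    """True if a WAN address implies NAT somewhere upstream of it."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_PUBLIC_NETS)


def nat_layers(wan_addresses: Iterable[str]) -> int:
    """Count NAT layers between the LAN and the Internet.

    wan_addresses are the WAN-side addresses of every NAT gateway in the
    chain, innermost (closest to the LAN) first.  Extide's rule from the
    thread: N + 1 layers, where N is the number of those WAN addresses that
    are not public.  The gateway holding the public address is the last
    layer; a non-public WAN on the outermost device means the ISP is
    NATting too.  An empty chain (no NAT gateways at all) is 0 layers.
    """
    addrs = list(wan_addresses)
    if not addrs:
        return 0
    return sum(1 for a in addrs if is_non_public(a)) + 1


def describe(wan_addresses: Iterable[str]) -> str:
    """Human-readable label for the chain."""
    layers = nat_layers(wan_addresses)
    if layers == 0:
        return "no NAT"
    if layers == 1:
        return "single NAT (1 layer)"
    if layers == 2:
        return "double NAT (2 layers)"
    return f"cascaded NAT ({layers} layers)"


def chain_report(devices: List[Tuple[str, str]]) -> List[str]:
    """One line per (device name, WAN address), innermost first."""
    return [
        f"{name}: WAN {wan} ({'non-public' if is_non_public(wan) else 'public'})"
        for name, wan in devices
    ]


if __name__ == "__main__":
    # Constructed chain for the original poster's setup: the Linksys gets a
    # 10.1.10.x WAN address from the SMC's DHCP pool (assumed 10.1.10.10 per
    # the thread); the SMC holds the public address (203.0.113.5 is an
    # RFC 5737 documentation address standing in for the real static IP).
    op_chain = [("Linksys EA6500", "10.1.10.10"), ("SMC D3 gateway", "203.0.113.5")]
    print("\n".join(chain_report(op_chain)))
    print(describe([wan for _, wan in op_chain]))  # double NAT (2 layers)

    # SMC routing the static without NAT (or replaced by a plain modem) and
    # the static on the ZyWALL's WAN: one NAT gateway with a public WAN.
    print(describe(["203.0.113.5"]))  # single NAT (1 layer)

    # NetFixer's WiFi bridge segment: three routers, two with private WANs.
    print(describe(["192.168.2.1", "192.168.1.1", "203.0.113.5"]))  # cascaded NAT (3 layers)
```

If the outermost WAN address itself falls in 100.64.0.0/10, the count reports one more layer than there are boxes on the premises: that extra layer is the ISP's CGNAT, and no amount of bridging on the customer side removes it.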

flwpwr
@comcast.net

flwpwr to joako

Anon

to joako
Are you calling 1-800-COMCAST [266-2278]?
If you are, stop.
There is a BUSINESS CLASS SUPPORT NUMBER you should have been given; if not, try 1-800-391-3000 [it may be old]. Calling 1-800-COMCAST is asking for a headache: they are residential-only support and not very good at that. Half the time when they transfer you, they just transfer you to residential tier 2, which is still the wrong place. Please call the support number you were given when you signed up. If you cannot find it, try my number, or call your sales representative and ask them what your correct number is. You may also have gotten a few wallet cards with the correct number on them in the welcome kit, if you know where it is.

NetDog
Premium Member
join:2002-03-04
Hollywood, FL

NetDog to Sharon08817

Premium Member

to Sharon08817
As a network engineer, double NAT has been such a pain in the backside. I can't wait to get IPv6 out in the field so we never have to deal with that mess again.

The first time I had to deal with double NAT was a Checkpoint VPN and a home user; the old Checkpoint VPNs didn't allow the packets to get changed more than once, so the VPN tunnel would get dropped and flagged as a hacker. Oh, and SIP back in the day. This is making my head hurt just thinking about it.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU
NetFixer

Premium Member

said by NetDog:

As a network engineer, double NAT has been such a pain in the backside. I can't wait to get IPv6 out in the field so we never have to deal with that mess again.

The first time I had to deal with double NAT was a Checkpoint VPN and a home user; the old Checkpoint VPNs didn't allow the packets to get changed more than once, so the VPN tunnel would get dropped and flagged as a hacker. Oh, and SIP back in the day. This is making my head hurt just thinking about it.

Yep, I have run into those same problems, but OTOH, not all VPN or SIP/RTP implementations are NAT hostile. I have had no problems with Cisco's VPN or with VoIP from either AT&T CallVantage or Vonage even when going through cascaded NAT.

Also IPv6 comes with its own set of new anomalies. I found that domain/host name blocking both in several different routers, and with the Dyn InternetGuide cloud hosted service tended to not always block access if the hostname had both A and AAAA records. I had to move my domain/host name blocking to a local DNS server in order to eliminate the IPv6 backdoor paths.
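The IPv6 backdoor NetFixer describes above, a hostname block that only intercepts A queries while the AAAA answer for the same name goes through, is worth seeing in miniature. The following is an added example, not code from the thread, from any router firmware, or from Dyn; the zone data and the blocklist are constructed for the demonstration (RFC 5737 and RFC 3849 documentation addresses), and the function names are this example's own. It models a filtering resolver two ways: a policy that only blocks A records, and one that blocks on the name for every record type and re-applies the policy when following a CNAME.

```python
from typing import Callable, Dict, List, Set, Tuple

# Constructed zone data for the example (documentation addresses, not real hosts).
# A blocked host with both an A and an AAAA record, an alias pointing at it,
# and an unrelated host that must keep resolving.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("ads.example.net", "A"):     ["203.0.113.10"],
    ("ads.example.net", "AAAA"):  ["2001:db8::10"],
    ("cdn.example.net", "CNAME"): ["ads.example.net"],
    ("www.example.org", "A"):     ["203.0.113.20"],
    ("www.example.org", "AAAA"):  ["2001:db8::20"],
}

BLOCKLIST: Set[str] = {"ads.example.net"}

Policy = Callable[[str, str], bool]  # (canonical name, record type) -> blocked?


def canon(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.lower().rstrip(".")


def lookup(name: str, rtype: str, zone=ZONE) -> List[str]:
    return list(zone.get((canon(name), rtype), []))


def resolve(name: str, rtype: str, policy: Policy, zone=ZONE, depth: int = 0) -> List[str]:
    """Resolve `rtype` for `name`, following CNAMEs (bounded to 8 hops) and
    applying `policy` at every step of the chain, so an alias cannot be used
    to reach a blocked target."""
    if depth > 8 or policy(canon(name), rtype):
        return []
    answers = lookup(name, rtype, zone)
    if not answers and rtype != "CNAME":
        for target in lookup(name, "CNAME", zone):
            return resolve(target, rtype, policy, zone, depth + 1)
    return answers


def block_a_only(name: str, rtype: str) -> bool:
    """The weak policy: only A queries for blocked names are intercepted.
    A dual-stack client asks for AAAA too, gets an answer, and connects over
    IPv6 as if nothing were blocked."""
    return rtype == "A" and name in BLOCKLIST


def block_name(name: str, rtype: str) -> bool:
    """The corrected policy: block on the name for every record type."""
    return name in BLOCKLIST


def bypass_types(name: str, policy: Policy) -> List[str]:
    """Record types through which a name still resolves under `policy`."""
    return [rt for rt in ("A", "AAAA") if resolve(name, rt, policy)]


if __name__ == "__main__":
    for host in ("ads.example.net", "cdn.example.net"):
        print(host, "A-only policy leaks via:", bypass_types(host, block_a_only))  # ['AAAA']
        print(host, "name policy leaks via:", bypass_types(host, block_name))      # []
```

The same check translates directly to a real deployment: query the filtering resolver for both A and AAAA (and for any alias you know of) and confirm every one of them comes back empty, not just the A record.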