Comcast XFINITY → [Connectivity] SMC router and Airport Express - port forwarding

I'm working on a job right now - my first time dealing with Comcast Business Class routers.

We have one of these SMC routers sitting behind an airport express, and I'm trying to forward some ports from the outside, in.

The airport is issuing 10.0.1.x IPs, and the comcast router is issuing 10.1.10.x IPs. As a result, I can't forward any port to the internal IPs on the Comcast router, as it's not in its own range.

How do I either change the range, or turn off the NAT firewall entirely (the option only lets me turn it off for IPs within the issued range)? I'd prefer not to mess with the airport if possible as it's a high availability business and most of their computers are working fine right now and would need to renew their IPs if I changed it there.

Thoughts?

First, the Airport should be behind the SMC, not in front of it (not sure how that's possible as I've never seen an airport with a cable DOCSIS modem in it)

Second, if you don't have a static IP, you need to set the Airport WAN to an internal static inside the range from the SMC. Put that IP into the DMZ on the SMC, then do your port forwarding from the airport. Not idea, but it will work fine.

I got out to the site today - I turned the Airport into bridged mode, which isn't ideal as it drops the public wifi functionality, and let it get an IP from the comcast modem.

Unfortunately, I still couldn't get port forwarding to work fully - some went through fine - others didn't.

I've advised them to ask Comcast to replace the router with a simple modem, then the airport can handle all DHCP / NAT firewall stuff - to my mind thats a damn site simpler!

If some were working, and others not, there is something wrong in your config, not the SMC. Setting it up like I described will work fine.

Do you have a static IP(s) from Comcast or are you using Dynamic?

My bad - the SMC is the modem / router - the Airport is behind it.

We were unable to get port forwarding working, as the machines in the network were double NAT'd - and the SMC router wouldn't let me forward to IPs not in it's own range. The Airport wouldn't let me issue IPs in that range.

So temporarily we've set the Airport as a bridge device (losing the public wifi functionality) and the business owner is calling Comcast to request a modem, instead of the SMC modem/router - we'd much prefer to handle the DHCP and internal network stuff from the Airport.

Why not bridge the modem? Have the static IP set within a router that can operate RIP routes; otherwise, they will not send out anything else other than an SMC for static IP's... I believe AE's do not have the functionality to perform RIP correct? You might need a more business class router like a business netgear/cisco/dlink to handle the static IP's correctly.

They will offer him static IPs instead, since he needs them to run services anyway. If he already HAS static IPs then you are not configuring the SMC correctly. You should put it in True Static mode, basically it just routes the static IP(s) from WAN to LAN for you. The airport or some other more robust router then can sit behind it and do NAT/DCHP/Firewall/DMZ etc with the assigned static IP(s) - No double NAT or other shenanigans needed.

The Admin interface will still be at 10.1.10.1 after you put it into the true static mode (basically just disable firewall/smart packet detection/LAN dhcp in the smc) - if your real router has fits getting to 10.1.10.1, just jack into the SMC's LAN side with a laptop and hardcode a 10.1.10.x static IP with 10.1 as the gateway to make any changes... but no changes should ever be needed once its done, it's just a dumb router now...

This is simple to do, it took me about 2 minutes to set up with my SMC after the tech installed it.