New Comcast Business Gateway/Router Blocking VoIP

techyguy717

After troubleshooting a newly installed Comcast Internet, for small business, Comcast said that it sounds like they installed a bad Gateway/Router. They are replacing.

Issue: Port Overlap Error, every time I configure more than 1 I.P. address, in Port Forwarding.

(Comcast/Netgear # CG3000DCR All-in-One Gateway/Router)
The Comcast Router Firewall is blocking the needed ports for 3rd Party VoIP Phone System

- No way to disable Firewall
- Bypassing Comcast (providing our own router) requires $15/month Static I.P.
- DMZ allows only 1 I.P.
- Static I.P. section only works with Comcast provided Static I.P. for monthly cost.

Question:
Is there a chance this could be a Comcast/Firmware limitation? In this case, what would you do? Shouldn't I be able to configure the same port range for multiple I.P. addresses?

Example:
Application1) 5050 - 5050 Public and 5050 - 5050 Private / UDP. / I.P.10.2.10.5
Application2) 5050 - 5050 Public and 5050 - 5050 Private / UDP. / I.P.10.2.10.6
 
One of the several reasons to tell clients to get a full static IP business account.
Get them to upgrade. Paying you 1.5x more hours to troubleshoot this will be more expensive than the next year's increase in costs from Comcast of getting a static IP account.

You cannot port forward the same ports from the same external alias to multiple internal IPs....such as in your example. Port forwarding goes either HERE...or THERE...cannot do both.

Going with a single static IP account from Comcast yields you 2x usable public IPs. The first...goes to your firewall. The second...is the modem itself (which is the gateway for your firewall). So you end up with 2x public IPs that you can do your port forwarding on...and you can get your multiple ports done that way if your phone system has 2x cards to get to (since they'll have different internal IPs).
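The overlap rule described in this reply, as an added example that is not part of the original thread or any Comcast/Netgear firmware: a small checker that flags forwarding rules an inbound packet could match ambiguously. The public addresses (documentation range 203.0.113.0/24), the `Forward` class and the function names are assumptions made for illustration, as is the choice to flag only overlaps that point at different internal hosts.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from itertools import combinations

@dataclass(frozen=True)
class Forward:
    name: str
    public_ip: str   # external address the rule listens on
    proto: str       # "udp" or "tcp"
    first: int       # first public port (inclusive)
    last: int        # last public port (inclusive)
    target: str      # internal host that receives the traffic

def overlaps(a, b):
    """True when one inbound packet could match both rules."""
    return (ip_address(a.public_ip) == ip_address(b.public_ip)
            and a.proto.lower() == b.proto.lower()
            and a.first <= b.last and b.first <= a.last)

def find_conflicts(rules):
    """Return (name, name, first, last) for each ambiguous pair of rules.

    Assumption: only overlaps that point at different internal hosts are
    reported, since those are the ones the gateway cannot resolve.
    """
    found = []
    for a, b in combinations(rules, 2):
        if overlaps(a, b) and a.target != b.target:
            found.append((a.name, b.name,
                          max(a.first, b.first), min(a.last, b.last)))
    return found

# Constructed sample data. WAN1/WAN2 are placeholder public addresses.
WAN1, WAN2 = "203.0.113.10", "203.0.113.11"
# The two rules from the question, both on the single public address.
single_ip = [Forward("Application1", WAN1, "udp", 5050, 5050, "10.2.10.5"),
             Forward("Application2", WAN1, "udp", 5050, 5050, "10.2.10.6")]
# The same rules spread over two public addresses (static IP account case).
two_ips = [Forward("Application1", WAN1, "udp", 5050, 5050, "10.2.10.5"),
           Forward("Application2", WAN2, "udp", 5050, 5050, "10.2.10.6")]

if __name__ == "__main__":
    for label, rules in (("one public IP", single_ip),
                         ("two public IPs", two_ips)):
        print(label, "->", find_conflicts(rules) or "no overlap")
```

With one public address the pair is reported as overlapping on UDP 5050; with two public addresses each rule has its own external alias and nothing is flagged.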
 
VoIP using a residential account? Asking for trouble. You should be able to turn off WAN DHCP and then use your own router. But for $15/month the EU will probably spend 10 times that every month with you coming over to fix things.
 
This is a Comcast Business Account. Comcast installed a Gateway/Router.

Everything is working great, except it is blocking the port needed for VoIP.

There has to be a way to open 1 port for the entire network. It seems like it should be simple enough.

Example: Open port 5050 for everyone.
 
More information (and a bunch of clarity) is needed here.
Does your customer use a hosted VOIP solution?
Or....
Does your customer have their own PBX? Are they using a SIP trunk or a PRI....or are they using an FXO/FXS card?

Are you talking about forwarding a port when you really should be saying you are trying to not block natted traffic on a port?

Looking at this thread is confusing.
 
I have only ever worked with those CG3000DCR once. The EU was looking at using that account for accessing Ubiquiti IP cameras. They did have a fixed IP address and after troubleshooting determined that there was a problem with the Comcast router as it was not port forwarding properly.

Personally I have never heard of an ISP doing any port blocking for traffic for a business account. I've set up several networks using Comcast and VoIP. Both self hosted VoIP servers as well as third party service providers and have never had any port blocking issues.

If you have not already done so you should escalate this to T2 support as it sounds like something is wrong with the Comcast device.
 
They are using 3rd party hosted VoIP. Comcast is replacing their gateway. I believe I mentioned this, but apologize for any confusion.

I now remember port forwarding cannot be used on multiple I.P. addresses.
The reason I asked is because when port 5050 "example", was forwarded on one I.P. address of an assigned VoIP phone, the phone was no longer blocked and worked perfectly. When I deleted the port forward of 5050 from the firewall, the phone was blocked again.

I hope this is a defective Comcast unit. Because if it's not, I will have to recommend a $15/month static I.P. address and additional firewall, even though it's only the VoIP phones that are being blocked, at the new location. All other network services are working great.

BTW: Phones are working at different location.
 
You should be able to port forward a range of IPs. Then set the phones to static and set up DHCP with the phone IP range reserved.
 
Ever log into the old SMC gateways that Comcast uses?
You'll see the same interface that you do with those new Netgear routers.
However, that is not the original management console provided by Netgear on those.
Comcast has replaced the management console on the Netgear with that of their own. Apparently, the SIP ALG they use in the Netgear breaks SIP, and cannot be disabled using their management console.

Call Comcast, tell them you want an SMC SMCD3G-CCR gateway.

 
On systems like 3CX you have to assign a new port for every phone extension, so each phone will get a different port to use to connect to the PBX remotely. Maybe this is what you need?
 
No, you can't port "forward" a range of IPs. One port forward from the public IP address corresponds to one port on the private IP on the LAN. You can do port "triggering", which is similar...it'll usually (almost always) have a range of IP addresses included in the trigger. When a specified outbound port is used, a specified inbound port is opened for the device. Unfortunately, that wouldn't work because if one device triggers the port to forward to it, the others would lose their forward and stop working.


Without seeing the options available, it just sounds like an exception needs to be made in the firewall for the ports needed. I've never dealt with Comcast, but I've never seen a device that can't have firewall exceptions made in some way.
 
Yep, I had an ID ten T moment there and switched fields. The port range forwarding is a range of ports to one IP. Port triggering, at least on the WRT600N, is simply pointing one range of ports to a different range of ports - 5000-5100 to 6000-6100 with no IP consideration.

SAG pointed out that there may be some undocumented packet mangling going on as well. I had a business, that was self hosting the VoIP server, where I recommended and set up a pair of Fortinet FortiWiFi 60C for point to point between two sites so the second site could use the VoIP server on the primary site. What a nightmare that was. Turns out it was a square peg and a round hole between Fortinet and Nextiva. There was some kind of packet mangling going on and nothing could be done to resolve the issue. I ended up just getting a couple of Cisco RV's, forgot which model, at less than 1/3 the cost and had absolutely no problems.

And I second SAG's suggestion about having Comcast ship you the D3G.
 
Problem was solved.

Comcast switched out the CG3000DCR Gateway for a different model.

I can't believe it's not illegal for Comcast business to block high quality 3rd party VoIP providers. Comcast's VoIP solution doesn't even have all the features that this business needed. The CG3000DCR, with their proprietary blocking firmware, is the new business gateway they have been using since at least March and many people are complaining about this. They are essentially leading businesses into thinking the VoIP provider is the problem, so they can sell their lower quality VoIP package.

Warning: Their Business Support doesn't admit that this model causes VoIP problems, even though it has been reported to Comcast many times over the last few months.
 
Thanks, after the day I've had I need them.

Got a Dell T420 with RAID5 data drive that can't read/write to the array faster than 65Mb/s
:(

Getting any data corruption? Getting this error at boot?

Code:
Unresolved configuration mismatch between disks(s) and NVRAM
 
No corruption that I have seen. No errors at boot.
My fear is a bad PERC (H310).
Got a load of driver/firmware updates from Dell support to install once everyone is out of the system tonight.

Anyhow... fun fun fun - don't want to derail this thread.
 
Yup sounds like some firmware flashing is on your plate tonight. Have fun. H310 ain't a ball of fire ....do a Google search on its issues...lotta people ain't diggin' it.

What drives are slung off it?
 
3 600GB Dell-branded 15K SAS (likely Seagate).

I would have assumed a better performance from this thing though.
 