VPN behind comcast SMC box

TAPtech

I have a client with Comcast business internet service. They supply a gateway/router combo box. Unfortunately it cannot be configured in bridge mode, and Comcast tech support will not enable it (if it would even work). Thanks, Comcast.

Basically they want to sell you the $15/mo static IP. That's fine and all, but this client doesn't need a static IP. I want to set up a basic VPN using their existing router, but can't seem to get through the Comcast box. Double NAT and all that good stuff.

Anyone have experience with these things?
 
No, and I think that might be my standard response to clients with Comcast from now on. I'm really not too impressed with Comcast.

I think it's a bit silly for them to limit business customers in this way. I totally get it for residential, but the business clients use these sort of technologies all the time. What a pain.
 
My day job is a low voltage technician and the majority of what I do day to day is install surveillance systems in homes and businesses.
I can typically forward the ports in a standard router in a couple of minutes for remote access to the camera system, BUT not if the business has an SMC modem/router from Charter Cable.
The GUI page is locked if the customer has routing enabled, and to forward the ports one must wait on hold with Charter Business and hope the operator knows how to forward the ports correctly.
If all goes well, forwarding the ports on the SMC modems takes me around 20 minutes, but I have had it take over an hour due to the incompetence of the Charter rep.
 
I have a client with Comcast business internet service. They supply a gateway/router combo box. Unfortunately it cannot be configured in bridge mode, and Comcast tech support will not enable it (if it would even work). Thanks, Comcast.

Basically they want to sell you the $15/mo static IP. That's fine and all, but this client doesn't need a static IP. I want to set up a basic VPN using their existing router, but can't seem to get through the Comcast box. Double NAT and all that good stuff.

Anyone have experience with these things?

How are you going to have a reliable, stable VPN with a dynamic public IP? In the past I set up the box by turning off DHCP on the SMC/Netgear router they supply and doing the following.

Firewall for True Static IP Subnet Only disabled
Gateway Smart Packet Detection disabled

Then set the WAN port on your real VPN router to DHCP and it will pick up a public IP.
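A quick way to verify the last step above, as an added example that is not part of the original post: classify the address the VPN router's WAN port actually received, to see whether it is public or still double-NATed. The 10.1.10.0/24 SMC default comes from later in this thread; the function name and sample addresses are constructed for illustration (IPv4 only).

```python
import ipaddress

# Assumption from the thread: the SMC gateway's default LAN is 10.1.10.0/24
# (gateway at 10.1.10.1). The other ranges are standard reserved blocks.
SMC_DEFAULT_LAN = ipaddress.ip_network("10.1.10.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 shared space
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # no DHCP lease received


def classify_wan(wan_ip, lan_cidr):
    """Return (verdict, inbound_reachable) for a VPN router's WAN address.

    wan_ip   -- address the router's WAN port obtained (hypothetical input)
    lan_cidr -- the router's own LAN subnet, e.g. "192.168.1.0/24"
    """
    wan = ipaddress.ip_address(wan_ip)
    lan = ipaddress.ip_network(lan_cidr, strict=False)

    if wan in LINK_LOCAL or wan.is_unspecified:
        return ("no-lease", False)
    if wan in lan:
        # WAN address sits inside the router's own LAN: routing is ambiguous.
        return ("wan-lan-overlap", False)
    if wan in SMC_DEFAULT_LAN:
        return ("double-nat-behind-smc", False)
    if any(wan in net for net in RFC1918):
        return ("double-nat", False)
    if wan in CGNAT:
        return ("carrier-grade-nat", False)
    if wan.is_loopback or wan.is_multicast or wan.is_reserved:
        return ("not-routable", False)
    return ("public", True)


# Constructed sample inputs; 203.0.113.7 is a documentation address standing
# in for a real public IP.
SAMPLES = [
    ("10.1.10.12", "192.168.1.0/24"),
    ("10.1.10.12", "10.1.10.0/24"),
    ("203.0.113.7", "192.168.1.0/24"),
]

if __name__ == "__main__":
    for wan_ip, lan_cidr in SAMPLES:
        print(wan_ip, lan_cidr, classify_wan(wan_ip, lan_cidr))
```

Any verdict other than "public" means inbound VPN connections will stop at the upstream gateway unless it forwards the VPN ports.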
 
I have a client with Comcast business internet service. They supply a gateway/router combo box. Unfortunately it cannot be configured in bridge mode, and Comcast tech support will not enable it (if it would even work). Thanks, Comcast.?

You put your own edge appliance behind it, and enable the true static subnet like MV mentioned above...I've done hundreds of 'em. Your own appliance gets the public IP address(es) on its WAN interface(s).

Although I always leave DHCP enabled on the SMC, no need to disable it when you static assign your own interfaces behind it. And you even get a nice separate subnet to do things like run a "guest" wireless behind, separate subnet from the production network.
 
Yup, pretty much what the above have said. What resources will the client be accessing through the VPN? $15/mo for a static is cheap IMO, unless this is not a business, in which case I would tell them to buy a LogMeIn Pro account for $70/yr if all they need is remote access or the like.
 
Hmm, I found exactly what you guys are saying through a Google search but could not get the public IP to come through. I'll have to try it again.

If this was a router-to-router, site-to-site VPN, then I would want a static IP on both sides. However, we're really using it for occasional access, so it would be nice to save the $15/mo. They already have a DDNS service.

I'll give it another shot and report back.
 
The extra time it would take you to set up the mickey mouse dyndns service...and the extra several times per year it will fail to connect for the client because the dynamic dns service didn't update yet...where did the savings go?

If it's a dynamic account, I don't believe the setup MV and I are talking about will work...you don't get additional public IPs on a dynamic account AFAIK. The SMC is taking your single IP. The approach MV and I are talking about is setting up the additional static IPs through the SMC.
 
Mark and some of these guys helped me through the same issue a few months ago. Comcast doesn't make it particularly easy.

The default address of the SMC box is 10.1.10.1, the default login is "cusadmin" and the password is "highspeed". Everything you NEED is in there, just be aware that if you nuke DHCP in that box w/o telling your router where to find it, you will nuke the network, requiring a hard reset.

I was originally double NATted too, I finally just went in and removed my router from the equation and let the SMC box handle that, then turned my router into just another repeater, now I have 4 instead of 3.
 
Thank you all for the help and suggestions. The supplied SMC modem cannot be set into passthrough mode without a static IP. I personally think that supplying this as the standard modem to business clients is sub-par on the part of Comcast.

The purpose of the VPN is to get access to the onsite PBX statistics URL from time to time. Very non-critical check-ins on the part of the business owner. If they had a spare system running at the shop they could simply RDP to the thing, but that would be much more costly. Actually, a static IP would probably cost about the same in electricity costs alone :)

I completely understand what Mark and StoneCat are saying here- go pro and don't skimp out with the DDNS. However, they have an existing setup so it would be quick and easy, if their modem weren't the black-magic do-it-all box :)

I think the static IP is in order as he may want to set up a remote extension in his home office at some point, so I'm caving :D

Thanks guys.
 
Even with the fixed IP you might still have limitations in what Comcast can/will do. You might look into getting the customer their own cable modem. This will give you complete control. Seen that many times with businesses as well as that is what I did for myself.

Link to research - http://mydeviceinfo.comcast.net/
 
My experience with Comcast is that if you want static IP(s) then you have to use their modem/gateway. If no static is needed then you can use your own modem.
 
Yes that was what the Comcast tech support agent said to me on the phone yesterday.

I like the Arris modems, they're simple and reliable (in my experience).

So basically the options are static IP with Comcast modem or dynamic with client-owned modem. Either one works for me, but I'm leaning towards static for future uses if the client will spring for it.
 
My experience with Comcast is that if you want static IP(s) then you have to use their modem/gateway. If no static is needed then you can use your own modem.

Yah. I recall hearing that. Cuz they need a "service IP" to control the public subnet you get. The SMC gets its own public IP address which is different than your usable IP block (although often you'll see the SMC's pub IP will be your gateway out).

Tap...for the web interface of the PBX, why not just port forward to it..stick the PBX ethernet port on a static 10.1.10.10 or something..plug it into the SMC, do the port forwarding necessary. Secure the PBX of course with good passwords.
 
That's not a bad idea, but I would rather keep the PBX behind a good firewall that I trust and know how to configure.

I've set them up with the static IP, which completely resolved the VPN issues. Initially the client wanted a simple way to access the PBX status, but now that we have this capability, I've just ordered him two new IP phones for his home office. Actually, they're already here and configured, just need to pay him a visit and hook them up.

I use Yealink phones, they have an OpenVPN client built in! They work great with this setup.
 