pod moved into a larger office and had to get a new contract with Comcast Business for Internet service. We were told that it is not possible to simply move our old contract to a new location. Of course we are paying more after the move for the same service than before. But this is another story.
I scheduled the installation for a Saturday morning to minimize the disruption to the business from the downtime. A gentleman arrived on time and installed a Netgear CG3000DCR cable modem. This seems to be their preferred device for some reason, in spite of all the issues (that I unfortunately was not aware of yet at this point).
Soon after he left, the movers arrived. The server rack needed disassembly to fit into the elevator and was delayed. It took several hours until I had the firewall and switch and domain server online. This is the minimal configuration that I can test our setup with. We had moved the static IP block over to the new account and my hope was that no configuration changes should be required to get everything back online. But it was not working – no inbound or outbound traffic with the default configuration that had been in use for many years at the old office with an SMC router (that we returned to the Comcast installer and that he had taken with him).
So I started to poke around at what was going on. The Netgear router spans a 10.1.10.0 subnet on the LAN side, but our pfSense device (a Netgate FW7535) could not see the WAN gateway, which was configured to be x.x.x.150. The firewall’s WAN IP was a static address from the external block, x.x.x.145. Once I changed the static IP to one from the CG3000DCR’s LAN subnet, for example, 10.1.10.2, and the gateway address to 10.1.10.1, stations on the network were able to get outside. But of course our static IPs were not working and were not visible to the outside world. Comcast support suggested that I should switch the modem to “Bridge Mode”, and this is done by turning off LAN DHCP. We tried and it did not change anything.
Off the phone again, I googled this and saw that people reported a variety of problems with the Netgear modem and static IP blocks. Without wasting much more time, I called Comcast support again and requested that the modem be replaced with an SMC model.
Sunday morning I was back in the office, waiting for another Comcast installer. The gentleman who came this time knew about issues with the Netgear modems. He could not explain them, but said that “network engineers” had told him that the Netgear modems do not forward the public IP addresses on the LAN side. Without much ado, he swapped the modems, installed an SMC Networks SMCD3G-CCR, and left.
I still did not have a working configuration right away, though, but this time I was more successful in resolving the issue. It turned out that my WAN gateway changes in pfSense from the day before somehow needed to be completely undone. Even though I had set the WAN gateway to x.x.x.150, the mere fact that a 10.1.10.1 WAN gateway was still defined (and configured to be the default) prevented stations from reaching the Internet. But when my laptop was connected to the SMC modem directly and acted as a DHCP client, it would get one of our external static IPs assigned from the SMC. So I knew that the modem passed through the static IPs correctly, and that the issue now was with pfSense. Once I discovered and deleted the default WAN gateway, everything started working as expected. It did not even matter if the SMC modem was in “bridge mode” or not, i.e. LAN DHCP is turned on or off. It handles public IPs correctly in either configuration.
It sees all public IPs on the LAN side and hands off packets correctly.
I am happy that everything is back up at the new site, of course, but I wonder if the Netgear modem really would not have worked. I never tried to connect my laptop to one of its ports and set it to be a DHCP client. But it had not worked initially with the firewall configuration unaltered, so I can’t help but assume that the modem was the cause, and that the Netgear modems don’t play well in this scenario.
Comcast maintains a list of supported modems and based on this information the SMC modem that I now have does not support IPv6. I can’t confirm this. It may need to be replaced again when I am forced to turn on IPv6 in our network. For now, things are good, and I recommend that you refuse the Comcast modem if they want to install a Netgear model.