doritang

Network set up with Comcast cable modem SMC8013WG

Hi,
I recently got a Comcast high-speed cable modem at home with 5 static IPs. I would be grateful if someone can recommend a good solution to network 2 servers such that they can be accessed from the outside using 2 of the 5 static IPs. I plan to attach 2 linux servers to the modem. The modem config is as follows:

Cable Modem external IP/Gateway: 70.90.xxx.206 (5 static: 70.90.xxx.201 to 205)
Cable Modem internal IP: 10.1.10.1
The cable modem does provide a NAT/port fwd option when logging into it using 10.1.10.1
Internal network range of IPs for computers: 10.1.10.10 to  10.1.10.199  

2 linux servers running red hat ES 2.1

Goal:
1. The right way to hook/network the 2 linux servers to the cable modem
2. What IPs to assign to my 2 linux servers---how?
3. To make sure that the 2 linux servers are accessible from the outside (let's say 70.90.xxx.201, 202)
4. Do I need to use a proxy server? How to set it up.

Since I'm new to networking, as much detail is required as possible or please guide me to an article/book to set it up.

Many thanks in return.
kfullarton

1.  The right way would be to have a firewall in place behind the cable modem.  Here's a book that's probably way more than you need, but will point you in the right direction.

http://www.oreilly.com/catalog/fire2/
I usually recommend that people that want to do this just get a better cable modem, than the standard one the ISP gives you.  I highly recommend the SBG1000 from Motorola or the SBG900.  Both have NAT, port forwarding, a firewall with stateful packet inspection, etc.  You then just plug in your machines, configure port forwarding or use a DMZ and assign your machines the public IP addresses.  It's a lot easier than it sounds, but that would be the best way.  You can always add a router, but that just adds one more device and one more point of failure.  I have a similar setup at home, I have a Motorola SBG900, which has port forwarding for various services pointed to my firewall (which is not necessary, but I have it anyway for added security).  The firewall then forwards the ports to the LAN IP I specify.  I don't have to have multiple IP addresses to get my home network to function the way I want.  Port forwarding works nicely.  Although I could always do the DMZ thing in my cable modem if I wanted to.  But then I'd have to buy IPs from them.  Keep in mind that hosting some types of servers on your home network might be against the ISP terms of service.  For example, hosting a mail server.  
There are several different brands of routers and firewalls that you can use that are made by different vendors. I always feel it is best to go with the brands that you feel comfortable working with like linksys, netgear, d-link, zyxel, etc. It really depends on your budget and your networking know how. Basically what you need to find is a router or firewall that supports multi-nat, or full-feature NAT. As for myself I like working with ZyXEL Zywalls but here are some resources for you to look at:

Zywall 2:
http://us.zyxel.com/products/model.php?indexcate=1044940679&indexcate1=1123007871&indexFlagvalue=1021873683

Here is an article from toms networking about this subject with a few suggestions:
http://www.smallnetbuilder.com/FAQ-7-Hardware+Routers-5.php

Products with this capability include the SMC7004VBR, SMC2804WBR, ZyXEL ZyAIR G-2000 and ASUS SL1000 Internet Security Router.

Hope this helps and happy networking!
Cubemonkey
Unfortunately, MCPJoe's suggestion of getting a different cable modem will not be an option.  Comcast delivers their static IP's via RIPV2, and in order to accomplish this there is a RIP KEY that needs to be set on the modem in order for it to authenticate with the routers to update the routing tables.  

As well, you will be unable to place a firewall of any sort between your computer and the modem, unless you are able to forward ports back to the servers as the static IP's will NOT route through any other devices.

You can assign any of your IP's to your two linux servers, just remember the subnet will be 255.255.255.248.  As well, in order to ensure that all traffic is directed to your computers, without the SMC's firewall interfering, you will have to log into the firewall and disable the LAN Firewall (Click firewall on the left, then take the checkmark out of "Enable Public LAN Firewall", then press apply).

To log into the modem, browse to http://10.1.10.1 , and use the username and password provided by Comcast.  Since I work for Comcast, I cannot post the default username and password for the router due to Comcast's security concerns, but you can do a quick Google search or just call the business support at 800-316-1619, so long as you are the authorized contact on the account.

I would recommend using IPCHAINS on the linux servers for your firewalling software.  Also keep in mind if you want local clients that are using the 10.1.10 addresses to be able to access these servers, you will actually have to assign them with a second IP address that is in that network range.  10.1.10 computers on the local network are unable to communicate with the 70. IP's properly.

If you run into any problems, their tech support is available 24/7 and can verify your settings for you if needed.

Steven Vona
If you have comcast workplace you most likely have an SMC 8013.  The best way to do this varies greatly on what you are doing.  

If you feel the linux servers are quite secure you can simply assign a public IP to the servers.  For example if your gateway (the one on the SMC) IP address is 70.90.22.22 (just an example) then you can assign 70.90.22.21 and 70.90.22.20 to your linux servers using a gateway of 70.90.22.22 and a /29 mask (255.255.255.248).  

If you want you can also put a firewall/router behind the SMC and assign a public IP to that instead.  I kind of prefer this way since it is a lot more secure.

INSIDE TIP: Make sure you are using the correct DNS settings.  NS1.comcastbusiness.net has been having load issues.  Try using ns4, and ns5 (208.39.158.2 and 64.56.37.246)

Good luck.
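
A way to sanity-check the addressing discussed in the posts above (a gateway plus hosts in one /29, and a second 10.1.10.x address for local clients), as an added example that is not part of the original thread. It uses the 70.90.22.x example addresses from the post above; the 255.255.255.0 LAN mask and the 10.1.10.50 / 10.1.10.20 addresses are assumptions made for illustration.

```python
import ipaddress

def check_static_plan(gateway, netmask, hosts):
    """Return (network, problems) for a gateway/netmask/host-list plan."""
    net = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    usable = set(net.hosts())      # excludes the network and broadcast addresses
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in usable:
        problems.append(f"gateway {gw} is not a usable host address in {net}")
    seen = {gw}
    for h in hosts:
        addr = ipaddress.ip_address(h)
        if addr not in net:
            problems.append(f"{addr} is outside {net}; the gateway is not on-link")
        elif addr not in usable:
            problems.append(f"{addr} is the network or broadcast address of {net}")
        elif addr in seen:
            problems.append(f"{addr} is already used in this plan")
        seen.add(addr)
    return net, problems

def on_link(client_ip, client_mask, server_addrs):
    """Server addresses inside the client's own subnet (reachable without routing)."""
    lan = ipaddress.ip_network(f"{client_ip}/{client_mask}", strict=False)
    return [a for a in server_addrs if ipaddress.ip_address(a) in lan]

if __name__ == "__main__":
    # Example addresses from the thread: gateway .22, servers .21 and .20, /29 mask.
    net, problems = check_static_plan(
        "70.90.22.22", "255.255.255.248", ["70.90.22.21", "70.90.22.20"])
    print(net, "usable:", [str(a) for a in net.hosts()], "problems:", problems)

    # Constructed mistake: the netmask typed into the gateway field.
    print(check_static_plan("255.255.255.248", "255.255.255.248", ["70.90.22.21"])[1])

    # Assumed LAN client 10.1.10.50/24; the server holds a public address and an
    # assumed secondary address 10.1.10.20. Only the secondary one is on-link.
    print(on_link("10.1.10.50", "255.255.255.0", ["70.90.22.21", "10.1.10.20"]))
```
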
One way we have done this in the past is to create a DMZ (using a small switch or using part of a programmable switch by creating a VLAN) then plug your firewall(s) and cable modem into this DMZ.

The firewalls we use are cheap Netgear units that only support one IP address each so for each public address we have to add another. On the upside we can run another web server for each one we add.  Of course, you still need port forwarding enabled for the specific services (web, mail, etc.) that you are supporting with each firewall.

If you are lucky enough to have a firewall that supports multiple external IP addresses then you don't need the DMZ (switch).  If not (and you want to follow our pattern) then you need another switch and another firewall for each IP address you add.
doritang

ASKER

Thanks much all of you!!!

Savone--
I will try your simple strategy first (since new to networking) to see if it works directly with static IPs. I understand that I do not need to assign local IPs to the servers like 10.1.10.10, 11, 12 and so on. Correct? Just hook to the back of the SMC modem and assign the given static IPs to both of my servers as you mentioned.

I will get back later this evening to let you know what happens after setting up your way.
Both Bill and Savone are correct. And I agree with Savone that it appears that ns1 has been having load issues and using other dns servers would be preferable to that one in particular.
Savone/Bill--

Does it matter if DHCP is on on the SMC8013 for my wireless connection (linksys wireless router) connected to the same modem? That is working fine for my PCs at home.

Savone--
I did as per your instructions:

Linux 1:  Gateway: 255.255.255.248
Sorry.....my mistake above ....

Gateway : 70.90.xxx.x06, Static IP: 70.90.xxx.x05....provided the primary and secondary DNS as 208.39.158.2 and 64.56.37.246.

I can connect to the outside world...However, when I try http://70.90.xxx.x05  from my notebook on the same cable modem via wireless....I see the page not found error, although the linux server has Apache2.0 running on port 80.

Maybe I need to be outside of my home domain?? I will check tomorrow from my office.

Please let me know if that is the case or is there something else you guys might think happening.


Please re-read my earlier post regarding this:

I would recommend using IPCHAINS on the linux servers for your firewalling software.  Also keep in mind if you want local clients that are using the 10.1.10 addresses to be able to access these servers, you will actually have to assign them with a second IP address that is in that network range.  10.1.10 computers on the local network are unable to communicate with the 70. IP's properly.

Therefore, if you are trying to browse from locally, you will have to browse to the second ip address you gave it, the 10.1.10 address.
Bill--

Thanks for the info. I would use IPCHAINS for firewall. However, I cannot access my server via IP 70.90.xxx.x05 (from outside the cable domain) as stated above to set it up by hooking it to the modem and setting up the static IP's directly. The firewall on the modem is  NOT enabled either. I probably will call comcast later today to see if they can help.
ASKER CERTIFIED SOLUTION
Bill_Fleury

This solution is only available to members.
In regards to the question about the DHCP server. It will only make a difference if the SMC is plugged into the LAN side of the Linksys router. If you have it on the WAN/Internet side then the DHCP Servers will never clash (You can log into the SMC and disable the DHCP server inside of it, but ensure that you statically set your ip for the Linksys before you do that).

Am I understanding correctly that you can connect to the outside world when you are using the 70.90.x.205 static ip on the server? I'm just double checking. If so, and you have turned off the firewall then double check that Apache is running (double check you have it initializing when you start the server or activate it yourself) and that the linux firewall is allowing connections on port 80 (I ran into issues when using the higher security firewall linux settings, even when I set it to the lowest settings that I could, in the end I simply disabled them).

If you can't connect on port 80 to the server from the outside world, try pinging the static IP and the static gateway that you have. (the 70.90.x.206)

It appears to be a server setting at this point since you can connect to the internet from that server while utilizing the static IP.
got it working.....along with DHCP.......assigned both external and internal IPs. Disabled firewall on the linux server.....can access Apache as well as ssh. Test it on the LAN and from outside of the cable domain using static IP.

Thanks all of you....especially Bill, Savone, John.........

now on to 2nd linux server.............