Using DynDNS with Comcast Business Service and SMC8014 Modem

Trying to configure a VPN on a SonicWall TZ170 firewall behind a SMC8014 Modem.

When using other modems I have put the modem into bridge mode, the SonicWall then gets a public IP, and I use DynDNS as a virtual static IP for the VPN.

I am being told the only way to get a public IP to pass through an SMC8014 is to commit to a static ip (@~ $15 per month from Comcast).  Supposedly the SMC 8014 does not support bridge mode without a static IP assigned.

In other words, it won't do what a cheaper residential or other cable modem will do.

Also being told that Comcast won't allow your using a non-Comcast provided modem with their business class service.

Sounds like all they want to do is force you to pay for static IPs.  

Anyone familiar with any workarounds for this?
Tomster2 Asked:

dholbert Commented:
I have run into a similar situation where the setting was "bridged". It was worded as "share public ip" or something similar. It has been a while but basically the modem keeps the static IP but also allows the router to use it and perform the routing.
Todd Gerbert (IT Consultant) Commented:
I would think that even with the Comcast modem doing NAT you should still be able to use DynDNS to update the address of a host name, you'd just need to configure the Comcast router to forward the VPN traffic to the SonicWall (or just have it send all inbound traffic to the SonicWall if all of your equipment is behind the SonicWall).
mooodiecr Commented:
Does the modem say SMC8014-BIZ on it?  If not then you are probably out of luck.  They specifically force this so that residential connections can't perform some business tasks.  However, from past experience with Comcast, you can complain until they give you the 8013, which can bridge dynamic IPs.  Also just FYI
IP: 10.1.10.1
Username: cusadmin
Password: highspeed
I don't know if that is still the same but was at one point the signin information for the SMC modems.

digitap Commented:
Are you wanting to set up a site-to-site VPN or use the global VPN client on the SonicWall?  If site-to-site, it MIGHT work if you use aggressive mode and set the static IP on the other end and have your TZ170 initiate the VPN.  If using the global VPN client, you can enable NAT Traversal at VPN > Advanced.  This states that your SonicWall is behind a router that performs NAT.  IPsec doesn't like to be NAT'ed.  Additionally, enable NAT Traversal regardless of which VPN method if you can't get the public IP on the TZ170.
Tomster2 (Author) Commented:
Will be at the location tomorrow and try some of the suggestions.
Tomster2 (Author) Commented:
additional info:

The modem just says SMC8014... not SMC8014-BIZ.
But this IS a business account - not a residential account
Traversal at VPN is enabled in the Sonicwall... the issue is finding the external ip of the modem consistently - which is what we were going to use DYNDNS for... - but we need bridge mode for that to work (that is how I have always done it in the past and is my understanding at this point, if that is not the case please enlighten me).
We called Comcast on three different occasions:
One tech said that with this modem it could not be done.
Second tech said OK, let's try... but when they put it in bridge mode, we rebooted the modem, then rebooted the SonicWall... and we could not access the internet.  Changing it back was fine.
Third tech said the only way they have been successful putting this modem in bridge mode was when it was assigned a static IP. (Note: this matches the scenario mentioned by dholbert with a static IP.)

We are not doing site to site.  We just want to use the Sonicwall global vpn client.

I have configured a pc with an ip of 10.1.10.2 /255.255.255.0 and a gateway of 10.1.10.1 - but cannot get to a login screen.
digitap Commented:
OK...great information!  my original thoughts were site-to-site.  With the GVC, you really are in a more challenging situation.  It's going to be difficult to establish a VPN into the sonicwall from behind the SMC.

Regarding bridge mode for the SMC, you might review the links below.  They've had good luck getting that configuration out of the SMC.  I'm just blown away that Comcast thinks that a business would want to rely on their equipment and wouldn't have their own firewall hardware.


http://justinribeiro.com/chronicle/2009/10/15/setting-up-a-static-ip-with-bridge-mode-for-smc-8014-and-m0n0wall/

http://broadbandreports.net/forum/r23360032-Real-Bridge-mode-on-SMC-80148015-Comcast-SFL
Tomster2 (Author) Commented:
Thanks for the excellent threads.  I had not run across either one in my searches. Although we may not like the boat we are in, it is somehow comforting to know you are the only person in that boat.  It IS frustrating that this is a deliberate issue by Comcast to force you to buy the static IP passage.

I have a home office with Comcast residential, I bought my own Linksys CM100 modem, put a SonicWall behind it and things are fine.

In the case of the site with the "Business Class" service, they cannot do this.  We will probably just cough up the annual pay to play fee for the static IPs even though using dyndns would meet our needs fine for a small fraction of the cost - if they allowed a decent modem.
digitap Commented:
Bummer...sorry they couldn't be more flexible.
Todd Gerbert (IT Consultant) Commented:
It doesn't matter how many NAT'ing routers you're behind, DynDNS should still always see the public IP address.  So, if the Comcast router's public IP is 38.5.7.151, and its inside interface is 10.1.10.1 - your SonicWall's outside interface is 10.1.10.2, and the SonicWall's inside interface is 192.168.1.1 - if you set up DynDNS in the SonicWall for "yourhost.dyndns.org", then yourhost.dyndns.org = 38.5.7.151.
You just need to be able to configure the Comcast router to forward incoming VPN traffic to the SonicWall.
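
The addressing in the comment above, worked through as an added example that is not part of the original thread: it compares the firewall's outside-interface address with the address an external IP-echo page reports, then derives the DynDNS record and what the upstream NAT device would have to forward. The function names and the sample response body are constructed for illustration; UDP 500 (IKE) and UDP 4500 (NAT-T) are the standard IPsec ports, not values taken from the thread.

```python
import ipaddress
import re

# Constructed sample: body an external IP-echo page might return when
# queried from behind the modem (the address is the one used in the thread).
SAMPLE_CHECKIP_BODY = "<html><body>Current IP Address: 38.5.7.151</body></html>"


def observed_address(body):
    """Pull the first IPv4 address out of an IP-echo response body."""
    m = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", body)
    if not m:
        raise ValueError("no IPv4 address in response")
    return ipaddress.ip_address(m.group(1))  # rejects e.g. 999.1.1.1


def plan(wan_ip, body):
    """Derive the DynDNS record and NAT consequences for the firewall.

    wan_ip: address configured on the firewall's outside interface.
    body:   response from an external IP-echo page (hypothetical format).
    """
    wan = ipaddress.ip_address(wan_ip)
    seen = observed_address(body)
    if not seen.is_global:
        # A private address here means the echo page is not really external.
        raise ValueError(f"{seen} is not publicly routable; do not publish it")
    upstream_nat = wan != seen
    forwards = []
    if upstream_nat:
        # IKE negotiates on UDP 500; NAT-T wraps ESP in UDP 4500 so the
        # tunnel traffic has ports the upstream NAT device can translate.
        forwards = [("udp", 500, str(wan)), ("udp", 4500, str(wan))]
    return {
        "dyndns_record": str(seen),
        "upstream_nat": upstream_nat,
        "enable_nat_traversal": upstream_nat,
        "forward_to_firewall": forwards,
    }


if __name__ == "__main__":
    print(plan("10.1.10.2", SAMPLE_CHECKIP_BODY))   # firewall behind the modem's NAT
    print(plan("38.5.7.151", SAMPLE_CHECKIP_BODY))  # bridged: firewall holds the public IP
```
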
digitap Commented:
Although I agree with your DynDNS synopsis, the Comcast can't NAT the IPSEC traffic.  This is the source of the trouble.  If you NAT the traffic, the VPN is likely going to fail.  NAT Traversal can be enabled in an attempt to get around this, but there's no guarantee.
Todd Gerbert (IT Consultant) Commented:
Ahh, I misunderstood where the monkey wrench is in the works.
digitap Commented:
Sure...complex is as complex does.
Tomster2 (Author) Commented:
Thanks for the input... always helps to have the insights of people who have been down this road before.

Will be splitting the points.

Thanks to all.
digitap Commented:
You're welcome and thanks for the points!