hugonieto
asked on
Comcast business IP gateway & Netgear prosafe Dual WAN FVS336G
Hi everyone,
I'm back again!! I have a Dual WAN Netgear ProSafe FVS336G firewall with one ISP on WAN1. The organization has another ISP (Comcast) sitting aside doing nothing. I'm thinking about connecting this second ISP to the WAN2 on the firewall. The modem from Comcast is a Business IP Gateway Modem with a dynamic IP. Now, my questions are..... Will it be easy to set up this second ISP on the firewall? Will it mess up the ISP on WAN1? Does it matter that the Comcast modem has a dynamic IP? Will this second connection mess up my email server when sending or receiving emails? I just want to make sure I do it right! Do you have any idea of how to set up the Dual WAN firewall with Business IP Gateway with a dynamic IP from Comcast?
Thank you!
You could get around that last point by using a dynamic DNS client to keep an A record up to date with the dynamic IP changes, & point the MX record at the dDNS A record, but if you can bind the SMTP traffic to the existing static IP WAN connection that would be much simpler. And unless you have a HUGE volume of mail traffic, you wouldn't see any noticeable gain in performance by load-balancing your mail traffic across 2 WAN connections anyway.
:)
ASKER
Thank you all for your responses!
I connected the Comcast to the WAN 2 in the firewall just to try it. When I used the auto detect settings I got a "DHCP service detected"!!! Ok! I enabled the LAN settings in the Comcast Business IP gateway to have a DHCP server the very first time I got it. So, I went back and I disabled it. I tried it again! This time I got a "No service detected - Configuration is set to default settings"
Ok! Now in the firewall for the WAN 2 I manually entered a static IP, subnet mask, gateway, and server names which I got from the Gateway summary on the modem from Comcast. I know that this was stupid to do because the Comcast modem has a dynamic IP and I was 99% sure that it was not gonna work but I just did it...... This time I didn't get any errors but I can't have internet through WAN 2.... I tested it and nothing.... Page not found!!!! I'm sure it doesn't work because I put a static IP!!
As you've discovered, manually entering IP information overrides any DHCP assignments coming down the wire.
The Comcast connection won't work unless you configure the Netgear WAN2 interface to obtain its IP configuration via DHCP. If the router doesn't pick up the DHCP information, try restarting the modem while telling the Netgear to auto-detect the connection.
The PADI and PADO packets transmitted and received between the two devices during this time should result in the connection being successfully established and the DHCP lease being granted to the WAN2 port of your Netgear.
You should then be able to access the web via WAN2.
ASKER
Thanks Perarduaadastra, I will try that!
Something to consider here: if your Comcast Business IP Gateway device is configured to act as a router/gateway - and these kinds of devices almost always are, by default - then it's doing NAT: network address translation. This means that its public IP address, which it receives dynamically from Comcast on its external interface, is translated into a private IP subnet on its internal interface, to which it typically distributes IP addresses via DHCP.
Your Netgear device does basically the same thing, except that it has 2 external interfaces.
When you put one router/gateway behind another, you get a situation called "NAT behind NAT" - pretty self-explanatory if you understand what I wrote above about NAT. NAT behind NAT can cause all kinds of interesting, obscure issues, and is best avoided when possible.
Luckily, the folks that make gateway/routers are aware of this, so they include a functionality in these devices called "Bridge Mode", which will basically "bridge" the external and internal interfaces, and pass the public IP address right through the device to the second router.
Dang it! I slipped into teacher mode. Sorry. ;)
Short Version: You need to put the Comcast Business IP Gateway in Bridge Mode, then configure the Netgear WAN2 interface to get its IP dynamically via DHCP. It should then get the dynamic public IP address, and you should be up and running. (Don't forget to do the configuration for the mail server as described by Perarduaadastra, of course.)
:)
ASKER
Thank you all for your responses!
@TekServer - I kind of know how to make the email go out through the ISP on the first WAN but I'm not sure how to set up the Comcast Business IP Gateway in bridge mode.... I'm sorry! Could you please walk me through.....
Ah, I didn't realise that the Comcast modem did NAT. Broadband modems (as opposed to combined modem/router devices) here in the UK tend not to do that.
If you can provide a make and model on that Comcast Gateway, I'll try to find the info on how to put it in bridge mode. It should be fairly straightforward, but some aren't.
;)
ASKER
Thanks so much TekServer!! Here is the make and model of the firewall...
Netgear ProSafe Dual WAN VPN Gigabit Firewall FVS336G
Actually, it's the Comcast device we need to put in bridge mode, not the dual-WAN Netgear device.
;)
@Perarduaadastra: Don't sweat it. Here in the US, multiple internet-connected devices in one home is becoming the norm, so most cable modems are not only routers, but often WiFi routers as well.
:)
ASKER
Oh!!!! I'm sorry!! I don't know what I was thinking!!! I will provide it to you on Monday because I just got out of the office. Thank you!!!
ASKER
Hi TekServer!! Here is the right information!!
Comcast Business IP Gateway
Make- SMC Networks
Model - SMCD3G
Diagnostic-Tools.jpg
ASKER CERTIFIED SOLUTION
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi TekServer and thank you for all your help!!
I did what you suggested! Here it is...
1. SMC LAN is set to 192.168.xx.4 - 255.255.255.0
2. I set the DMZ to 192.168.xx.5
3. I set the WAN2 static IP to 192.168.xx.5 with a gateway 192.168.xx.4
4. Because now I have WAN1 and WAN2 up I needed to put the WAN mode as load balancing, right? So, because Comcast has a dynamic IP and emails won't go out through Comcast ..... So, in the Protocol Binding section of the firewall I set up the service: SMTP, source network: any and destination network: my public IP from WAN1 (ISP which has a static IP)..... I did this on both WAN1 and WAN2 in the Protocol Binding section.
Everything is working fine so far!! We have internet and we are sending and receiving emails as well!!!! I put the WAN mode to a single WAN port to test WAN2 and it is working!!! Now, is there a way to check if WAN2 is working when I have the WAN mode set to load balancing? I tried to test it like that but it said that I needed to have the WAN2 as a single WAN port to be able to test it. Basically, I just want to know if the two ISPs are working and are load balancing the network traffic. Also, do you think I should put the services for HTTP AND HTTPS in the Protocol Binding section to go through my Public IP in the WAN1?
One more question..... in the firewall's tab SECURITY under the section firewall I opened the ports for HTTP, HTTPS, AND SMTP........ Should I change anything in here? Because the outbound services are set to any WAN users and the inbound services destination are set to WAN1....... What do you think? Do you think the way I did it is wrong or might mess things up even though it is working?
Thank you!
You asked several follow-up questions there, so I'll try to address each of them briefly.
>> Now, is there a way to check if WAN2 is working when I have the WAN mode set to load balancing?
Hmm. Well, if you download & install PingPlotter (I'd go with a trial version of Standard for now), you can use it to run a trace out to a web site - say Google - and watch the results. If the load balancing is working, you should see periodic route changes as some packets go out WAN1 and some go out WAN2.
You also might get some interesting results from http://www.speedtest.net, though I wouldn't count on them being conclusive. ;)
>> Also, do you think I should put the services for HTTP AND HTTPS in the Protocol Binding section to go through my Public IP in the WAN1?
If you have a web server, incoming HTTP and HTTPS traffic will be coming in via whichever IP address is pointed to by the www DNS record - which I would assume would be the static address on WAN1. This will be unaffected by outgoing HTTP and HTTPS traffic, so there's no reason not to load-balance the outgoing side - thus no reason to do any protocol binding on these protocols (at least as I understand it).
>> One more question..... in the firewall's tab SECURITY under the section firewall I opened the ports for HTTP, HTTPS, AND SMTP........ Should I change anything in here?
If I understand this correctly, this means that you have internal web and mail servers, and in this section you have forwarded the appropriate ports through the firewall from WAN1 to these servers. Assuming I've understood correctly, this sounds right.
>> What do you think? Do you think the way I did it is wrong or might mess things up even though it is working?
Assuming the PingPlotter test shows that the load balancing is working, I think you're good to go!
:)
ASKER
Thanks TekServer!!!
I think we spoke too soon!! I'm able to have internet from both ISPs and PingPlotter shows that load balancing is working fine!! However, the email part is not working very well...... We get emails without any problems!!! We send emails out and they go, but then we send again and they don't go out! We get an email with an error saying "mx.google.com gave this error: The IP you're using to send mail is not authorized to send email directly to our servers". Of course this is because emails are trying to go out through the Comcast Business IP Gateway, which has a dynamic IP. The thing is that it kind of switches over between WAN1 and WAN2 when sending emails out, and that's why sometimes we are able to send emails out and sometimes not...... even though I set the Protocol Binding section to take the SMTP services through our WAN1, which has a static IP, to avoid this kind of problem! What am I doing wrong? I'm sure I'm doing something wrong on the firewall!!
Well, the first thing I would do is double- and triple-check all your settings on the Protocol Binding page; in particular, the Source Network address (or range).
Next, I would double check the settings on your mail server. If you have an anti-spam appliance like an IronPort or a Barracuda Spam Firewall, your mail server may be sending mail to it first to be filtered and then sent out; if this is the case you'll need to adjust your Source Network settings to the IP address of the anti-spam appliance rather than the mail server. Also, if your mail server is configured for SMTPS, you'll need to add another Protocol Binding entry for this protocol (port 465). Similarly, if your mail server is using the Message Submission port (587) instead of SMTP (25) you may need to alter your existing Protocol Binding or add a new one.
If none of that fixes the problem, post some screenshots of the Protocol Binding page and the error messages you're receiving, and I'll see if I can spot something there.
:)
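Added example, not part of the thread and not the FVS336G's own configuration format: a simplified model of protocol-binding rules (port, source network, destination network, WAN) that audits outbound mail flows for the gaps listed in the post above (wrong source host, ports 465 and 587). All addresses, rule contents and function names are constructed for illustration, and first-match rule evaluation is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Binding:
    port: int          # destination TCP port of the bound service
    source: str        # LAN source network (CIDR)
    destination: str   # remote destination network (CIDR)
    wan: str           # WAN interface the service is pinned to

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (port == self.port
                and ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination))


def egress(bindings, src, dst, port):
    """Return the WAN a flow is pinned to, or None if load balancing decides."""
    for rule in bindings:          # assumption: first matching rule wins
        if rule.matches(src, dst, port):
            return rule.wan
    return None


def audit(bindings, flows, static_wan="WAN1"):
    """Return the flows that are NOT guaranteed to leave via the static-IP WAN."""
    return [f for f in flows if egress(bindings, *f) != static_wan]


def missing_bindings(unpinned, static_wan="WAN1"):
    """Build one host-specific rule per unpinned (source, port) pair."""
    pairs = sorted({(src, port) for src, _dst, port in unpinned})
    return [Binding(port, f"{src}/32", "0.0.0.0/0", static_wan)
            for src, port in pairs]


# Constructed sample data (RFC 1918 / RFC 5737 documentation addresses).
MAIL_SERVER = "192.168.1.10"
SPAM_FILTER = "192.168.1.20"      # hypothetical anti-spam relay
REMOTE_MX = "198.51.100.25"       # hypothetical recipient mail exchanger

BINDINGS = [
    # Covers only the mail server on port 25.
    Binding(25, "192.168.1.10/32", "0.0.0.0/0", "WAN1"),
    # Destination limited to one address: never matches mail to other hosts.
    Binding(465, "192.168.1.0/24", "203.0.113.7/32", "WAN1"),
]
FLOWS = [
    (MAIL_SERVER, REMOTE_MX, 25),
    (SPAM_FILTER, REMOTE_MX, 25),   # relay is a different source host
    (MAIL_SERVER, REMOTE_MX, 465),  # SMTPS
    (MAIL_SERVER, REMOTE_MX, 587),  # message submission
]

if __name__ == "__main__":
    gaps = audit(BINDINGS, FLOWS)
    for src, dst, port in gaps:
        print(f"unpinned: {src} -> {dst}:{port}")
    fixed = missing_bindings(gaps) + BINDINGS
    print("remaining gaps after adding rules:", audit(fixed, FLOWS))
```

Any flow the audit reports is left to the load balancer, which matches the intermittent pattern described earlier in the thread where some messages leave from the dynamic address.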
SOLUTION
ASKER
Thank you guys!
Here are some pictures from the protocol binding section..... I set up the single IP option for the destination network for WAN1 and WAN2..... The IP is the static IP from my other ISP set up on the WAN1 port.
WAN1-PRTOCOL-BINDING.png
WAN2-PRTOCOL-BINDING.png
SOLUTION
SOLUTION
@Tekserver: I'd seen that too, but only after I posted! Still, hugonieto should be sorted now.
ASKER
Thank you so much guys!!!!!! It looks like it is working now!! I have been testing it by sending emails out for the last 10 minutes and they go out!!! THANK YOU!! I really appreciate all the help!!
Thanks, glad we could help!
:)
You're right to be cautious about the implications for your email though; if your mail server starts sending mail from the new dynamic IP address it won't be long before your email domain and the dynamic IP address start appearing on RBLs. You can configure the Netgear so that SMTP traffic is bound to a particular WAN interface, thus preventing the wrong IP address appearing in your email headers with the consequent mismatch in the rDNS lookups that a great many mail servers do as a matter of course.
As the Comcast IP is dynamic there isn't much point in adding it to your existing MX records, as you could find yourself updating those records quite frequently...