
Comcast business IP gateway & Netgear prosafe Dual WAN FVS336G

Hi everyone,

I'm back again! I have a Dual WAN Netgear ProSafe FVS336G firewall with one ISP on WAN1. The organization has another ISP (Comcast) sitting aside doing nothing. I'm thinking about connecting this second ISP to WAN2 on the firewall. The modem from Comcast is a Business IP Gateway modem with a dynamic IP. Now, my questions are: will it be easy to set up this second ISP on the firewall? Will it mess up the ISP on WAN1? Does it matter that the Comcast modem has a dynamic IP? Will this second connection mess up my email server when sending or receiving emails? I just want to make sure I do it right! Do you have any idea how to set up the Dual WAN firewall with a Business IP Gateway with a dynamic IP from Comcast?

Thank you!
Asked by hugonieto
PerarduaadastraCommented:
The FVS336G should be fine with the dynamic public IP assigned by Comcast.

You're right to be cautious about the implications for your email though; if your mail server starts sending mail from the new dynamic IP address it won't be long before your email domain and the dynamic IP address start appearing on RBLs. You can configure the Netgear so that SMTP traffic is bound to a particular WAN interface, thus preventing the wrong IP address appearing in your email headers with the consequent mismatch in the rDNS lookups that a great many mail servers do as a matter of course.

As the Comcast IP is dynamic there isn't much point in adding it to your existing MX records, as you could find yourself updating those records quite frequently...
0
 
TekServerCommented:
You could get around that last point by using a dynamic DNS client to keep an A record up to date with the dynamic IP changes, and point the MX record at the dDNS A record, but if you can bind the SMTP traffic to the existing static IP WAN connection that would be much simpler.  And unless you have a HUGE volume of mail traffic, you wouldn't see any noticeable gain in performance by load-balancing your mail traffic across 2 WAN connections anyway.

:)
0
 
hugonietoAuthor Commented:
Thank you all for your responses!

I connected the Comcast to WAN 2 on the firewall just to try it. When I used the auto-detect settings I got a "DHCP service detected"! OK! I had enabled the LAN settings in the Comcast Business IP Gateway to have a DHCP server the very first time I got it. So I went back and disabled it. I tried it again! This time I got "No service detected - Configuration is set to default settings".

OK! Now in the firewall for WAN 2 I manually entered a static IP, subnet mask, gateway, and server names which I got from the Gateway summary on the modem from Comcast. I know that this was stupid to do because the Comcast modem has a dynamic IP and I was 99% sure that it was not gonna work, but I just did it... This time I didn't get any errors but I can't get internet through WAN 2... I tested it and nothing... Page not found! I'm sure it doesn't work because I put a static IP!
0

 
PerarduaadastraCommented:
As you've discovered, manually entering IP information overrides any DHCP assignments coming down the wire.

The Comcast connection won't work unless you configure the Netgear WAN2 interface to obtain its IP configuration via DHCP. If the router doesn't pick up the DHCP information, try restarting the modem while telling the Netgear to auto-detect the connection.
The PADI and PADO packets transmitted and received between the two devices during this time should result in the connection being successfully established and the DHCP lease being granted to the WAN2 port of your Netgear.

You should then be able to access the web via WAN2.
0
 
hugonietoAuthor Commented:
Thanks Perarduaadastra, I will try that!
0
 
TekServerCommented:
Something to consider here:  if your Comcast Business IP Gateway device is configured to act as a router/gateway - and these kinds of devices almost always are, by default - then it's doing NAT:  network address translation.  This means that its public IP address, which it receives dynamically from Comcast on its external interface, is translated into a private IP subnet on its internal interface, to which it typically distributes IP addresses via DHCP.

Your Netgear device does basically the same thing, except that it has 2 external interfaces.

When you put one router/gateway behind another, you get a situation called "NAT behind NAT" - pretty self-explanatory if you understand what I wrote above about NAT.  NAT behind NAT can cause all kinds of interesting, obscure issues, and is best avoided when possible.

Luckily, the folks that make gateway/routers are aware of this, so they include a functionality in these devices called "Bridge Mode", which will basically "bridge" the external and internal interfaces, and pass the public IP address right through the device to the second router.

Dang it!  I slipped into teacher mode.  Sorry.  ;)

Short Version:  You need to put the Comcast Business IP Gateway in Bridge Mode, then configure the Netgear WAN2 interface to get its IP dynamically via DHCP.  It should then get the dynamic public IP address, and you should be up and running.  (Don't forget to do the configuration for the mail server as described by Perarduaadastra, of course.)

:)
0
 
hugonietoAuthor Commented:
Thank you all for your responses!

@TekServer - I kind of know how to make the email go out through the ISP on the first WAN, but I'm not sure how to set up the Comcast Business IP Gateway in bridge mode... I'm sorry! Could you please walk me through it?
0
 
PerarduaadastraCommented:
Ah, I didn't realise that the Comcast modem did NAT. Broadband modems (as opposed to combined modem/router devices) here in the UK tend not to do that.
0
 
TekServerCommented:
If you can provide a make and model on that Comcast Gateway, I'll try to find the info on how to put it in bridge mode.  It should be fairly straightforward, but some aren't.

;)
0
 
hugonietoAuthor Commented:
Thanks so much TekServer!! Here is the make and model of the firewall...


Netgear ProSafe Dual WAN VPN Gigabit Firewall FVS336G
0
 
TekServerCommented:
Actually, it's the Comcast device we need to put in bridge mode, not the dual-WAN Netgear device.

;)

@Perarduaadastra:  Don't sweat it.  Here in the US, multiple internet-connected devices in one home is becoming the norm, so most cable modems are not only routers, but often WiFi routers as well.

:)
0
 
hugonietoAuthor Commented:
Oh! I'm sorry! I don't know what I was thinking! I will provide it to you on Monday because I just got out of the office. Thank you!
0
 
hugonietoAuthor Commented:
Hi TekServer! Here is the right information!


Comcast Business IP Gateway

Make- SMC Networks
Model - SMCD3G
Diagnostic-Tools.jpg
0
 
TekServerCommented:
I've done a lot of Googling today.

Apparently, this device can't actually be put into bridge mode.  I'm a little unclear as to whether this is due to the way Comcast has their network set up, or the design of this SMC device, or both.

However, if I've understood what I've gleaned from various forums correctly, you can achieve basically the same thing by configuring several settings.  What you'll be doing is routing, rather than bridging, but for your purposes the end results should be indistinguishable.

So here's what you need to do:

On the SMC
In the Firewall section
CHK Disable Firewall for True Static IP Subnet Only
CHK Disable Gateway Smart Packet Detection
NOCHK Disable Ping on WAN Interface

In DMZ section
CHK Enable DMZ Host
and in "Please enter the IP address of the computer that you wish to add to the DMZ below" - 10.1.10.2

Now, in the Netgear, set the WAN2 interface to a static IP address of 10.1.10.2.

(Source.)

Actually, I'm making an assumption here:  I'm assuming that the LAN interface of your SMC is set to 10.1.10.1, like the example I pulled from that forum.  If not, you'll need to change that last part as appropriate.  For example, if the SMC's LAN interface is set to 192.168.1.1, set the Netgear WAN2 interface to 192.168.1.2 and put that in as the DMZ address in the SMC.  (Just make sure that the "DMZ" subnet is not the same as the LAN subnet behind the Netgear.)

There have been several experts in various forums that have advocated contacting Comcast tech support & getting their help with this.  Whether you want to configure the SMC device yourself, or wrangle with Comcast and hope you get a tech support rep that understands what you want, that's a decision I leave in your hands.

;)
0
 
hugonietoAuthor Commented:
Hi TekServer, and thank you for all your help!

I did what you suggested! Here it is...

1. SMC LAN is set to 192.168.xx.4 - 255.255.255.0
2. I set the DMZ to 192.168.xx.5
3. I set the WAN2 static IP to 192.168.xx.5 with a gateway of 192.168.xx.4
4. Because now I have WAN1 and WAN2 up I needed to put the WAN mode as load balancing, right? So, because Comcast has a dynamic IP and emails won't go out through Comcast... in the Protocol Binding section of the firewall I set up the service: SMTP, source network: any and destination network: my public IP from WAN1 (the ISP which has a static IP). I did this on both WAN1 and WAN2 in the Protocol Binding section.

Everything is working fine so far! We have internet and we are sending and receiving emails as well! I put the WAN mode to a single WAN port to test WAN2 and it is working! Now, is there a way to check if WAN2 is working when I have the WAN mode set to load balancing? I tried to test it like that but it said that I needed to have WAN2 as a single WAN port to be able to test it. Basically, I just want to know if the two ISPs are working and are load balancing the network traffic. Also, do you think I should put the services for HTTP and HTTPS in the Protocol Binding section to go through my public IP on WAN1?

One more question... in the firewall's SECURITY tab under the Firewall section I opened the ports for HTTP, HTTPS, and SMTP... Should I change anything in here? Because the outbound services are set to any WAN users and the inbound services destination is set to WAN1... What do you think? Do you think the way I did it is wrong or might mess things up even though it is working?


Thank you!
0
 
TekServerCommented:
You asked several follow-up questions there, so I'll try to address each of them briefly.

>> Now, is there a way to check if WAN2 is working when I have the WAN mode set to load balancing?

Hmm.  Well, if you download & install PingPlotter (I'd go with a trial version of Standard for now), you can use it to run a trace out to a web site - say Google - and watch the results.  If the load balancing is working, you should see periodic route changes as some packets go out WAN1 and some go out WAN2.
You also might get some interesting results from http://www.speedtest.net, though I wouldn't count on them being conclusive.  ;)

>> Also, do you think I should put the services for HTTP AND HTTPS in the Protocol Binding section to go through my Public IP in the WAN1?

If you have a web server, incoming HTTP and HTTPS traffic will be coming in via whichever IP address is pointed to by the www DNS record - which I would assume would be the static address on WAN1.  This will be unaffected by outgoing HTTP and HTTPS traffic, so there's no reason not to load-balance the outgoing side - thus no reason to do any protocol binding on these protocols (at least as I understand it).

>> One more question... in the firewall's SECURITY tab under the Firewall section I opened the ports for HTTP, HTTPS, and SMTP... Should I change anything in here?

If I understand this correctly, this means that you have internal web and mail servers, and in this section you have forwarded the appropriate ports through the firewall from WAN1 to these servers.  Assuming I've understood correctly, this sounds right.

>> What do you think? Do you think the way I did it is wrong or might mess things up even though it is working?

Assuming the PingPlotter test shows that the load balancing is working, I think you're good to go!

:)
0
 
hugonietoAuthor Commented:
Thanks TekServer!

I think we spoke too soon! I'm able to get internet from both ISPs and PingPlotter shows that load balancing is working fine! However, the email part is not working very well... We get emails without any problems! We send emails out and they go, but then we send again and they don't go out! We get an email with an error saying "mx.google.com gave this error: The IP you're using to send mail is not authorized to send email directly to our servers". Of course this is because emails are trying to go out through the Comcast Business IP Gateway which has a dynamic IP. The thing is that it kind of switches over between WAN1 and WAN2 when sending emails out, and that's why sometimes we are able to send emails out and sometimes not... even though I set the Protocol Binding section to take the SMTP service through our WAN1 which has a static IP to avoid this kind of problem! What am I doing wrong? I'm sure I'm doing something wrong on the firewall!
0
 
TekServerCommented:
Well, the first thing I would do is double- and triple-check all your settings on the Protocol Binding page; in particular, the Source Network address (or range).

Next, I would double-check the settings on your mail server.  If you have an anti-spam appliance like an IronPort or a Barracuda Spam Firewall, your mail server may be sending mail to it first to be filtered and then sent out; if this is the case you'll need to adjust your Source Network settings to the IP address of the anti-spam appliance rather than the mail server.  Also, if your mail server is configured for SMTPS, you'll need to add another Protocol Binding entry for this protocol (port 465).  Similarly, if your mail server is using the Message Submission port (587) instead of SMTP (25) you may need to alter your existing Protocol Binding or add a new one.

If none of that fixes the problem, post some screenshots of the Protocol Binding page and the error messages you're receiving, and I'll see if I can spot something there.

:)
0
 
PerarduaadastraCommented:
It does sound very much like a protocol binding configuration issue. As Tekserver says, we need to see how your SMTP traffic has been configured to help further.
0
 
hugonietoAuthor Commented:
Thank you guys!

Here are some pictures from the Protocol Binding section... I set up the single IP option for the destination network for WAN1 and WAN2... The IP is the static IP from my other ISP, set up on the WAN1 port.
WAN1-PRTOCOL-BINDING.png
WAN2-PRTOCOL-BINDING.png
0
 
PerarduaadastraCommented:
Well, you seem to have bound SMTP to both WAN1 and WAN2... you want to bind it to WAN1 only. This way, your SMTP traffic will always go out on WAN1, and never on WAN2, which is what you want. Delete the SMTP binding for WAN2, and the SMTP going out on that port will stop.
0
 
TekServerCommented:
I see the problem. (I'm sure Perarduaadastra does too; let's see if I can post first!)
;)

First, WAN2 doesn't need any Protocol Binding; that part can be removed.

Second, on WAN1, the Protocol Binding is specifying the WAN connection to use for outbound traffic, so you need to specify a Source Network, NOT a Destination Network.  Basically, you are telling the device that you want SMTP traffic going out from your mail server to go out through WAN1.  You don't care where that SMTP traffic is going.

So edit the existing Protocol Binding on WAN1, change the Destination Network to ANY, and change the Source Network to the (internal) IP address of your mail server.

:)

[EDIT] Well, Perarduaadastra beat me, but I still caught something (s)he missed.  ;)
0
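To make the two diagnoses above concrete, here is an added simulation (not Netgear firmware, a config export, or code from anyone in this thread) of how an outbound protocol-binding step is evaluated before load balancing. It assumes the semantics the two replies describe: a binding matches only when its service, Source Network and Destination Network selectors all match the new flow, and an unmatched flow falls through to the load balancer. The addresses (WAN1 public IP, mail server, remote MX) are placeholders from the RFC 5737 documentation ranges, and the round-robin balancer is a stand-in for whatever the FVS336G actually does. With the thread's original rules (Destination = WAN1's own public IP), an SMTP session to an outside MX never matches, so it alternates between WAN1 and WAN2 exactly as hugonieto observed; with the corrected rule (Source = mail server, Destination = Any) every session leaves on WAN1.

```python
"""Constructed simulation of a dual-WAN 'protocol binding' step.

Added illustration, not Netgear code. Assumed semantics: bindings are
checked in order before the load balancer; the first binding whose
service, source and destination selectors all match pins the flow to
that WAN; otherwise the balancer picks a WAN for the new flow.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Binding:
    wan: str                             # "WAN1" or "WAN2"
    service: str                         # "SMTP", "HTTP", ...
    source: Optional[str] = None         # single IP or CIDR; None = "Any"
    destination: Optional[str] = None    # single IP or CIDR; None = "Any"


@dataclass(frozen=True)
class Flow:
    service: str
    src: str   # internal host that opened the connection
    dst: str   # remote peer it is connecting to


def _selector_matches(selector: Optional[str], addr: str) -> bool:
    """'Any' matches everything; a single IP or CIDR must contain addr."""
    if selector is None:
        return True
    return ip_address(addr) in ip_network(selector, strict=False)


def select_wan(flow: Flow, bindings: List[Binding],
               balancer: Callable[[Flow], str]) -> str:
    """Return the WAN a new outbound flow is sent through."""
    for b in bindings:
        if (b.service == flow.service
                and _selector_matches(b.source, flow.src)
                and _selector_matches(b.destination, flow.dst)):
            return b.wan
    return balancer(flow)  # no binding matched: fall through to load balancing


def round_robin() -> Callable[[Flow], str]:
    """Stand-in for the load balancer: alternate WAN1/WAN2 per new flow."""
    counter = [0]

    def pick(_: Flow) -> str:
        counter[0] += 1
        return "WAN1" if counter[0] % 2 else "WAN2"
    return pick


# Placeholder addresses (RFC 5737 documentation ranges); all assumptions.
WAN1_PUBLIC = "203.0.113.10"    # static IP of the first ISP on WAN1
MAIL_SERVER = "192.168.50.25"   # internal mail server behind the Netgear
REMOTE_MX = "198.51.100.27"     # stands in for mx.google.com

# What the thread's screenshots described: SMTP bound on BOTH WANs, with
# the selector on Destination = WAN1's own public IP.
MISCONFIGURED = [
    Binding("WAN1", "SMTP", source=None, destination=WAN1_PUBLIC),
    Binding("WAN2", "SMTP", source=None, destination=WAN1_PUBLIC),
]

# The fix from the thread: one binding on WAN1, Source = mail server,
# Destination = Any, and nothing bound on WAN2.
CORRECTED = [Binding("WAN1", "SMTP", source=MAIL_SERVER, destination=None)]


def smtp_egress(bindings: List[Binding], connections: int = 4) -> List[str]:
    """WAN chosen for `connections` successive outbound SMTP sessions."""
    balancer = round_robin()
    flow = Flow("SMTP", MAIL_SERVER, REMOTE_MX)
    return [select_wan(flow, bindings, balancer) for _ in range(connections)]


def leaks_to(bindings: List[Binding], wan: str) -> bool:
    """True if any outbound SMTP session from the mail server uses `wan`."""
    return wan in smtp_egress(bindings)


if __name__ == "__main__":
    print("misconfigured:", smtp_egress(MISCONFIGURED))  # alternates WAN1/WAN2
    print("corrected:   ", smtp_egress(CORRECTED))       # always WAN1
```

The point the simulation makes is the one in the replies: an outbound binding has to select on where the traffic comes from (the mail server, or the anti-spam appliance in front of it), because the destination of outbound SMTP is the remote MX, never your own WAN1 address. Web traffic from other hosts matches no binding under the corrected rules and is still load-balanced, which is what TekServer recommended for HTTP/HTTPS.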
 
PerarduaadastraCommented:
@Tekserver: I'd seen that too, but only after I posted! Still, hugonieto should be sorted now.
0
 
hugonietoAuthor Commented:
Thank you so much guys! It looks like it is working now! I have been testing it by sending emails out for the last 10 minutes and they go out! THANK YOU! I really appreciate all the help!
0
 
TekServerCommented:
Thanks, glad we could help!

:)
0