Network Topology for Home Business on Comcast Biz Internet

macrosoft

Reputable
Aug 28, 2015
7
0
4,510
Hi there!

I was hoping to consult y'all regarding the network topology for my home business, running on Comcast Business Internet with 5 static IP addresses.

The first image below reflects my current setup, but it doesn't work for the WAN side of things, and it's my understanding that NAT is not necessarily the best approach. The second image is the only alternative that I can think of. Are the firewall capabilities (summarized below) built into the Comcast modem sufficient, or could someone recommend an affordable off-the-shelf appliance to do this?

The Comcast IP Gateway's firewall offers:
Stateful packet inspection (SPI)
Port forwarding (up to 35 forwards)
Port blocking
Port triggering (up to 50)
Keyword blocking (up to 50)

Any insight would be greatly appreciated! Thanks for stopping by!

Current Setup:
network_2.jpg


Alternative Setup
network_1.jpg

A 1-1 NAT does not have as much downside as a many-1 NAT. Sometimes though the server really wants to have the IP for application reasons.

It really depends on the capability of your internet-facing device. Most of the time when a commercial connection is put in they give a single IP for your router/firewall and then route the subnet to that single IP. That allows you to put that subnet on your LAN or do NAT or whatever you need.

When you are in effect running a modem to connect to the ISP (like a cable modem) and they just allow multiple devices to connect, it gets a little messy to get connected. You would put a switch into the modem and then connect all the devices. The huge downside to this is it makes it very hard to use a single firewall to control all these. You end up with your servers directly connected to the internet with no protection.

It's hard to say. I would see if they will give you a more standard install and actually route a subnet; it makes life much easier.

Otherwise it will greatly depend on your router/firewall and what abilities it has to accept multiple IP addresses. I know for example the AT&T U-verse business offering is a huge pain to get installed in a way that allows you to assign IPs directly to the machine.
 

macrosoft

Aug 28, 2015
Hey bill001g - thanks for stopping by and chiming in!

Could you elaborate on what routing a subnet might look like with respect to the network diagram? It seems like NAT or static routing might fit this description of subnet routing.


Here's Comcast's recommendation for a single static IP.

Comcast-Business-Class-Static-IP-Network-Diagram-for-Pseudo-Bridge-Mode.jpg

 
5 is not a standard number of IPs so it's hard to say what they are up to. A /29 gives 6 usable.

So I will assume a commercial router, i.e. it can actually route, and NAT is optional and not the primary feature.

My crap diagram.

ISP----.1 x.x.x.?/30---.2 wan----local router---lan ---y.y.y.x/29------devices y.y.y.?

The ISP would route y.y.y.?/29 to x.x.x.2. Your router would assign some address from this subnet to its LAN. The end devices would be assigned IPs within the /29 pointing to the router's address, i.e. y.y.y.x in this example. There is no NAT involved in this type of install, and it is how most large commercial installs are done. In most cases the device I have labeled local router is actually a firewall, but any device that can filter traffic technically is a firewall.
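As an added example (not code from the thread), the following Python script works through the routed-/29 layout above with constructed documentation addresses: it derives the ISP link, router WAN and LAN addresses and the host addresses, and emits a stateful, default-deny iptables FORWARD ruleset with no NAT that admits only the listed ports to each public host. The service map and hostnames are assumptions.

```python
import ipaddress

# Constructed example addresses (RFC 5737 documentation ranges, not a real allocation).
ISP_LINK = "203.0.113.0/30"       # the x.x.x.?/30 point-to-point link in the diagram
ROUTED_BLOCK = "198.51.100.8/29"  # the y.y.y.?/29 the ISP routes to the router's WAN address
# Assumed public services per host; anything not listed is dropped by the default policy.
SERVICES = {"web": [80, 443], "mail": [25]}


def plan_addressing(link_cidr, block_cidr, host_names):
    """Return the addressing plan for a routed /29: ISP side, router WAN, router LAN, hosts."""
    link = ipaddress.ip_network(link_cidr)
    block = ipaddress.ip_network(block_cidr)
    link_hosts = list(link.hosts())   # a /30 has exactly two usable addresses
    usable = list(block.hosts())      # a /29 yields six usable addresses
    if len(host_names) > len(usable) - 1:
        raise ValueError("router takes one of the %d usable addresses" % len(usable))
    return {
        "isp_gateway": str(link_hosts[0]),   # .1 in the diagram
        "router_wan": str(link_hosts[1]),    # .2: the ISP routes the /29 here
        "router_lan": str(usable[0]),        # LAN-side gateway every host points at
        "hosts": {name: str(addr) for name, addr in zip(host_names, usable[1:])},
        "prefixlen": block.prefixlen,
    }


def firewall_rules(plan, block_cidr, services):
    """iptables FORWARD rules for the routed block: stateful, default deny, no nat table."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # hosts in the routed block may initiate outbound connections
        "iptables -A FORWARD -s %s -m conntrack --ctstate NEW -j ACCEPT" % block_cidr,
    ]
    for name, ports in services.items():
        for port in ports:  # inbound NEW connections only to the published ports
            rules.append("iptables -A FORWARD -d %s -p tcp --dport %d "
                         "-m conntrack --ctstate NEW -j ACCEPT" % (plan["hosts"][name], port))
    return rules


def uses_nat(rules):
    """True if any rule touches the nat table; the routed design should never need it."""
    return any("-t nat" in r or "MASQUERADE" in r or "DNAT" in r for r in rules)


if __name__ == "__main__":
    plan = plan_addressing(ISP_LINK, ROUTED_BLOCK, list(SERVICES))
    print(plan)
    print("\n".join(firewall_rules(plan, ROUTED_BLOCK, SERVICES)))
```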

 

macrosoft

Aug 28, 2015
I whipped up the following diagram as my interpretation of your advice, Bill001g. What I also hear you saying is that the Gateway modem/router should be handling all the dirty work going from public to private IP, no special configurations necessary (e.g. NAT)? Is this a fair interpretation?

network_3.jpg
 
No. If you have the IPs assigned as 10.x.x.x addresses on the internal network then you must NAT them. You would need to really put the IPs on the end devices if you do not want to NAT.

Now there is another fairly uncommon method used. What you can do is assign both the 10.x.x.x address and the real address to the server. The server must support the concept of loopback addresses. So say you have address 1.2.3.2 and you want to assign it to 10.0.0.2. What you can do is put in a static route for 1.2.3.2/32 pointing to 10.0.0.2. The server would be responsible for sending traffic with the loopback address rather than its ethernet port.

 

Kewlx25

Distinguished
I can see a usage for 2-3 LAN networks

1) DMZ for your public-facing servers. Not a true DMZ, because you should never make a server wide open to the Internet, but they're public facing.
2) Internal only network for your NAS, wifi, and other client devices.

2 can possibly be broken into two more networks

2a) Internal network for hardwired devices
2b) WiFi with limited access to the rest of the network, with a possible VPN service to gain full internal access as if via a network cable.
 

macrosoft

Aug 28, 2015
Ok, I think I'm starting to understand.

I'd like to emulate the strategy most large commercial installs follow, as per your original advice. It sounds to me like this is more the setup you are describing *crossing fingers* ;)

network_4.jpg
 
That will work. Now can you get your router/firewall to actually do it? With a commercial device this would be simple. Even a consumer router with dd-wrt can be made to work; a little confusing at first using iptables commands, but it can be done. Now the problem will be getting the ISP to route you the IPs, or at least give them to you in a way that you can accomplish this.
 
Solution

macrosoft

Aug 28, 2015
That does appear to work. Thank you for all your insight Bill!

I thought I was having some domain name mapping issues but they seem to have all but evaporated. I hope it stays that way.

Are there any specific firewall features I should hone in on or that you'd recommend closer examination of?
 

macrosoft

Aug 28, 2015
Hey Kewlx25!

Would you recommend moving the PDC (DHCP/DNS/AD) to the LAN segment? How do I provide nameserver resolution on the WAN side for the web server? Should I just add a DNS server to the web server, or should this be performed by a dedicated system?

Thanks again for your feedback Kewlx25. I know this to be an important nuance in the security of my home network, and I'd like to make sure everything is located where it should be.

network_4.jpg