I have run into an unusual configuration. Is it possible to configure an RV180 with Comcast's Ethernet IP assignments as a Layer 3 device?
Here's why this is a bit tricky:
Comcast provides a P2P IP address with its own subnet and gateway that I have to set as my WAN to get any service. They also provide a "customer usable" static IP block that uses a different subnet than the provided P2P WAN block, hence the requirement that a router or savvy layer 3 device be configured to route the static IPs through to the P2P WAN.
Put another way, a P2P /30 block needs to be routed to a /29 block that holds the public static IPs.
I've tested an RV180 and the most obvious configurations to do this aren't passing static IPs from WAN to the LAN, though I haven't completely exhausted every approach yet. Still, there is very little information on doing this specifically other than involving one-to-one NAT or a DMZ, neither of which seems to be working for me.
It could be a combination of things such as which Routing mode: (Gateway) NAT or Router? Would either of these modes work with one-to-one NAT the same way? Is it a combination of DMZ, a Routing Mode as well?
Any insight would be appreciated.
I'm most familiar with Sonicwall devices, but even then I've never had to route anything this way with static IPs. Until now our ISP always provided the Layer 3 device.
Here are more specifics after some more testing:
If the RV180 is set to one-to-one NAT (any service) using the provided Comcast public IPs to my static assigned LAN IPs, my test PC reports the correct public static IP address back to the Internet using a "what's my ip" search engine query. However with these settings I cannot ping this same static IP from the outside. Setting additional (redundant) firewall DNAT rules for any service pointing the WAN to the DNAT IP in addition to One-to-one NAT makes no difference.
Other posts on this community suggest that either one-to-one NAT or a DNAT firewall rule will do the same thing with the DNAT option being preferred for fine access rule control. I tried removing one-to-one NAT and setting both incoming and outgoing DNAT rules. My public static IP still cannot be pinged and my static assigned test PC does not report the proper static IP to the Internet (e.g. "what's my ip"). I might have missed something else in this configuration as well.
So to date I've yet to get the Comcast public IPs that are routed through our P2P WAN IP to talk to the LAN on the RV180. My takeaway so far is that even with one-to-one NAT there is something missing even though one-to-one NAT should dump all services/ports between the WAN and LAN with the correct IP address. I'm going to go over my setups again and try some more things, but it is beginning to seem like this particular configuration is a no-go and I should go for another router. Comcast suggests a "brown box" or commercial grade device (
To allow ping reply from internet, go to Firewall-> Attack Prevention: Respond to Ping on WAN (Internet)
One-to-One NAT traffic is firewalled. To allow all inbound traffic, create an Access Rule for any service. Select Use Other WAN (Internet) IP Address at the bottom and enter the WAN IP that is bound to the LAN server.
Thanks for the clarification on One-to-One NAT still requiring access rules. It would seem so anyway, but I've read enough other threads now that I couldn't be sure what to expect any more.
I'm still not getting a successful ping from the outside or any indication that incoming traffic is going where it should via One-to-One NAT.
I have a theory that somehow Comcast hasn't properly enabled our static IPs although they can be traced and are seen by the Internet. Testing that is going to be difficult without getting either the RV180 or any other router working as expected.
The easiest way to test additional WAN IPs is to use one of them as the static WAN IP of the router. If it fails, there is something wrong at the ISP side.
That's the odd part of the Comcast Business Ethernet Fiber configuration requirement; only the P2P static IP will work for the WAN and it is a different subnet from the "customer usables" public block. Comcast is routing our public block through the P2P IP, however we have to route that to our own gateway since the provided P2P gateway is on a different subnet.
The best way to present this is to provide an example of the addresses provided:
Assign to your Layer 3 device:
P2P IP: 000.111.222.96/30
Customer Layer 3 (.98)
P2P Subnet: 255.255.255.252
Customer Allocation: 000.111.222.104/29
Customer Useable IP’s: 000.111.222.105 thru .110
Customer Allocation Subnet: 255.255.255.248
The P2P block is the only useable WAN gateway, so we must route the RV180's LAN to that while mapping the proper "Customer Usable" block through the RV180.
I could even be on the wrong track using One-to-One NAT; perhaps static routes are required with Routing Mode set to "Router" instead of "Gateway (NAT)"?
That is odd. Normally when we see a block of WAN IPs, they are consecutive. The first one goes on the WAN port and the rest use One-to-One NAT.
You may be right about using Router Mode and static routes.
My first test setups had Routing Mode set to "Routing" with static routes set and with the static IPs on the LAN. I had no success with that though I was suspicious that I hadn't covered all the settings properly. After reading up on similar configurations it seemed that DNAT/One-to-One was a good approach to try. Overall I'm not experienced building static routes and the RV180 settings don't quite align with most Cisco-related static routing tutorials which are written for the "big-boy" routers and usually involve command-line statements. But it's worth another shot.
I'll add that I ended up on the NAT side of things based on this post:
Also, it may help the discussion to share his visual topology example ripped off from a Comcast help discussion elsewhere as it isn't far from what we'd want to set the RV180 to do:
After further testing and in the interest of keeping this forum useful I would like to return to my original question regarding whether the RV-180 is a good fit for a small business layer 3 router when used with Comcast's slightly unusual static IP requirement:
The conclusion is no, the RV-180 is not a good solution as a layer 3 router for Comcast Business Ethernet when multiple public IP addresses are needed. It will work fine in most other common NAT scenarios, but not for one involving Comcast Business.
Suggested alternatives would be an Adtran or Cisco 891 series device that is more specific to routing only.
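
The addressing discussed in this thread, worked through as an added example that is not part of the original posts: it derives the WAN settings, the router-mode LAN numbering and a one-to-one NAT pairing for a public block routed over a /30 link. The addresses are constructed from the 203.0.113.0/24 documentation range with the same final octets as the thread's sample; the function names and the 192.168.1.x private hosts are assumptions.

```python
import ipaddress

def plan_routed_block(p2p_cidr, customer_wan_ip, block_cidr):
    """Derive WAN/LAN settings for a public block the ISP routes via a /30 link."""
    p2p = ipaddress.ip_network(p2p_cidr)
    block = ipaddress.ip_network(block_cidr)
    wan_ip = ipaddress.ip_address(customer_wan_ip)
    if p2p.prefixlen != 30:
        raise ValueError("point-to-point link is expected to be a /30")
    link_hosts = list(p2p.hosts())  # a /30 has exactly two host addresses
    if wan_ip not in link_hosts:
        raise ValueError("WAN address must be one of the two hosts of the /30")
    if p2p.overlaps(block):
        raise ValueError("block overlaps the link subnet: it is on-link, not routed")
    isp_gateway = next(h for h in link_hosts if h != wan_ip)
    usable = list(block.hosts())
    return {
        "wan": {"ip": str(wan_ip), "mask": str(p2p.netmask),
                "gateway": str(isp_gateway)},
        # Router mode (no NAT): the LAN itself is numbered from the public block,
        # with the router's LAN interface taking the first usable address.
        "router_mode": {"lan_ip": str(usable[0]), "lan_mask": str(block.netmask),
                        "hosts": [str(h) for h in usable[1:]]},
        # Either mode only sees inbound traffic if the ISP holds this route.
        "isp_route": f"{block} via {wan_ip}",
    }

def one_to_one_map(block_cidr, private_start, count):
    """Gateway (NAT) mode alternative: pair public addresses with private hosts."""
    public = list(ipaddress.ip_network(block_cidr).hosts())
    if count > len(public):
        raise ValueError("more private hosts than usable public addresses")
    first = ipaddress.ip_address(private_start)
    return {str(public[i]): str(first + i) for i in range(count)}

if __name__ == "__main__":
    # Constructed sample input mirroring the thread's layout (.96/30 and .104/29).
    plan = plan_routed_block("203.0.113.96/30", "203.0.113.98", "203.0.113.104/29")
    for section, value in plan.items():
        print(section, value)
    print(one_to_one_map("203.0.113.104/29", "192.168.1.10", 3))
```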