> -----Original Message-----
> From: list-boun...@lists.pfsense.org [mailto:list-
> boun...@lists.pfsense.org] On Behalf Of Jason T. Slack-Moehrle
> Sent: Friday, February 10, 2012 1:51 PM
> To: pfSense support and discussion
> Subject: Re: [pfSense] pfSense help with creating rules
>
> Hi,
> > Wait, are you saying I could just pay Comcast for 14 addresses and
> create a routed subnet myself and not have them do it?
> >
> > Or could I just have them create for me a 2nd IP block of 1 IP,
> load that on the modem with my block of 5 and somehow create a
> routed subnet from the /31 to my /29 without them, so that pfSense
> is set up the correct way?
>
> OK, Comcast called me back and they are saying for me to:
>
> 1. load my /29 on the WAN port of the pfsense box
> 2. Create a vlan for something like 10.0.0.x
> 3. Create a 1:1 NAT for the public IP's in the /29 to a 10.0.0.x
> 4. Assign my servers a 10.0.0.x address, etc
>
> They say they cannot create a routed subnet for me because the
> modems they use cannot handle loading of multiple IP blocks.
>
> Is this viable?
>
> -Jason


So, as expected, they recommend port forwarding.  (1:1 NAT is a special 
case of port forwarding, or vice versa depending on how you want to look 
at it.)

The excuse about the modem not handling it is complete BS; what they 
really mean is "we don't have an operational procedure to support this, 
and we don't feel like developing one, so we'll make up a 
plausible-sounding technical reason".

They'll be using a Cisco uBR7206 at the very minimum to handle HFC 
routing; it might not be Cisco in your area, or it might not be a uBR 
platform, but your next-hop router WILL be capable enough to handle a 
single static route.  All the modem has to do is its traditional function 
of bridging a single MAC address back and forth over the wire.  Depending 
on the modem, they *may* have to turn off some of the IP security features 
("snooping") in the modem.

However, there's nothing that says you have the "right" to a 
properly-routed subnet - Comcast has no obligation whatsoever to provide 
this service to you at any price.  It doesn't really matter, as you have 
two other viable options available to you (NAT and bridging, or both if 
you want a traditional DMZ).

The other thing is - even if you get a routed subnet out of Comcast, do 
you really want to be the guinea pig in your operating territory?  Relying 
on something where you're the only customer affected if something goes 
wrong is a good way to garner a lot of needless downtime.  If you're using 
the "regular" service, and something goes wrong, you'll be back in 
business as soon as everyone else is - which is usually fairly quickly, 
because HFC network outages tend to be all-or-nothing events. 
Standardization would be, IMHO, worth the extra complexity and/or effort. 
This is the way I set up any firewall on a cable modem nowadays; even DSL 
providers are starting to adopt this model for "small business" customers 
(i.e. /28 or smaller) in some cases.

Or, in short: yes, just go with what Comcast wants you to do.  You can 
create a separate DMZ if you want to keep the servers off your LAN, if 
necessary.  It's not usually necessary unless you're running a public 
website.  (Which, BTW, might violate your Comcast Terms of Service - check 
to be sure.  No sense getting shut down by your ISP for something 
avoidable.)

-Adam Thompson
 athom...@athompso.net
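As an added illustration, not from the thread and not pfSense's own generated configuration, here is what the setup Comcast described looks like in plain FreeBSD pf syntax, which is what pfSense drives underneath: the /29 sits on the WAN interface as additional addresses, the servers live on a VLAN in 10.0.0.0/24, and one binat rule per server provides the 1:1 mapping to a public address. The interface names, the TEST-NET block 203.0.113.8/29 and the port lists are constructed assumptions. The filter rules are the part to pay attention to: 1:1 NAT translates every port, so the WAN pass rules, not the NAT, decide what is actually reachable, and the DMZ-to-LAN block is what makes the DMZ a DMZ.

```pf
# Hypothetical interface names; pfSense names these after the NIC/VLAN.
wan = "em0"        # WAN, carries the Comcast /29 as virtual IPs
lan = "em1"        # trusted LAN
dmz = "vlan10"     # VLAN holding the servers, 10.0.0.0/24
lan_net = "192.168.1.0/24"
dmz_net = "10.0.0.0/24"

# Constructed public block 203.0.113.8/29: .9 is the ISP gateway,
# .10-.14 are usable. Each usable address is added to WAN as an alias
# (pfSense: Firewall > Virtual IPs) so the box answers ARP for it.
web_pub  = "203.0.113.10"
web_int  = "10.0.0.10"
mail_pub = "203.0.113.11"
mail_int = "10.0.0.11"

# 1:1 NAT. binat is bidirectional: inbound traffic to the public address
# is rewritten to the server, and the server's outbound traffic leaves
# from "its" public address. Every port is translated; nothing is
# filtered here. binat is matched before the nat rule below.
binat on $wan from $web_int  to any -> $web_pub
binat on $wan from $mail_int to any -> $mail_pub

# Ordinary many-to-one NAT for the LAN and any other DMZ host.
nat on $wan from { $lan_net, $dmz_net } to any -> ($wan)

# Default deny on every interface (pf is last-match, so later pass
# rules override this for the traffic they name).
block log all

# Inbound from the Internet: translation happens before filtering, so
# rules match the internal address. Only the listed ports are exposed,
# regardless of the 1:1 mapping.
pass in on $wan proto tcp to $web_int  port { 80, 443 } flags S/SA keep state
pass in on $wan proto tcp to $mail_int port { 25, 587 } flags S/SA keep state

# DMZ hosts may reach the Internet but never the LAN. "quick" stops
# evaluation so the following pass rule cannot override the block.
block in quick on $dmz from $dmz_net to $lan_net
pass  in on $dmz from $dmz_net to any keep state

# LAN may reach anywhere, including the servers by their 10.0.0.x address.
pass in on $lan from $lan_net to any keep state

# Replies and forwarded traffic leave the box.
pass out all keep state
```

In the pfSense GUI the same result is reached with the /29 addresses as Virtual IPs, entries under Firewall > NAT > 1:1, and per-port rules on the WAN tab; the point is the same either way, that the 1:1 entry exposes nothing by itself and the WAN rules are the actual exposure list.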



_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list