There is a ton of misinformation on the internet about how to properly do this:
The bottom line is, there is no way to put this particular modem into conventional passthrough (bridge) mode where it will provide a routable public IP on the LAN ports. I have talked to customer service reps and scoured the internet, and it just doesn’t seem possible. This is an unfortunate oversight but THERE IS A SOLID WORKAROUND, and it doesn’t involve the IP-layer gymnastics that many suggest. This configuration assumes you want to use another device as your router, since there is not really a point to bridge mode unless that is your setup. Using this method you will be able to open ports on your router normally, which is the biggest problem with not having bridge mode on your modem.
The solution is quite simple but unintuitive. Use DMZ settings:
Use the modem’s DMZ setting. The “DMZ host” is a LAN address to which the modem forwards every inbound packet it has no other rule for: anything that is not a reply to an existing outbound connection and does not match an explicit port forward. Since we want to get around the network address translation happening on the modem, this is exactly what we want. The double NAT will still be happening, but it won’t matter once every unsolicited packet is handed straight to the router/firewall behind the modem.
How do I set up a DMZ on the modem?
To do this, disable DHCP on the modem and set up a DMZ pointing at the router you want acting as your firewall. The root of the problem is not that your local firewall doesn’t receive a publicly routable IP from Comcast; the issue is that you are behind double NAT.
When you do this, the Comcast gateway will redirect all unsolicited inbound packets to your router, which removes the practical effect of the double NAT. Yes, you still have devices on two subnets, but it doesn’t matter, because every packet the modem has no session or forwarding rule for will be forwarded to your firewall/router instead of discarded.
This means you can open ports normally on your router without touching the modem. You will need to configure DNS manually since you aren’t using any addresses assigned by the modem, but that is a small price to pay. It is also very important to use a static IP address on the link between the modem and your router/firewall, because the DMZ can only point at a single IP address. If your router’s WAN address changes when a DHCP lease expires, everything will stop working.
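To make the forwarding order concrete, here is a small Python model of the decision each NAT box makes for an inbound packet. It is an added illustration, not code from the original post or from any Comcast firmware: the rule order it encodes (reply to an existing session, then explicit port forward, then DMZ host, then drop) is the behaviour the post relies on, and the addresses, class names and sample packets are constructed assumptions. Chaining two boxes shows why the DMZ fixes double NAT, why it must point at a fixed address, and that the inner router still drops ports you haven’t forwarded.

```python
"""Model of the decision a consumer gateway makes for each inbound packet.

Added illustration of the DMZ behaviour described above, not code from the
original post or from any Comcast firmware. Addresses, names and the sample
packets are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str          # remote (Internet) address
    sport: int
    dst: str          # address the packet was sent to
    dport: int
    proto: str = "tcp"


@dataclass
class Gateway:
    """One NAT box: the Comcast modem and your own router are both instances."""
    wan_ip: str
    lan_ip: str
    dmz_host: Optional[str] = None
    # explicit port forwards: (proto, wan_port) -> (lan_host, lan_port)
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # NAT table of outbound flows: (proto, remote_ip, remote_port, wan_port) -> (lan_host, lan_port)
    sessions: Dict[Tuple[str, str, int, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, lan_host: str, lan_port: int, remote_ip: str,
                 remote_port: int, proto: str = "tcp") -> int:
        """Record an outbound flow so that its replies count as solicited."""
        wan_port = lan_port  # a real box may pick another port; keep the model simple
        self.sessions[(proto, remote_ip, remote_port, wan_port)] = (lan_host, lan_port)
        return wan_port

    def inbound(self, pkt: Packet) -> Tuple:
        """Returns ("forward", host, port, why) or ("drop", why)."""
        if pkt.dst != self.wan_ip:
            return ("drop", "not addressed to this WAN address")
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        if key in self.sessions:
            host, port = self.sessions[key]
            return ("forward", host, port, "reply to an existing session")
        fwd = self.port_forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:
            return ("forward", fwd[0], fwd[1], "explicit port forward")
        if self.dmz_host is not None:
            return ("forward", self.dmz_host, pkt.dport, "unsolicited, handed to the DMZ host")
        return ("drop", "unsolicited and no DMZ host configured")


def trace(modem: Gateway, router: Gateway, pkt: Packet) -> List[Tuple]:
    """Follow an Internet packet through the modem's NAT, then the router's NAT.

    Each element is (box, decision...); the last element is where the packet ended up.
    """
    hops: List[Tuple] = []
    decision = modem.inbound(pkt)
    hops.append(("modem",) + decision)
    if decision[0] != "forward":
        return hops
    host, port = decision[1], decision[2]
    if host != router.wan_ip:
        # The DMZ points at one fixed address; if the router's WAN lease changed, nothing answers there.
        hops.append(("modem-lan", "drop", f"no host at {host}; router is at {router.wan_ip}"))
        return hops
    inner = Packet(pkt.src, pkt.sport, router.wan_ip, port, pkt.proto)
    hops.append(("router",) + router.inbound(inner))
    return hops


def build_lab(dmz: bool = True, router_wan: str = "10.1.10.2") -> Tuple[Gateway, Gateway]:
    """Constructed lab using the post's addressing: modem 10.1.10.1, router 10.1.10.2."""
    modem = Gateway(wan_ip="203.0.113.10", lan_ip="10.1.10.1",
                    dmz_host="10.1.10.2" if dmz else None)
    router = Gateway(wan_ip=router_wan, lan_ip="192.168.1.1",
                     port_forwards={("tcp", 8080): ("192.168.1.50", 8080)})
    return modem, router


if __name__ == "__main__":
    probe = Packet("198.51.100.7", 40000, "203.0.113.10", 8080)  # constructed external probe
    for label, lab in (("with DMZ", build_lab()),
                       ("no DMZ", build_lab(dmz=False)),
                       ("router lease changed", build_lab(router_wan="10.1.10.7"))):
        print(label, trace(*lab, probe))
```

The three runs in the `__main__` block correspond to the three situations in the text: with the DMZ set, an unsolicited probe to public port 8080 ends at 192.168.1.50 via the router’s own forward; without it the modem drops the probe; and if the router’s WAN lease drifts to 10.1.10.7 the modem still hands the packet to 10.1.10.2, where nothing answers.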
More Detailed steps:
I don’t have one of these modems handy, so sorry no screenshots, but here is a rough guide on how to do this.
- Log into the modem. The default IP address is usually 10.1.10.1 with Comcast; the default login is cusadmin with password highspeed. Change that password once you are in, since anyone on the LAN can reach the admin page. If you have a router or wireless access point between the modem and your machine you may need to connect directly to the modem.
- Usually on the LAN configuration screen you will see settings for DHCP and the modem’s static IP address. You want DHCP OFF for this to work reliably, so the modem never hands out an address that collides with the router’s. Also make sure the modem keeps a static IP address; 10.1.10.1 is a good choice since that’s usually the default anyway. Beware that once DHCP is off you may have to set an IP address manually on the machine you’re connecting with. This is pretty easy and covered well elsewhere, so look it up before you do this and possibly lose internet access.
- You will also see configuration somewhere on most modems for firewall/DDoS protection and similar. To pass everything through to another router it’s usually best to turn these off on the modem. The DMZ host receives every unsolicited packet anyway, so your router is now the perimeter firewall: make sure its own firewall is on and denies inbound traffic by default before you do this.
- Set up the router. Before setting the DMZ on the modem, log into the device you want to use as a router and set a static WAN IP address on the same subnet you used for the modem’s LAN settings. If you used 10.1.10.1 on the modem, 10.1.10.2 should work fine here, with 10.1.10.1 as the gateway. You will need to set the DNS server on the WAN manually as well; look up your ISP’s DNS address or use Google’s, 8.8.8.8. Make sure DHCP IS ON on this router for its own LAN.
- Turn on the DMZ. Log back into the modem and go back to the network settings. You should see a setting for DMZ on most modems. Set it to the IP address you just picked for your router.
- Done. You should be rid of the annoyance of double NAT now. This means you can either turn on UPnP on your router, or open ports on it manually, and have direct internet access. UPnP lets any device on your LAN open ports without asking, so forwarding only the ports you need is the safer choice.
Want to test the setup without setting up a real server? The easiest way I’ve found is as follows (still a bit lengthy). Download HFS (HTTP File Server) and run it on your machine; it will tell you what port it’s listening on. Go into your router and forward that port to your machine as you normally would when opening a port. Then go to www.grc.com and use the ShieldsUP tool: run a custom port probe for the port your server is running on and you forwarded, and it should come back with status OPEN. If it comes back Stealth, the probe never reached a listener (the DMZ isn’t pointing at the router, or the router isn’t forwarding); Closed means something answered but nothing was listening on the forwarded target. Stop HFS and remove the forward when you’re done testing.
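If you would rather run the probe yourself from a host outside your network (a VPS, a phone on mobile data), here is a Python port probe that classifies a port the way ShieldsUP does. It is an added example and not part of the original post; the local listener is a stand-in for HFS so the probe can be exercised on one machine, and the hosts, ports and timeouts are assumptions. Probing your public address from inside your own LAN tells you nothing, because the modem may not hairpin the connection.

```python
"""TCP port probe: the ShieldsUP check from the post, as a script.

Added example, not part of the original post. Run it from a host OUTSIDE your
network against your public address. The local listener stands in for HFS so
the probe can be exercised on one machine; hosts, ports and timeouts are
assumptions.
"""
import socket
import threading
from contextlib import closing
from typing import Callable, Dict, Iterable, Tuple


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP port.

    open     - connect completed: modem DMZ and router forward both work
    closed   - RST came back: something reachable answered, but nothing is
               listening (wrong forward target, or the server is not running)
    filtered - no answer at all: dropped by the modem/router firewall, or the
               DMZ is not pointing at the router
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def probe_many(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    """Probe several ports; returns {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}


def unused_port(bind: str = "127.0.0.1") -> int:
    """Ask the OS for a free TCP port and release it (used to demonstrate 'closed')."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((bind, 0))
        return s.getsockname()[1]


def start_listener(bind: str = "127.0.0.1", port: int = 0) -> Tuple[int, Callable[[], None]]:
    """Accept-and-close TCP listener standing in for HFS. Returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    srv.settimeout(0.2)  # so the loop can notice the stop flag
    stop = threading.Event()

    def loop() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop.set


if __name__ == "__main__":
    import sys
    # From an outside host: python probe.py <public-ip> <port> [<port> ...]
    if len(sys.argv) >= 3:
        for p, state in probe_many(sys.argv[1], map(int, sys.argv[2:])).items():
            print(f"{sys.argv[1]}:{p} {state}")
    else:
        port, stop = start_listener()
        print("local listener on", port, "->", probe("127.0.0.1", port))
        print("unused local port ->", probe("127.0.0.1", unused_port()))
        stop()
```

Run with your public IP and the forwarded port as arguments from the outside host; `open` corresponds to ShieldsUP’s OPEN, `filtered` to Stealth, and `closed` to Closed, so the same diagnosis as above applies.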