Comcast SMC 8014 Modem/Router Port Forwarding Solution
This TZO FAQ covers the SMC 8014 issued by Comcast. It may also apply to 'other' hybrid modem/routers where the Internet Service Provider indicates the modem/router device CAN NOT be put into 'bridge mode'.
For documentation purposes, this FAQ focuses on "double NAT port forwarding" needed by some modems which cannot run in bridge mode. This FAQ therefore assumes some level of experience with previous DVR setup and network port Port Forwarding. First time installers who are trying to solve this problem will benefit from a review of our other DVR setup guides to gain additional setup detail or insight.
Background - Reasons for Bridge Mode
Common reasons for putting an ISP supplied modem/router into bridge mode are:
- The ISP supplied router lacks a DDNS Update Client for TZO, and there is no PC onsite (or at least none which remains powered on). You will use a store-bought router (such as Linksys) to update your TZO account.
- Any other reason (such as a wireless requirement) for inserting your own router behind the ISP controlled router/modem. By putting your ISP-provided router/modem into bridge mode, you simplify your network configuration for port forwarding. Since bridge mode is NOT an option on the Comcast-provided SMC 8014, we have documented an alternate solution.>/li>
NOTE: Many older routers (some of which may still be sold) included TZO Updater Clients (DDNS) which could function only if the router held the true WAN IP. Specifically, these routers assume an environment where the modem is in bridge mode, and so they 'monitor' the Internet IP address by monitoring their hardware device IP. These older router DDNS clients would fail to update DNS accounts because they would basically only "see" an unchanging NAT (LAN IP) address. Newer TZO Updater clients (such as found on the Linksys WRT54G) will do an IP address "check IP" off the TZO network every 10 minutes and so do not require control of the Internet connection (do not require bridge mode).
How Bridge Mode Works
Routers (or modem/router hybrid devices) control 2 IP addresses: the "outside" or WAN IP, and an inside Local Area Network (or LAN IP).
When not in bridge mode (which is the default), these devices will hold the Internet IP address on the WAN port and assign the LAN port a private "NAT" address (such as 10.1.10.1).
When in bridge mode, hybrid modem/router devices will "pass through" the true Internet address to the LAN port. The Comcast SMC 8014 does not support bridge mode.
The Solution - forwarding twice
This FAQ assumes some prior administrators/installer experience with port forwarding (and basic troubleshooting); other groups may successfully follow the FAQ or require assistance from Support.
The type of solution is a "port forward" through a "double NAT".
You will need to make the inside (the store bought) router operate on a STATIC LAN IP, then restart everything and test that the Internet connection still works. See table below for example.
When testing the change made to the internal (store bought) router, the most accurate test would be to visit a website you have not yet opened today (to avoid browser cache effects). At no point in this reconfiguration will you suffer more than a momentary loss in Internet, so keep test after each change and keep notes of your progress.
Below is a an example network installation, using a DVR. Other devices or PCs would function similarly.
---[10.1.10.x net]--[192.168.0.x net]
- Fix the DVR onto a static LAN address
For this step, you should have already reviewed one of the TZO Tutorials for DVRs. This guide assumes you have done so, and already set your DVR on a STATIC LAN IP, and you can (locally) view the DVR using the local address.
For purposes of documentation, we will use the example network 192.168.0.x and a local STATIC DVR IP address of 192.168.0.200.
Again, the other DVR guides are assumed reading. Do not continue if your DVR is still in the factory default "DHCP" setup as you may encounter problems after you complete the installation.
- Discover the ROUTER's inside LAN IP address
Login to the router using the router's LAN IP. The LAN-side address of your router will be the same as your laptop's 'Gateway Address'. For documentation purposes we will use http://192.168.0.1/ (but it could also be http://192.168.1.1/).
Once you are logged in, go to the router's STATUS page and look for a setting with the the title WAN, Internet, or Connection IP Address. This value might contain a value such as 10.1.10.67. This is the DHCP (non-static) IP that the router obtained from the MODEM. Next to this will be the Connection Gateway Address, and the DNS servers. Write down ALL of these fields and their values before you continue.
- Change the ROUTER to use a STATIC LAN IP
This change is insurance against a common installation problem which occurs well after installation was completed. If the internal ROUTER gets it's network address using DHCP, then the potential exists the router may change addresses on you. If you are long-distance from the network, that would be a major inconvenience to fix.
Basically you want to assign a STATIC internal address to the router, but that address must make sense for your network. Because the modem has already been given an address 10.1.10.67, we can assume that the upstream device (MODEM) is offering DHCP in the range of 10.1.10.50 through 10.1.10.100. We do not actually know this without consulting the MODEM's network configuration screen but this is a generally safe assumption based on the current DHCP address. So we want to assign the ROUTER an IP that is OUTSIDE the DHCP range. 10.1.10.200 is logical here.
In the ROUTER's Setup area, locate where the Connection settings are. If unsure, check with your router documentation or your router's Support. You are looking for the current setting of DHCP as pertaining to the router's upstream connection (NOT the LAN side of things). Change the ROUTER to use a STATIC Connection IP of 10.1.10.200. For Gateway, enter the same Gateway you noted before (from the beginning of Step 1). For DNS, you should not need to change anything (the router should discover the DNS servers automatically..)
Now restart BOTH the modem and the router. Wait a moment, and verify you can still reach the outside Internet. If you can not, retrace your steps in the router. Most likely causes for failure are typos, or perhaps the ROUTER needs to be given the DNS servers (it's best not to do this unless required, so you were not instructed to enter them before. In some cases it is unavoidable however.). OK, great... the ROUTER is on a static LAN IP. You're almost done...
- Login to the Modem/router device:
Using the Gateway IP noted in the ROUTER, put this address in your browser's Address location bar: http://10.1.10.1/. If your modem/router prompts for a password, quickly check with your ISP support (or guess, sometimes it is admin/password by default).
- In the modem/router, look for the Port Forwarding section.
For our documentation purposes, the example "device" or "network server" we will use is a Dedicated Micros camera DVR which requires port 8234. (If you have a different device or server, simply note and use what port your server requires instead).
In the modem/router's Port Forwarding screen, create a forwarding rule that forwards port 8234, selecting both TCP and UDP. Now you must enter the address you forward that port TO -- that would be 10.1.10.200. (The reason you can not forward to the DVR IP "directly" from the MODEM is because the DVR is hidden behind a second router, on a different subnet. You must relay the connection from one network to the other.)
- Port forward configuration on the internal ROUTER:
Use your browser to open the router's management, http://192.168.0.1/ (or the IP your router uses), then and go to Port Forwarding (sometimes this is under Applications and Gaming). Ignore any settings about "UPnP forwarding" (similar title, wrong page).
- Now you will forward "8234" (or other required port), directing it "to" the DVR's LAN IP. In a previous step we know the DVR's LAN IP was 192.168.0.200. You are done setup, now you can ask someone remote to do a viewing test! For testing purposes, have your remote assistant connect to your DVR using your TZO Name -and- your known WAN IP address (look it up on the MODEM's STATUS page, or test your WAN IP by visiting http://test.tzo.com/)