We have just signed up for Comcast Business with 5 static IPs and have an internal private network. We are a small business and I am hoping that we can purchase a router/firewall that will simply allow me to specify some external IP/port "pairs" and have them routed to internal IP/port "pairs".

Our old T1 modem (netopia) would do this quite easily and I didn't think it would be an issue. Now I'm looking at Firewalls etc. online and I can't seem to find something that will easily do this. Can someone recommend a simple (hopefully not too expensive) solution?

  • What cable modem did Comcast give you? It should already be capable of handling this situation. – Michael Hampton Oct 19 '12 at 15:52
  • It is a SMCD3G. I did as much googling as I could and talked to tech support 4 times! The modem simply cannot do it. I was surprised. What it can do is something called 1 to 1 NAT. So it will route all traffic from one external address to one internal. This is close to what I need but sucks for 2 reasons: 1) I have to use the static IP for a single machine where I should be able to port say FTP traffic to one internal machine and HTTP to another (saving 1 static address); and 2) I lose all the protection because every port is then visible externally, including a SQL Server etc. – user141856 Oct 19 '12 at 20:26
  • Argh. I had the older version of that thing. It was a total piece of crap as a router, and from browsing the manual for the new version, it seems little has changed. And worst of all, it still doesn't seem to support IPv6, which you should be getting within the next year or so (if not already). – Michael Hampton Oct 19 '12 at 20:32
  • Are you talking about having multiple devices on your internal network that each need their own public IP? – DanBig Oct 22 '12 at 19:19
  • Each device needn't have its own IP. I really just use a few things: an FTP on one machine, HTTP on two others and VPN on a fourth. – user141856 Oct 24 '12 at 21:16

4 Answers


I solved a similar situation a while back with a small Linux server configured as a bridging firewall behind the Comcast router - two NICs, one connected directly to the router, the other to my internal network. That way I was able to filter traffic after the Comcast router had done the NAT, without having to do another NAT step.

Here's a good doc on setting up a bridging firewall under Debian, but any major distro should have the modules and tools you need: http://www.annahegedus.com/tutorials/60-bridge-firewall

  • Thanks for this response. It is probably what I *should* do. What I want to do is: (1) spend $300 on some kind of closed box; (2) plug it in; (3) spend 20 minutes to configure it. – user141856 Oct 24 '12 at 20:50
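As an added example (not from the answer above or the linked tutorial), here is a rule script for the two-NIC bridge that answer describes: it assumes br0 = eth0 (router side) + eth1 (LAN side), that the modem's 1-to-1 NAT has already translated inbound traffic to internal addresses, constructed sample hosts in 192.168.1.0/24, and OpenVPN on UDP 1194 for the VPN machine. Only the four services the asker listed are reachable from outside; everything else (the SQL Server port included) is dropped.

```shell
#!/bin/sh
# Stateful filter for a Linux bridge (br0 = eth0 + eth1) sitting between the
# Comcast router and the LAN. Added example; hosts/ports below are constructed.
# Requires the br_netfilter module so bridged IPv4 frames traverse iptables.
WAN_PORT=eth0      # bridge port facing the Comcast router
LAN_PORT=eth1      # bridge port facing the internal network

# "proto dport internal-ip": the only inbound services allowed through.
# 1194/udp = OpenVPN (assumption for the "vpn on a fourth" machine).
SERVICES='
tcp 21   192.168.1.10
tcp 80   192.168.1.20
tcp 80   192.168.1.21
udp 1194 192.168.1.30
'

# Emit the rules as iptables commands so they can be reviewed before applying.
fw_rules() {
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    echo "modprobe nf_conntrack_ftp"        # lets FTP data connections match RELATED
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"         # default deny in both directions
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # anything the LAN originates may leave; replies return via the rule above
    echo "iptables -A FORWARD -m physdev --physdev-in $LAN_PORT --physdev-out $WAN_PORT -j ACCEPT"
    # one NEW-connection rule per published service, nothing else from outside
    echo "$SERVICES" | while read -r proto port host; do
        [ -n "$proto" ] || continue         # skip blank lines
        echo "iptables -A FORWARD -m physdev --physdev-in $WAN_PORT --physdev-out $LAN_PORT -p $proto -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # log (rate limited) what the outside tried that the policy will drop
    echo "iptables -A FORWARD -m physdev --physdev-in $WAN_PORT -m limit --limit 5/min -j LOG --log-prefix \"bridge-fw drop: \""
}

# Number of service allow rules generated; handy as a sanity check.
fw_service_rule_count() { fw_rules | grep -c -- '--ctstate NEW'; }

case "${1:-}" in
    apply) fw_rules | sh ;;                 # needs root and the bridge already up
    *)     fw_rules ;;                      # dry run: print the rules
esac
```

Run without arguments to review the generated rules; `./bridge-fw.sh apply` installs them.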

You want a firewall that will do 1-to-1 NAT. I use Watchguard XTM 2 and 3 devices for this. You are not exposing all ports, as it is a two part process. The first part is setting up the SNAT, the public to the private. You then have to create a firewall rule that specifies what traffic can traverse that SNAT rule. This scenario is useful for multiple servers that all need to serve 80/443 for instance.

If you have one server that needs to serve 80/443 and another that needs to serve FTP, you can set up NAT rules with just one public IP to serve both internal servers, since the ports are different.

  • The cable modem itself does 1-to-1 NAT. I get the impression that he doesn't _want_ to use 1-to-1 NAT, and I can't say I blame him. – Michael Hampton Oct 22 '12 at 19:27
  • 1to1 is fine when used correctly. – DanBig Oct 22 '12 at 19:27
  • I also feel like I'm still a bit unclear on what he is actually asking about. – DanBig Oct 22 '12 at 19:28
  • 1 to 1 on the SMC box that I have is not what I want. Even without the issue of saving static IP addresses, it is just not acceptable to have every port visible to the outside world. Note that the SMC firewall settings do not work in conjunction with 1 to 1 NAT. – user141856 Oct 24 '12 at 20:44
  • Sounds like you need a more flexible appliance that will do 1to1 in conjunction with a firewall policy, that's why I suggested the Watchguard devices. – DanBig Oct 24 '12 at 20:45

Depending on your requirements you can do what you want with anything from a low end home office product to a high end enterprise product. There are literally thousands of products out there that will meet your needs and all of them have their own fan bases. Your best bet is to figure out your budget for the product and then see what you can afford. I'm a fan of the Watchguard product line personally, specifically for you I'd likely recommend an XTM3 product, but that might be outside your budget.


I had the same problem, but it turns out there IS a solution. This article was the missing link for me. It turns out to be very simple, and the modem is fully equipped to do it.

The crux is that Comcast assigns the static IP on the LAN side (i.e. the internal network), not the WAN side. So ask Comcast what your block of static IPs is, then configure the machine you want on this IP with the IP and the subnet mask from the router, and use the router's IP as the gateway setting for the machine.

Then all you have to do is configure firewall rules under Firewall -> Port Configuration -> True Static IP Port Mgmt, if you want the firewall. Or, if you don't want it, check the box "disable firewall for True Static IP Subnet Only" on the first firewall page.

See the article for more details and screenshots.