Xfinity gateway somehow running out of DHCP addresses?

brandonkick

Well-Known Member
So... small business. They have a Comcast business gateway, standard 4 ethernet port with 2.4GHz and 5GHz wifi radios. They have a total of three switches.

Comcast Gateway feeds one 48 port switch, which in turn feeds most desktop computers directly, but does have a lead that goes to an 8 port switch for one "office" and another 4 port switch in another office.


Total of 15 desktop computers, 7 printers and maybe as many as 15 more cell phones that would be joined to the network. Yet it appears the network is running out of network addresses. Randomly computers won't be able to get online, and I find they are given an IP address WAYY out of range. Standard default gateway is 10.1.10.1 and DHCP pool ranges from 10.1.10.100 to 10.1.10.240 with a subnet mask of 255.255.255.0.

Should be plenty of addresses, but eventually machines will start acting up. I do an ipconfig /all and the IP they are pulling is like 169.192.245.27... nowhere even close. I noticed too that the subnet mask goes to 255.255.0.0.

If I manually fix the machine's IP address to a valid, in range address.. it works. I started the pool at 100 so I would have plenty of addresses to hardware things. I have the two Synology units on .15 .16 .17 and .18 for example.... CAD plotter on .63 / laser printer on .64 and a desktop hosting QuickBooks set to .55 with


First thing, is that I wasted a TON of time with Comcast tech support. They told me I have "too many devices connected" for the 150MB speed package, and actually suggested removing printers from the network to ease "congestion". Also tried to sell me a higher speed package. I reiterated to her many times, the internet wasn't "slow" and most users' bandwidth needs were so minimal that 3G cellular would do. Obviously didn't know what DHCP meant, or my IP address issues... more concerning was they told me there is no "higher level tech support" available, and that she was the only one who could help me (let's reboot the modem, let's check the logs, hmm... let me send a new signal) beyond that they have a tech coming tomorrow, who will likely not know anything beyond what this girl did in terms of networking. I refuse to believe they have no "L2" support (I think that is what it used to be called)....

I want to know how to tell if the pool is used up, and why. I do believe this is what is happening, but have no idea why. There aren't nearly enough devices for it to make sense. I was thinking of expanding the DHCP pool even more... but the pool should be plenty wide as it is.

Other tidbits that may help: all switches are unmanaged. There are two other devices, a UniFi AP and a Linksys access point, on the network. Neither doing DHCP... but all affected machines are wired anyways.
 
I’m not familiar with the Comcast gateway. Almost always you should look at replacing an all in one device with something you can manage.

Only talking DHCP:
First, you should be able to assign reservations for all the stable devices in the network. The 15 PCs, 7 printers, and 15 cell phones would always get their IP. Only guest devices would run out.
Second, you should be able to set your lease time so devices that have left the network aren’t holding IPs long enough for you to run out.
Third, if you can see the active leases in your gateway, get anything on the network so you have visibility. If they are low enough budget to not have a real firewall even going to a FingBox to give some insight may help. Not that I usually recommend FingBox for more than home users, you have to be able to tell what is going on. You can’t manage something you can’t measure.

Ray
 
We always put our own routers in place at our clients.....as the ISP provided CPE usually sucks. Have your standard couple of routers that you sell/support...that are good and configurable, and remotely/centrally managed by you. So we reconfigure the ISP provided CPE to either run in bridged mode, or..as in the case with the Comcast gateways, there's a special firewall setting to enable..."Disable Firewall for True Static IP Subnet Only" (as well as disable gateway smart packet detection..right under the above).

Comcast is the most common ISP we have at our clients, we've been working with hundreds of these gateways for years...they've pretty much been the same for over 15 years (the GUI inside). Same default username/password to log in... cusadmin and highspeed.

So now you reconfigure your router's WAN port with one of the static IPs from Comcast....and the gateway is the public IP that the Comcast gateway has. So for example, you get a static IP of 23.24.25.26...you'll generally find the gateway itself pulls the service IP of 23.24.25.27..so you set that for the gateway of your router's WAN port.

So now the Comcast gateway is fully passing the static IP(s) to your router's WAN port(s). You can leave DHCP enabled for the Comcast private network inside the gateway, the 10.1.10.0/24 network. We actually use that for a few things sometimes like guest networks, or the management port for their VoIP provider. This way you sorta have a nice little separate network if you need.

These newer models come with built in wireless now...and I always disable that..both radios..inside the web UI. And I disable the xfinity SSID broadcast (has to be done from the account login at Comcast's website...not on the gateway).

So..the 169.254.xxx.xxx IP address you see is called an "APIPA address"...it's a self assigned IP address that Windows assigns itself if it cannot contact (or get an answer from) a DHCP service on the network during its ARP. Windows can actually autoconfigure itself an APIPA address...first running some pings within that range to see if others are in that range on the network...so it will not have an IP conflict with another APIPA addressed computer..and they can actually communicate. Yup...you can take a dozen or so Windows computers..plug them into a switch..without a DHCP service, and they can create their own "workgroup" and talk to each other with APIPA addresses. But..when we see an APIPA address, we know something is wrong with the network as we always deal with managed networks ..that will include a DHCP service..either from a server or a router in most cases.

As to the cause of your issue...some quick thoughts...as having roughly 25-30 devices on a network with a range of 140 addresses should not run out.

*DHCP leases are too long...if you have many guest devices coming and going

*Some problem with the switches...perhaps a "loop" is happening, or one of the switches doesn't mix well with the others..perhaps STP, or a VLAN quirk. When dealing with mix matched unmanaged or even managed switches...there's always a possibility of some quirk happening, can be time consuming to find.

*Ensure no other routers or devices have been plugged into the network by end users. Sometimes some end users will "think" they know how to network..and want wireless at one end of the building, and take some home grade router like a Stinksys or Nutgear or DStink..and plug it into the network...backwards. (LAN side in). Now you have another DHCP service running on the network, and with some devices..they will shut down the DHCP service if they detect another rogue DHCP service on the network. Or..possibly flip on some DHCP guarding that is not properly configured.

If you're stuck having to use the Comcast gateway as the only router/firewall (client won't let you put in your own)...first...reevaluate your sales pitch and supported services. Now with that aside...things you might look at...

*Expand the DHCP pool of available addresses. I usually do from .100 up to .253....that's typically more than enough for the size of networks we manage (class C). And...I have my static devices down in the singles and teens and twenties...like servers in the teens, managed devices like switches in the single digits, printers in the twenties, etc. (although I typically manage many devices like switches and printers via DHCP reservations from a server..easier to manage/document). Or from the firewall we put in..since they typically have a more robust DHCP service.

*Shorten the lease times. These days with mobile devices and such...and especially if you have guest networks...we find DHCP services run low on available IPs due to so much rotation of devices. Don't need a week long reservation. Scale it down to 1x day..(1440 minutes)..or even 8 hours (480 minutes).

We run guest wifi networks on a different VLAN, so...a different range of IP addresses ...thus a whole separate DHCP service. It's a good "best practice" anyways...on a business network..to keep guest wifi (byods) separate from the production network...less chance of unwanted malware hopping across.
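An added example (not code from any poster in this thread): a small Python script that reports how much of the 10.1.10.100-.240 pool is actually held at a given moment, flags APIPA (169.254/16) addresses of the kind described above, and estimates how many leases churning guest devices will hold for a given lease time. The lease record format is a constructed CSV (the Comcast gateway UI has no documented export), so adapt the parser to whatever your DHCP server produces.

```python
"""Check DHCP pool headroom and lease-time impact (added example).

Lease records are assumed to be lines of 'mac,ip,lease_start_epoch,lease_seconds'.
This is a constructed format for the demo, not the gateway's own output.
"""
import ipaddress

POOL_START = ipaddress.ip_address("10.1.10.100")  # pool boundaries from the thread
POOL_END = ipaddress.ip_address("10.1.10.240")
APIPA = ipaddress.ip_network("169.254.0.0/16")     # Windows self-assigned range

# Constructed sample: one expired lease, one static device outside the pool
SAMPLE_LEASES = """\
aa:bb:cc:00:00:01,10.1.10.105,990000,86400
aa:bb:cc:00:00:02,10.1.10.106,900000,86400
aa:bb:cc:00:00:03,10.1.10.55,990000,86400
aa:bb:cc:00:00:04,10.1.10.200,950000,604800
"""


def pool_size(start=POOL_START, end=POOL_END):
    return int(end) - int(start) + 1


def parse_leases(text):
    """Return (mac, ip, start_epoch, lease_seconds) tuples from the CSV text."""
    leases = []
    for line in text.strip().splitlines():
        mac, ip, start, secs = line.split(",")
        leases.append((mac, ipaddress.ip_address(ip), int(start), int(secs)))
    return leases


def active_leases(leases, now):
    """Leases whose expiry is still in the future at epoch time `now`."""
    return [lease for lease in leases if lease[2] + lease[3] > now]


def pool_report(leases, now, start=POOL_START, end=POOL_END):
    """Count only active leases that fall inside the dynamic pool."""
    held = [l for l in active_leases(leases, now) if start <= l[1] <= end]
    size = pool_size(start, end)
    return {"pool_size": size, "active": len(held), "free": size - len(held)}


def is_apipa(ip):
    """True for a self-assigned address, i.e. the client never got a DHCP answer."""
    return ipaddress.ip_address(ip) in APIPA


def expected_concurrent(transient_per_day, lease_hours):
    """Steady-state leases held by churning devices: arrival rate x lease length."""
    return transient_per_day * lease_hours / 24
```

With 20 transient devices a day, `expected_concurrent(20, 168)` gives 140 leases held under a week-long lease, which alone fills the 141-address pool, while a 1-day lease holds only 20.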
 
Very good information!

Comcast did send a tech out this morning who did replace the gateway.

I widened the pool to .80 to .240 and adjusted the lease time down to 1 day.


I'd love to do a few things at this client... to be honest.. including complete rewiring of the building, one managed switch feeding all the drops, Ubiquiti wifi solution, UTM device.... the reality is however they won't spring for any of it. Business is crazy slow for them recently.... slowest by far it's been in the last 10 years and they are a real "but this has always worked fine this way" shop.

Next steps are to remove the Linksys home grade access point, replace it with the UniFi AP that is down on the lower floor.. and ensure DHCP is turned off on that (although I don't think that would cause a problem).
 
If they are "access points"..they are just bridges, thus there is no DHCP.
It's the "wireless routers" that you run into some end users putting into place..that can break the network....wireless routers are combo devices that include a gateway that (typically) runs a DHCP service.
 