Comcast Business Class and GRE Tunnels

Hello, I'm hoping that someone here might have run into a similar issue and might be able to offer me some pointers.

I have a customer that I am providing redundant paths to, one link over a microwave connection, and a backup link over a Comcast Business Class connection. Everything on the microwave link is working fine. On the Comcast connection, I have a static IP from Comcast, and I want to set up a vendor-specific GRE tunnel (Mikrotik EoIP) from my NOC to the Comcast static IP address. It looks like the SPI firewall inside the SMC gateway required by Comcast is blocking the GRE packets; I'm basing this on the fact that when I power cycle the modem, I get 1 ICMP packet through the GRE tunnel while the modem is booting up, then it stops again. I have gotten to Tier 2 support, who swear that all firewalls on the SMC gateway are disabled.

As a workaround, I was able to establish a PPTP tunnel to my NOC; however, it seems like the tunnel will only run for a few hours, then becomes slow to the point of being unusable. In my mind this would be no different than setting up a permanent VPN back to a corporate office, which I would think happens all the time, so I'm not sure why I'm running into issues with it.

Anyone with insights or comments would be appreciated.

Thanks,
Nate Burke

I have GRE tunnels and L2TP tunnels over those Comcast boxes. L2TP is less
hassle because it handles NAT, but you can do GRE instead -- just make sure
you assign yourself a public static IP.

First, go into the gateway and make sure all firewalls are disabled (it has
a web GUI).

Second, if it's the Comcast SMC 4-port "gateway" thing I think it is, the
device is somewhat retarded. You plug into the switch and pull DHCP, and
you get a NATted address and it routes.

You can plug into the same switch and set a static IP on your device
(internet public IP), and it will work without NAT, assuming your account
has a static IP.

Set said static IP on your Mikrotik box and it should pass end-to-end
without drops.

Was working on the same reply as Paul. You assign your static to your
Mikrotik box and check the box in the WebGUI (default is http://10.1.10.1)
to "Disable Firewall for True Static IP Subnet Only" on the firewall tab.

-Jon

Thanks for all the replies. I have all the firewalls disabled on the SMC modem, with my static IP set on the Mikrotik. The PPTP tunnel came up and ran just fine when I configured it; it was working great when I left the office last night, but this morning it was running very slow. I just set up an IPIP tunnel, and did my EOIP tunnel over that, and it came right up; we'll see if it's still working in a few hours.

Nate

I had to make the LAN end of the tunnel the "DMZ host" (under Firewall settings on my SMC).

    --Steve Bellovin, https://www.cs.columbia.edu/~smb

Good luck. My experience with GRE over Comcast Business was a *nightmare*.
The web interface seems like it has a random roll to corrupt the firewall
config when doing any GRE config, and you must get level 2 support to fix it
each time using an L2-only CLI.

-Blake

I needed fast, reliable internet access at home, so I have Comcast Business
Class for fast and Raw Bandwidth DSL for reliable. I have my own ARIN
direct assignments for my internal networks, and I have routers in a couple
of colos where I get my true upstream connectivity.

I run a Juniper router here at home and in one of the colos. In the other
colo, I use the datacenter's router to terminate the tunnels. I use GRE
tunnels to both colos across both Comcast and Raw Bandwidth and run
BGP to my house (small router), feeding default to the house and getting
the local prefixes (192.159.10.0/24, 192.124.40.0/23, 2620:0:930::/48)
advertised upstream to the colo routers.

The colo routers are full-feed BGP speakers.

My Comcast gateway is running in straight L2 bridge mode, so there is
no issue there. When Comcast changes my IP address, things get very
slow until I can reconfigure the tunnel end-points. Raw Bandwidth provides
me with a static address.

I'm not doing any NAT and the GRE tunnels carry all of my actual traffic.
The Comcast and Raw Bandwidth internet feeds are used only to provide
L2 transport for the GRE tunnels.

This allows me to do convenient cost-effective multihoming without NAT
at home using commodity internet access.

Owen

The best thing to do is supply your own GRE router and have the Comcast
gateway operate as a dumb simple ethernet bridge.

Owen

I also have pretty much the exact same setup, and it works very well for me.

Also make sure that Smart Packet Detection is turned off (that
affects most services and slows things down at best). It is a checkbox
right under the above one.

-- Pete

Mikrotik EOIP does not follow standards; it is just their own hack, so it is very possible that some SPI in Comcast is breaking it.
Additionally, some Mikrotik versions don't even work properly with their own EOIP, plus it has fragmentation issues. Fragmentation issues usually appear on large transfers, such as "stalling" sessions.
I wrote my own implementation of Mikrotik EOIP for Linux, so I know what I am talking about; in the same code I also wrote an alternative tunnel that has much less overhead than EOIP (compression + packet aggregation), but of course you need Linux on both sides.

I can recommend you try OpenVPN if you are "Mikrotik only". At least it doesn't have the fragmentation issues that IPIP/GRE/PPTP have, and it will also run smoothly over NAT/SPI. The con is that it is a bit more laggy, because it runs over TCP.
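The fragmentation point made above, and Nate's EoIP-over-IPIP stack earlier in the thread, both come down to encapsulation overhead: every nested tunnel eats bytes out of the 1500-byte link MTU, and an inner frame that does not account for that is fragmented (or silently dropped where DF is set) on the outer path. The calculator below is an added example, not code from the thread or from Mikrotik; the per-header sizes are assumptions taken from the usual IPv4, GRE and Ethernet layouts without options, and the encapsulation names are labels chosen here. It computes the total overhead of an arbitrary stack, the largest inner MTU that avoids fragmentation, and the matching TCP MSS clamp, which generalises beyond the single EoIP-over-IPIP case to any nesting of the listed encapsulations.

```python
"""Tunnel overhead calculator for stacked encapsulations (e.g. EoIP over IPIP).

Added example, not code from the thread. Header sizes below are assumptions
based on common IPv4/GRE/Ethernet header layouts with no options present.
"""

from typing import Dict, List

# Assumed per-encapsulation overhead in bytes:
#   ipip : outer IPv4 header (20)
#   gre  : outer IPv4 (20) + minimal GRE header (4), no key/checksum/sequence
#   eoip : outer IPv4 (20) + GRE header with key field (8)
#          + the carried Ethernet header (14), since EoIP tunnels whole L2 frames
OVERHEAD: Dict[str, int] = {"ipip": 20, "gre": 24, "eoip": 42}

IPV4_TCP_HEADERS = 40  # IPv4 (20) + TCP (20), no options; used for the MSS clamp


def stack_overhead(stack: List[str]) -> int:
    """Total bytes added when the encapsulations in `stack` are nested.

    Order does not change the sum, but the list is read outer-to-inner or
    inner-to-outer alike, e.g. ["eoip", "ipip"] for EoIP carried inside IPIP.
    """
    unknown = [name for name in stack if name not in OVERHEAD]
    if unknown:
        raise ValueError(f"unknown encapsulation(s): {unknown}")
    return sum(OVERHEAD[name] for name in stack)


def max_inner_mtu(link_mtu: int, stack: List[str]) -> int:
    """Largest inner IP packet that fits in one outer packet on the link."""
    room = link_mtu - stack_overhead(stack)
    if room <= 0:
        raise ValueError("encapsulation overhead exceeds the link MTU")
    return room


def will_fragment(inner_len: int, link_mtu: int, stack: List[str]) -> bool:
    """True if an inner packet of `inner_len` bytes will not fit in one outer packet."""
    return inner_len + stack_overhead(stack) > link_mtu


def tcp_mss_clamp(inner_mtu: int) -> int:
    """TCP MSS to advertise/clamp so full-size segments fit the inner MTU."""
    return inner_mtu - IPV4_TCP_HEADERS


def plan(stack: List[str], link_mtu: int = 1500, inner_mtu: int = 1500) -> Dict[str, object]:
    """Summarise what happens to a full-size inner frame and what to configure instead."""
    overhead = stack_overhead(stack)
    fit = max_inner_mtu(link_mtu, stack)
    return {
        "stack": "/".join(stack),
        "overhead": overhead,
        "outer_size": inner_mtu + overhead,          # bytes on the wire for a full frame
        "fragments": will_fragment(inner_mtu, link_mtu, stack),
        "inner_mtu_to_set": fit,                      # tunnel MTU that avoids fragmentation
        "mss_clamp": tcp_mss_clamp(fit),              # MSS clamp for TCP through the tunnel
    }


if __name__ == "__main__":
    # Constructed scenarios: a plain IPIP tunnel, plain EoIP, and Nate's EoIP-over-IPIP.
    for stack in (["ipip"], ["eoip"], ["eoip", "ipip"]):
        print(plan(stack))
```

A full 1500-byte frame pushed through EoIP over IPIP becomes 1562 bytes on a 1500-byte link, so it fragments on every packet; setting the tunnel interface MTU to 1438 (or clamping MSS to 1398 for TCP) keeps the outer packets at or below the link MTU.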

Au contraire, OpenVPN only runs over TCP if you explicitly tell it to;
default configuration, and widespread practice, is to run it over UDP.

- Matt

On Linux, yes, the default configuration is UDP, but in the current case, on Mikrotik, it works _only_ in TCP mode, and has a few more limitations.
http://forum.mikrotik.com/viewtopic.php?f=1&t=20537

WT*F*? I've never understood the appeal of Mikrotik, and now I understand
it even less.

- Matt

Well, it is luring people because it has an easy GUI and it is cheap. Even a noob can set up a VPN in a few clicks.
At the same time they have hidden bugs that can cause packet loss, session stalling, improper UDP NAT handling, and a lack of proper interoperability.
Maybe the discussed issue lies not in Comcast, but in some Mikrotik bug.

The software is... quirky, at times, but some of their hardware, especially
on the very low-end, is hard to beat.

For instance, they make a SOHO router with five Gigabit Ethernet ports for
$70, which has point-and-click access to MPLS, DHCP (server and client), a
few different flavors of VPN including IPSec, and a bunch of other stuff. It
even supports BGP, though you're not going to do very much with that
system's 32MB RAM.

If you really wanted, you could buy the hardware then re-flash it with
something else; the CPU on this particular system is a MIPS 24K, and there's
probably other embedded Linux/*BSD distributions that would work well
enough.

David Smith
MVN.net

We're evaluating a good spread of Mikrotik products as well, both for wireless AP's and general routers.

Almost worked out all the features (some features have names that conflict with other vendors, or operate unlike you expect them to), but for the price, even of their higher-end ones (RB1100, online for $399), it has 13 GE ports and appears to be able to route traffic at faster speeds than I can get a competitor (Cisco/Juniper) box for. We used the built-in speed test (iperf) and got 970 Mbit (and about 70% CPU usage) between 2 RB1100s (connected by a single routed gigabit connection) and about 1.4 Gbit to a local address on the box, which probably isn't a fair throughput test, but is a good test of where the CPU maxes out, since there doesn't appear to be any ASIC-level forwarding unless you are switching layer 2 traffic.

For the price, I'm impressed. Also, the operating temperature range being so wide lets us put them in places we couldn't (supportably) put a Cisco or Juniper low-end (or high-end) box, since we have some remotes where we need to go down to -10C or so.

Walter Keen
Network Engineer
Rainier Connect

(P) 360-832-4024
(C) 253-302-0194

I guess vendors are just not interested.

D-Link DIR-600, here in Lebanon, is $30. Zyxel Keenetic is a similar price. Only one problem: Mikrotik has 32 MByte flash, and those have 8 MByte.
My friend is developing firmware for this platform (RT3050/3052, Wive-RTNL project) and can put almost any software there; it is an open-source project.
As a benefit, this Ralink platform has hardware wire-speed (100 Mbit) NAT offload on the RT3052, and the guy was able to make it work even on the 3050 (even though officially it is not supported there). Technically it is possible to run gigabit there even, but current vendors do not produce such products.
I think on cheap platforms they have wire-speed gigabit only on switching functions, but the rest will suck. Their top products can do more, but they still cannot beat a PC with Linux. RB1100, $400 for 150 Kpps with NAT and 300 Kpps without, is not that good.

The only major and important difference in "schematics" from routers that can be reflashed is flash size and sometimes RAM. 64 Mbit SPI flash is $2.12, and Mikrotik these days uses 512 Mbit NAND, $7.01. Also they have nice circuits for variable power, with a DC-DC converter, but nothing unusual or innovative like Cisco or others have. Before, they had some funny circuit with a Xilinx FPGA to run NOR flash over SPI.
Note: DD-WRT on RT305x sucks. Their wireless support is incomplete, and there is no NAT offload.

The Atheros AR7161 system on a chip can run as fast as 800 MHz, has dual gig-e MACs, and supports 32-bit 66 MHz PCI operation; when coupled with a companion Ethernet switch it can result in a fairly hefty little router platform.

An example of one would be

RouterBOARD 433AH
or Ubiquiti RouterStation Pro.

BOM and flexibility are going to ultimately determine cost, but these are substantially more powerful than a lot of smaller embedded platforms we've been using, including Geode/Elan based PC devices.