Saturday, November 9th, 2024 2:45 AM

Unable to connect to web server inside my network with port forwarding from an outside network.

Date: 11/08/2024

I'm trying to set up port forwarding to an Apache webserver on port 80. I'm unsure if the port forwarding from the internet is being blocked by the ISP (Xfinity). Has anyone been able to get port forwarding to work on Xfinity recently (in 2024)?

Diagram:

Computer on Internet --> Xfinity --> Cable modem (Arris SurfBoard Model: S33) --> Router MT6000/Flint2 (Firmware v4.6.8) --> Computer on my network hosting an Apache webserver on port 80.

Settings:


Xfinity settings:
Unknown - There currently does not seem to be a way to set up port forwarding if you do not have one of Xfinity's cable modems/routers (Gateways). This should be done in one's router. To avoid problems in the Xfinity app the two-step verification has been disabled. Xfinity tech support has been unhelpful thus far.

Xfinity port forward directions:

https://www.xfinity.com/support/articles/port-forwarding-xfinity-wireless-gateway 

  1. xFi Users (xFi Gateway) Using Xfinity app <-- suggested to click WiFi in app and go to "Advanced Settings". The only options are Troubleshoot and WiFi Hotspots if you are not using their equipment.

  2. Non-xFi Xfinity Gateway User (Xfinity Gateway): <-- suggest to use Admin Tool if you have an Xfinity Gateway. The URL http://10.0.0.1/ times out if you do not. To find your gateway IP in Windows go to the CMD prompt and type ipconfig /all and find your Default Gateway IP and enter that into your browser instead.  

Note: According to Xfinity documents, port 80 is not a blocked port:

https://www.xfinity.com/support/articles/list-of-blocked-ports

Note: Using the Xfinity app it seems you can no longer access port forwarding using the Assistant. This was done in the past by clicking on Account/Xfinity Assistant/ Xfi / Network / Open advanced settings / Port forwarding / This now displays the error message "Sorry, we're having some trouble gathering the list of your port forwards. If the problem persists, check back later." 

Arris SurfBoard Model: S33 (Cable Modem) Settings:
There are no port forwarding settings since this is strictly a cable modem. Straight cable Modems are simply "pass through devices". You do not need to place it into "bridge mode" like you would if it were an Xfinity Gateway (combo modem/router).

MT6000/Flint2 Settings:

To set up port forwarding with this router, the port forwarding settings are found in two places. The 2nd location allows the ports to be publicly reached.

1st Found under: Network/Port Forwarding 

https://docs.gl-inet.com/router/en/4/interface_guide/port_forwarding/?_gl=1*k7j81z*_gcl_au*NzYwMTAwMTk4LjE3MzEwMTMyNzg.*_ga*ODY0ODg1Njc5LjE3MzA5Mzc1NDA.*_ga_34T6Q5NL0V*MTczMTExNjYwOS4xNi4xLjE3MzExMTc1MDUuMC4wLjA.

2nd Found under: System/Security/Open Port on Router

https://docs.gl-inet.com/router/en/4/interface_guide/security/

Testing:

Windows Defender is turned off for testing. 

Xfinity ISP in my area doesn't look like it is using CGNAT (Carrier Grade NAT). Link on how to check on Windows 10/11:

https://winbuzzer.com/2020/05/29/windows-10-how-to-tell-if-your-isp-uses-carrier-grade-nat-cg-nat-xcxwbt/

Internet search for "What is my IP address" allows me to find what my public IP address is. This is the address you type in to access your router from outside your home network. 

When connected to my home network (LAN) I can enter either the public IP address or the direct IP address of my webserver and the Apache webserver page is shown. 

When attempting to access my home network via the public IP address from an outside computer a time out message in the web browser is received. If I changed the port number to something other than 80 under the MT6000/Flint2 router's Port Forwarding settings, I am able to access the Admin login page for the router. However, no port forwarding occurs. 

Used CanYouSeeMe

Open Port Check Tool -- Verify Port Forwarding on Your Router

A free open port check tool used to detect open ports on your connection. Test if port forwarding is correctly setup or if your port is being blocked by your firewall or ISP.

Received:
Error: I could not see your service on 73.192.XXX.XX on port (80)
Reason: Connection timed out

6 Messages

14 days ago

This is interesting even though Xfinity/Comcast docs claim that port 80 is not being blocked...

I just asked the question to the Xfinity Assistant and got a message back stating that port 80 IS being blocked "... to protect users from potential security and privacy vulnerabilities."!

(edited)

Gold Problem Solver

13 days ago

... I just asked the question to the Xfinity Assistant and got a message back stating that port 80 IS being blocked ...

The Assistant tells me, in response to "Is port 80 blocked?":

Port 80 is not mentioned in the provided information about blocked internet ports by Xfinity. The list of blocked ports includes Port 0, 25, 67, 135-139, 161, 445, 520, 547, 1080, and 1900, but Port 80 is not listed as being blocked. Therefore, based on the information available, it can be inferred that Port 80 is not blocked by Xfinity.

Please be aware that there are 2 kinds of responses in this Forum: Replies and Comments. When you Comment on a post by scrolling down to "Comment on this post here...", I am notified of your response. But if you select Reply, I am NOT notified and may not be aware of your response.

6 Messages

Hi Bruce:

Great, we have two different answers from the Xfinity Assistant. Testing is proving port 80 is blocked so far.

Official Employee

13 days ago

@user_46bvj0 Good evening! Thank you for your detailed post. It's always super helpful. Regarding Port 80, I can only find documentation stating that it is not one of our blocked ports. The Xfinity Assistant saying it is a blocked port is interesting. I will be taking that back to figure out why we have two different answers out there. 

I would definitely reach out to your router manufacturer about getting port forwarding to work. We don't have any articles on how to do that on third party routers because that is outside our realm. That is up to the manufacturers to implement and you to configure. We can only help you set it up with Xfinity Gateways. Let me know if you have any other questions.

6 Messages

Hi XfinityTony:

I’ve been in touch with the router manufacturer; they said port forwarding is set up correctly. I actually do not need to use the 2nd port forwarding options found under their security area. That area is only used for Remote Access Control.

Port forwarding works correctly within the LAN. However it seems that all attempts to access the network from outside (WAN) are blocked.

Running a netmap scan from outside the network shows a 514/tcp filter shell message. This looks to be a network input port often used for remote shell without encryption.

No ports are open from outside the network.

When I tried changing the default port 80 to another number, I did also enter the socket address:

public-ip:8080

The router manufacturer believes that Xfinity might be using CG-NAT/CGNAT/Carrier Grade NAT addresses, which would block port forwarding. 

From the testing I’ve done this doesn’t appear to be true. But I can’t explain why all outside connections are being blocked.

Official Employee

@user_46bvj0 Xfinity does not use Carrier-Grade NAT. I have helped several customers set up port forwarding. Port forwarding errors are often due to security settings. Being that you have 3rd-party equipment, I cannot help you navigate those settings. I am leaving this thread open in hopes that one of the community members can help you. Official Employees can't advise on third-party equipment outside of really basic information and guidance.

(edited)

I am an Official Xfinity Employee.
Official Employees are from multiple teams within Xfinity: CARE, Product, Leadership.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Please, mark a reply as the Accepted Answer.

6 Messages

Hi XfinityTony:

Thank you for the information "Xfinity does not use Carrier-Grade NAT". That is one thing I can cross off the list.

Do we know if port 80 is being blocked by Xfinity since we have heard different things from AI?

Is there anything that Xfinity has to do on their end to enable port forwarding?... Not sure what that might be (static IP maybe)?

I tried to set up port forwarding on an old Linksys WRT54GL router with the same results. No connection from outside computer on WAN. Something is blocking the port forward connection, just not sure what that is or could be!

Official Employee

@user_46bvj0

Thank you for following up. I see you have a couple of questions, so I'll cover each below.

Q: Do we know if port 80 is being blocked by Xfinity since we have heard different things from AI?

The common port numbers like Port 80 for (web servers) and Port 443 for Secure Socket Layer traffic wouldn't be blocked from what I know. You can find a list of the blocked ports here https://www.xfinity.com/support/articles/list-of-blocked-ports for further confirmation. 

Q: Is there anything that Xfinity has to do on their end to enable port forwarding?... Not sure what that might be (static IP maybe)?

 

With third-party equipment, we would be limited with what we can enable on the device. The port forwarding on the Xfinity Gateway is also managed by the end user. Additionally, we do not provide a static IP for residential customers, but we do offer them in blocks of 1, 3, and 13 at an additional cost to Comcast Business customers. If this is something you think you could benefit from, you could explore the great options they have available.





Gold Problem Solver

12 days ago

@XfinityTony wrote: "... Xfinity does not use Carrier-Grade NAT ..."

That's incorrect. In fact, Comcast/Xfinity DOES use CG NAT. See, for example,

https://forums.xfinity.com/conversations/your-home-network/packet-loss-on-xfinity-network-in-atlanta/65395fe377679f48f5bbfc95?commentId=6539c353e05b5f65da045833&replyId=653a6680e05b5f65da047739.

The first Comcast/Xfinity hop in the trace in that thread is in the CG NAT range. A more readable version of the trace image is at:

https://prod-care-community-cdn.sprinklr.com/community/cd58a8fd-ee2e-46c9-8c79-e9309441066e/dns.google_10252023_03-5f8b28ce-b3de-446b-8b80-8f19a9dc6a23-2086096517.png.

Also see

https://en.wikipedia.org/wiki/Carrier-grade_NAT.


6 Messages

Hi @BruceW:

Thank you for the message. You keep getting the exact opposite replies to my questions lol. I'm in Jacksonville, FL. What area are you located in? Is it possible that in different areas Xfinity/Comcast have different systems in place?

I've done a few of the CGNAT/CG-NAT tests that I've posted above and they have all come back as no CGNAT in my area. However, I still can't explain the no connection from outside computers (WAN). My working theory is a double NAT issue (Xfinity has a router somewhere upstream where port forwarding to my public IP is being blocked)?

Here are the CGNAT tests I've run. Do any of these come back as positive on your system?

1. In my router I see my public IP address 73.192.XXX.XXX. It is not within the 100.64.0.0/10 IP range.

2. Windows Check:

Admin CMD

tracert public-IP               = 1 hop means you have a public IP, 2 hops mean you are in CG-NAT

https://itigic.com/know-if-my-internet-connection-uses-cg-nat-or-public-ip/

(edited)
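The address checks discussed in this thread (router WAN address against 100.64.0.0/10, WAN address against the externally observed address, and trace hops in the CG-NAT range) can be combined into one script. This is an added example, not code from any poster or from Xfinity; the function names `classify` and `diagnose` are hypothetical, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# RFC 6598 shared address space, used for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges: a WAN address here means another NAT router is upstream.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return 'cgnat', 'private' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_NET:
        return "cgnat"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def diagnose(router_wan_ip, observed_public_ip, trace_hops=()):
    """Return (verdict, notes) from the router WAN address, the address a
    "what is my IP" service reports, and optional tracert hop addresses."""
    notes = []
    kind = classify(router_wan_ip)
    same = (ipaddress.ip_address(router_wan_ip)
            == ipaddress.ip_address(observed_public_ip))
    if kind == "cgnat":
        verdict = "behind-cgnat"
        notes.append("WAN address is inside 100.64.0.0/10")
    elif kind == "private":
        verdict = "double-nat"
        notes.append("WAN address is RFC 1918; another router is upstream")
    elif not same:
        verdict = "translated-upstream"
        notes.append("WAN address differs from the externally observed one")
    else:
        verdict = "direct-public-ip"
        notes.append("WAN address matches the externally observed one")
    # Shared-space hops show the ISP uses that range on the path; on their
    # own they do not prove the subscriber's WAN address is translated.
    shared = [h for h in trace_hops if classify(h) == "cgnat"]
    if shared:
        notes.append("trace hops in 100.64.0.0/10: " + ", ".join(shared))
    return verdict, notes


if __name__ == "__main__":
    # Constructed sample values (documentation ranges), not data from the thread.
    print(diagnose("203.0.113.10", "203.0.113.10", ["192.168.8.1", "100.92.0.1"]))
    print(diagnose("100.72.14.9", "198.51.100.7"))
```

A `direct-public-ip` verdict only rules out address translation; a port can still time out from outside because of filtering on the path or on the host itself.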
