USA Comcast xFi Advanced blocking warning

So today was meant to be a great day for me.
My home is serviced by Comcast’s Xfinity service. To increase my bandwidth and get unlimited data I had them come out today to give me their unlimited 1Gb down / 40Mb up service.

This service requires the use of their xFi Advanced router (if you don’t provide your own, but also seems required if you want unlimited based on fine print).

The tech came this morning, replaced the wire and the modem, tested speeds, did basic setup and left. While he was working I got the alert that my node was down as expected but I was busy with other things when he left and didn’t think to check that my node came back up before he was gone.

When I checked the node, I found that the Last Contact in the dashboard was very erratic. It would climb to a couple of minutes, then go to zero, and repeat. It didn’t show offline, but it was not talking correctly.
I use DDNS and that was all correct and updated with the change. Google had the right IP.
I checked the port forwarding settings in the new modem and they were correct.
I checked the modem’s standard internal firewall settings and they were not set to block anything.
I checked that the port was open and found it reported as closed.

I spent an hour troubleshooting and found that if I rebooted the modem or deleted/re-added the port forward, the port would stay open for about 10-30 seconds, then close. I couldn’t figure out how to keep it open in the new modem settings.
I then spent 2 hours 1 min and 39 seconds on the phone with Comcast support. As expected, it was a total joke, and 2 people not knowing what port forwarding is didn’t help. I finally got someone who understood that I had done more troubleshooting than they understood, and got approved to replace the modem at the local Xfinity store. Drove to the store; in and out with a different modem.
Got that set up and got the same results. I spent several more hours trying to troubleshoot: factory default, modem logs, online settings, etc., and could not get the port to stay open. Even tried switching Docker to a different port; nothing worked. The store had closed by the time I gave up, so I decided I would go to the store tomorrow and at least get the old-style modem back until after the USA holiday, when a tech could come out later in the week.

I was just about ready for bed and got an alert never seen before on my phone from Xfinity. It was a daily summary report of Advanced Security blocks for the day. I think the point of the alert was to notify the average home user that Xfinity has their back and are providing great security services. I looked at the report and it was filled page after page with blocked activity on port 28967.

I went back to the modem’s internal firewall and verified nothing was activated for blocking (I have a different firewall on the inside). Checked the logs and nothing. I then clicked around on the Xfinity site and found that this upgrade also included, as part of the deal, something called Xfinity xFi Advanced Security (free, of course).
This Advanced Security isn’t controlled at the modem admin GUI; it must be controlled via the cloud. I got into the Xfinity account page and found where I could disable it.

The second I clicked save - the node dropped from 8 mins Last Contact to 0 secs and stayed.
I am still livid about this. I even asked the third Comcast support person about security settings.

So I hope that anyone else who gets the xFi Advanced system with their gig service can benefit from my 16 hours of downtime for a 30 min modem replacement job.

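The poster checked the port by hand and noticed it stayed open for only 10-30 seconds after each change. The script below is an added example (not from the post or from Storj) that automates that observation: it probes a TCP port repeatedly and records every open/closed transition, so an "opens then closes again" pattern shows up as timestamps instead of guesswork. Host, port and poll interval are assumed command-line parameters; the self-check uses a loopback listener so it runs offline.

```python
"""Watch a forwarded TCP port and record every open/closed transition.

Added example, not from the forum post. Host, port and interval are
assumed CLI parameters; the probe is a plain TCP connect (no app data).
"""
import socket
import sys
import time
from typing import Callable, List, Tuple


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or silently dropped
        return False


def transitions(states: List[bool]) -> List[Tuple[int, str]]:
    """Collapse a sequence of probe results into (sample_index, state) changes.

    The first sample is always reported so the initial state is visible.
    """
    events: List[Tuple[int, str]] = []
    last = None
    for i, is_open in enumerate(states):
        state = "open" if is_open else "closed"
        if state != last:
            events.append((i, state))
            last = state
    return events


def watch(probe: Callable[[], bool], samples: int, interval: float) -> List[Tuple[int, str]]:
    """Run probe `samples` times, `interval` seconds apart; return the transitions.

    With interval=5 and the 10-30 s behaviour from the post, the result looks
    like [(0, 'open'), (3, 'closed')]: open at t=0, gone by the 15 s sample.
    """
    results = []
    for i in range(samples):
        results.append(probe())
        if i < samples - 1:
            time.sleep(interval)
    return transitions(results)


def self_check() -> List[bool]:
    """Offline demo: probe a loopback listener, close it, probe again."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port, no network needed
    srv.listen(1)
    port = srv.getsockname()[1]
    before = tcp_probe("127.0.0.1", port, 1.0)
    srv.close()  # listener gone: the same port must now report closed
    after = tcp_probe("127.0.0.1", port, 1.0)
    return [before, after]


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    every = float(sys.argv[3]) if len(sys.argv) > 3 else 5.0
    for idx, state in watch(lambda: tcp_probe(host, port), samples=24, interval=every):
        print(f"t={idx * every:>5.0f}s  {state}")
```

Run it from a host outside your LAN (a VPS, a phone on mobile data) against your public address: probing your own WAN IP from inside the network goes through hairpin NAT on the gateway and can report open when the outside world sees closed, or the reverse. A result that flips to closed a few samples after a reboot or port-forward change is exactly the signature described above, and points at something upstream of the modem's own firewall.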

Yea.

ISPs go out of their way to stay relevant and competitive. And if possible, charge an extra buck.
And often, it gets sneaky.

Recently, I had a Telus salesman knocking on my door.
I have Surf with 150down / 15up for $40 / month; unlimited traffic.
He offered 150/150 for $35. And first two months free.

OK, sign me up! So, he did.

I got the order confirmation email. It says 150 / 15. What?
I called them. Yeah, they don’t have 150/150 at all. Also, while talking to them I found that there is a 1TB limit on traffic…
But, the rep said: Telus is the best, has all kinds of freebies - emails, antivirus, some kind of cloud (??)…

I said: Forget it…

I can recommend that everyone always use only your own router, one that you personally select and buy. Unfortunately, I know many examples where the ISP provides a cheap router that never works fine, especially under heavy load and many concurrent connections.


I have xFi advantage and I disabled that built-in firewall, or else it would block connections to the outside and incoming. Also, the port forwarding has to be done through some app. I have also discovered that when making changes to the gateway they don’t always occur in real time, because it is cloud-managed junk, as I have expressed to Comcast. I have eliminated all the xFi advantage junk by bridging the gateway and using my router with built-in wireless, which allows my router to authenticate on the WAN network and still use the unlimited data that xFi advantage comes with. Also, DDNS providers go down, either the free or paid versions, and they don’t give the users of their product advance warning. The reason I have mentioned this is that the WAN IP from Xfinity is dynamic, but it will remain the same provided the modem gateway doesn’t fail and has to be replaced, and you can check this periodically to verify it yourself. Hope this will help in future decisions.

You are not alone in spending time with Xfinity tech support. I turned the security feature off in the gateway, period; have not used it for the five months I have had it.

(if you don’t provide your own, but also seems required if you want unlimited based on fine print)

ISP: You get unlimited, but only if we can spy on you with our router :rofl:

I’ve seen CenturyLink lock their Arris modem firmware down so well that you can’t change DNS and many other security items.

No, I have xFi and the gateway is in bridge mode using a Linksys EA6900, and I had two months of 3700GB of data, so they don’t care. Spying is always enabled; ISPs have the ability to log in to their gateway admin tool even if you set a different password.

Unless you replace all their gateway hardware :smiling_imp:

Problem is, when you want to replace all their hardware you still need their router, because it’s the only reasonable interface to their communication line, like xDSL or TV cable. There are xDSL add-in cards, but they’re very expensive and you still need the rest of the system. And in case the interface changes, the money’s down the drain… Optical fiber is the best choice for those that have access to it; I’m assuming it’s configurable with a simple network card, no idea or experience with it though.

Same situation with Earthlink. They said 45 up and 45 down. Got it. It’s only 6 up… Called and they said they don’t offer anything higher than 6 up. Glad I didn’t cancel AT&T yet; at least with them I get 15 up. I can’t find any ISPs in my area with anything higher than 15-20 upload.

So my saga continues my friends…

After disabling Xfinity xFi Advanced Security I was up and running. No issues with the node or connections.
Yesterday, I got home from work and decided to check on the SN and the forum to see how Storj life was going. Didn’t see anything critical in the latest forum posts, so I went to the SN Dashboard - Last Contact looked normal.

I then went to check on the network usage via server monitoring I use to see if traffic has picked up any and I found this:

It totally caught me off guard. Nothing in the forum, where people would usually be panicked and complaining about a satellite being down or lower traffic; my Last Contact was normal, and my Uptime Robot said online. :thinking:
Nothing says I have a problem, no Uptime Robot alerts, nothing…

I then noticed it stopped traffic at exactly 6am. Instantly checked to see if the port was open.
Of course I found the port closed. I logged into the Xfinity site and verified that Advanced Security was off - confirmed. Checked port forwarding settings - confirmed.

Just like last time, if I made a change to the modem or port forward it worked for 10 seconds, then the port closed. I spent an hour troubleshooting again and called Comcast Xfinity support, knowing what I would get.
Finally got transferred to advanced support, and got someone who understood port forwarding basics. But as expected, got nowhere with them. It was 11pm at the time, so no one of skill or knowledge was working and there was no security department to be transferred to.

I fully explained the problem, the solution found two weeks ago, and that it had been working fine until 6am sharp.
They did tests and said "nothing wrong with the modem or our service, use a different port or a different modem" (but pay more to keep unlimited data when not using the xFi modem - no thanks).
She did mention that Comcast does have a blacklist of ports they block regardless, but said 28967 was not on that list (TOTALLY FAILED to ask when that list was last updated :hot_face:).

Spent over an hour trying different things and bailed on support. While talking I did think of one potential solution. Spoiler: it worked, keep reading.

Turn the xFi modem to bridge mode. This will disable all modem and cloud-based security features.
Now, for some reason, the last Xfinity modem for the 60Mbps plan didn’t need this, but all the advanced features of xFi cause problems.

Now of course I had to completely redo my network to get this to work. Here is the summary version of what took me 6 hours to troubleshoot and get working.
Toggle on Bridge Mode and power off the modem (it has to be rebooted; the toggle alone doesn’t enable it)
Change the vSwitch to not allow the OS to use the port for management, AKA passthrough
Reboot the server to remove the port
Change the WAN port on the VM firewall to DHCP and power down
Turn on the modem and let it fully load
Turn on the server
Turn on the VM firewall - got a public address :+1:
This change caused me to lose access to the firewall GUI - no clue why - spent hours trying to regain access with Google and forums/Reddit. NOPE - factory-defaulted the firewall settings and started from scratch.
Configure ports, NAT (new now in bridge mode), FW rules, etc.
Everything looked ready and I gave it the ol’ docker restart storagenode
BAM - 0 seconds, port open and staying open, SN logs showing downloads, Uptime Robot sends me the UP email, back in business.

41 hours of downtime this time, between my job, family, 4 hours of sleep, and the Comcast support call. 6am to 11pm the next day. Still don’t have everything working, like wireless, and only the critical firewall rules are configured at this point, but my SN is online - priorities!

I wanted gig speeds and unlimited data; Xfinity says use our modem or pay $50 per month extra for unlimited with your own modem… Bridge Mode it is, then.
Still don’t know why it just stopped at 6am. Worked for 2 weeks and close (months on the old plan). No issues in the past 2 hours for the SN. Let’s hope this doesn’t become a trilogy.

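The poster's success signal after bridging was "the VM firewall got a public address". The script below is an added example (not from the post, the ISP or Storj) that turns that into an explicit check: given the address the firewall's WAN interface received and its default gateway, it reports whether the gateway is really bridged or is still routing/NATing in front of you, and whether the ISP has put you behind carrier-grade NAT, in which case no port forward on your side can ever work. The reserved address blocks are the standard ones; the 10.0.0.0/24 LAN subnet used as the "not bridged" signature is an assumption matching common Xfinity gateway defaults, and can be overridden.

```python
"""Sanity-check the WAN side after putting an ISP gateway into bridge mode.

Added example, not from the forum post. The gateway_lan_subnet default is
an assumption (common Xfinity gateway default); interface details are
left to the caller, who passes in the WAN address and default gateway.
"""
import ipaddress
from typing import List, Optional

# Address space that is never reachable from the Internet. A WAN lease in one
# of these blocks means something upstream is still doing NAT for you, so an
# inbound port forward on your own firewall cannot work by itself.
NOT_ROUTABLE = {
    "RFC 1918 private": [ipaddress.ip_network(n) for n in
                         ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "carrier-grade NAT (RFC 6598)": [ipaddress.ip_network("100.64.0.0/10")],
    "link-local / APIPA (no DHCP lease at all)": [ipaddress.ip_network("169.254.0.0/16")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
}


def classify_wan(addr: str) -> Optional[str]:
    """Return why an address is not a usable public WAN address, or None if it is."""
    ip = ipaddress.ip_address(addr)
    for reason, nets in NOT_ROUTABLE.items():
        if any(ip in n for n in nets):
            return reason
    # Catches the remaining IANA special-purpose blocks (TEST-NET, multicast, ...).
    return None if ip.is_global else "reserved / not globally routable"


def bridge_checks(wan_addr: str, wan_gateway: str,
                  gateway_lan_subnet: str = "10.0.0.0/24") -> List[str]:
    """Findings for a freshly bridged setup; an empty list means it looks right.

    gateway_lan_subnet is the subnet the modem/gateway hands out when it is NOT
    bridged (assumed 10.0.0.0/24). Seeing it on the WAN side of your own
    firewall means the bridge toggle did not take effect.
    """
    findings: List[str] = []
    lan = ipaddress.ip_network(gateway_lan_subnet)
    wan_ip = ipaddress.ip_address(wan_addr)
    gw_ip = ipaddress.ip_address(wan_gateway)

    if wan_ip in lan:
        findings.append(f"WAN address {wan_addr} is inside the gateway's own LAN "
                        f"{gateway_lan_subnet}: bridge mode is not in effect (reboot the gateway)")
    elif (why := classify_wan(wan_addr)) is not None:
        findings.append(f"WAN address {wan_addr} is {why}: inbound port forwards cannot "
                        "reach you; ask the ISP for a public/static address or use a tunnel")

    if gw_ip in lan:
        findings.append(f"default gateway {wan_gateway} is the modem's LAN side, "
                        "not the ISP's router: traffic is still being NATed by the gateway")
    elif classify_wan(wan_gateway) == "carrier-grade NAT (RFC 6598)":
        findings.append(f"next hop {wan_gateway} is in 100.64.0.0/10: the ISP is running CGNAT")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real leases.
    for wan, gw in (("10.0.0.15", "10.0.0.1"),        # bridge toggle did not take
                    ("100.70.1.2", "100.64.0.1"),     # CGNAT from the ISP
                    ("73.12.34.56", "73.12.34.1")):   # what the poster wanted to see
        print(wan, "->", bridge_checks(wan, gw) or ["OK: public address, routable next hop"])
```

Read the WAN address and default gateway off the firewall itself (for example `ip -4 addr show` and `ip route` on a Linux-based firewall) and feed them in; if the address is public but the port still tests closed from outside, the problem is a filter upstream of the modem or in the firewall rules, not the bridge.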