Xfi Advances Security (comcast)

For whatever reason Comcast Xfinity is blocking my VPN URL. I’ve started the process to unblock, and I’m trying to get a hold of their security team to resolve this. I’ve been bounced around all morning.

Does anyone have a contact at Comcast that can whitelist a URL or get me to a team that can understand what is going on for the block to happen?

Why is Comcast blocking things? That seems like it’s out of scope for an ISP.


Not certain that this applies, but Comcast Advanced Security (set up in your Comcast gateway) only allows outbound VPN connections to UDP ports 500, 4500, and 62515 and TCP port 1723.

-Jim P.

By default, the cable modems from Comcast have xFi Advanced Security enabled, which is a layer 3 URL blocker.

We can access our URL via that IP fine, but the URL fails.

The fix we’re telling users is to first unblock the URL in the app, then disable the service, which does fix the issue.

I’m trying to find out why Comcast did the block to start with and how to whitelist.

This is an SSL VPN that is being blocked. This is what failure looks like. Curl is the same.

Once we disable the Xfi Advanced Security everyone can connect.


Could it be related to the many FortiNet devices being exploited? About 45k credentials were dumped two days ago. Many are still working.

I know this is not a solution to your problem, but I have found myself more often running the public interface of openvpn systems on port 443. Any sufficiently advanced DPI setup will be able to tell that it’s not quite normal https traffic.

But 99% of the time it seems to serve the purpose of defeating heavily-restricted “free” wifi in airports, hotels, random guest/amenity wifi stuff, which obviously can’t block https/443 to the world these days.

First thing I do with any cable modem is convert it to bridge mode.

The fewer “smarts” in the cable modem doing odd things to my traffic, the better.


Ideally, buy your own customer-owned cable modem that meets specs (Comcast does allow this in some regions) that will function as a layer 2 bridge.

Yes, I own my own modem even though Comcast now charges me $5/month more than if I rented their equipment for this privilege.


https://spa.xfinity.com should have a form to request removal. Note they say resolution time can be up to three business days.

For Internet access, sure. But ISPs also have value-added protection services, and this is part of an optional content filtering service that is integrated into the leased Comcast gateways. Users can turn on things like parental controls, including time limit and time-of-day boundaries for certain devices (e.g. cut off the kid's game console Internet access at midnight on school nights). See Using Xfinity xFi Advanced Security - Xfinity Support


As Alex said, you can submit a request to review a block at https://spa.xfinity.com. Note that this service relies substantially on 3rd party list sources – so if any IP/FQDN appears on other lists (e.g. webroot and similar) then it may be here as well. So you may want to take a look more broadly, especially if you rely on any virtual infrastructure.



Yes, but it’s tragically opt-out instead of opt-in as it should be. That means that anyone whose site happens to get miscategorized by them gets the added costs of dealing with the user complaints instead of Comcast having to bear the costs of their error.

It’s a classic example of the toxic polluter business model. Do something stupid while making sure that the costs of your errors fall on someone else.


Yes, but it’s tragically opt-out instead of opt-in as it should be.

It is not a default for an Internet access service. It comes bundled as one of several features in an optional add-on service. See Get xFi - Personalize, Manage, and Protect Your Xfinity Internet for details. This is targeted at the average consumer, particularly those that may want parental controls, mesh WiFi, a voice port, and so on - so not really targeted at NANOG list subs like us. That said, I have an XB7 modem at home and really like it a lot - especially the new AQM feature that dramatically lowered working latency.

That means that anyone whose site happens to get miscategorized by them gets the added costs of dealing with the user complaints instead of Comcast having to bear the costs of their error.

As my other reply noted, this service uses a bunch of 3rd party services and it is those 3rd parties that maintain the lists (a la anti-spam and anti-phishing email list vendors). So if an IP/FQDN/URL happens to be on "our" list it is very likely getting filtered/blocked in a lot of network places because it is on a well-known independent list.

BUT, how do we know that was even the case here? Do we have a traceroute or a screenshot of an error or block message? We seem to have concluded it was blocked by a content filter, but what technical evidence do we have (that can help troubleshoot)? I know you are not the OP (it is Chris) - but I'd love to know more technical detail, and I am in communication off-list with the OP (along with my colleague Tony Tauber, who was the first to reach out to Chris 1:1).
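Added example, not code from anyone in this thread: a small Python probe that collects the kind of evidence asked for above for an SSL VPN endpoint, separating a DNS-level block from an IP-level block from hostname (SNI) filtering, which is the distinction behind "the IP works but the URL fails". The hostname, expected IP and port are placeholders you supply; `classify` is pure so it can be exercised without a network.

```python
import socket
import ssl
from dataclasses import dataclass

@dataclass
class ProbeResult:
    resolved_ip: "str | None"  # what the local resolver returned for the hostname
    tcp_by_ip: bool            # plain TCP connect to the expected IP succeeded
    tls_without_sni: bool      # TLS handshake to the IP with no server name
    tls_with_sni: bool         # TLS handshake to the IP with the hostname as SNI

def classify(r: ProbeResult, expected_ip: str) -> str:
    # Map the probe outcomes to the most likely point of interference.
    if r.resolved_ip is None:
        return "dns-nxdomain"    # resolver answers nothing: name-level block
    if r.resolved_ip != expected_ip:
        return "dns-rewritten"   # resolver points at a sinkhole or block page
    if not r.tcp_by_ip:
        return "ip-blocked"      # the address itself is unreachable
    if r.tls_without_sni and not r.tls_with_sni:
        return "sni-filtered"    # hostname in the ClientHello triggers the block
    return "no-block" if r.tls_with_sni else "tls-failed"

def _tcp_connect(ip: str, port: int, timeout: float) -> bool:
    try:
        socket.create_connection((ip, port), timeout=timeout).close()
        return True
    except OSError:
        return False

def _tls_handshake(ip: str, port: int, server_name: "str | None", timeout: float) -> bool:
    # Certificate checks are off on purpose: we only ask whether the handshake completes.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name):
                return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False

def probe(hostname: str, expected_ip: str, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    # Runs all four checks against a live endpoint; needs network access.
    try:
        resolved = socket.gethostbyname(hostname)
    except socket.gaierror:
        resolved = None
    tcp_ok = _tcp_connect(expected_ip, port, timeout)
    tls = lambda name: tcp_ok and _tls_handshake(expected_ip, port, name, timeout)
    return ProbeResult(resolved, tcp_ok, tls(None), tls(hostname))
```

Run `classify(probe("vpn.example.test", "203.0.113.10"), "203.0.113.10")` once with the gateway's security feature on and once with it off; a result that flips between `sni-filtered` or `dns-rewritten` and `no-block` is the evidence worth attaching to the removal request.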



I have a sidebar question here.

I came across the AQM paper you and others recently published ( https://arxiv.org/pdf/2107.13968.pdf ). In that paper, the following is stated:

When a customer purchases their own cable modem, they are responsible for administering it, updating the software, configuring it, replacing it if it fails, and so on. These modems are generally referred to as Consumer Owned And Managed (COAM) devices.

An important distinction between leased and COAM modems is support for the operating firmware. For COAM devices, the modem’s operating firmware is provided by the modem’s manufacturer, who controls the feature set, bug fixes, and firmware release schedule (to the extent that there even are any post-sale software updates).

Does Comcast actually allow customers who own their own modems full management of the modem firmware? As far as I have been aware since my time at Adelphia 20-odd years ago, that has never been allowed by the provider; all users of a given model had the same firmware enforced, customer owned or leased didn’t matter.

I can't speak for Comcast, but my local cable company indeed flashes COAM modem firmware to whatever their latest approved version is at least on installation and perhaps periodically thereafter. When I bought my modem and it was first put online its firmware was upgraded over-the-wire as one of the first steps of provisioning.

Even owned modems are TTBOMK very limited on what the customer can do with them. SNMP typically isn't available on the ethernet side for example. About all one can do is parse the HTML on (in most cases) to get an idea of signal quality, etc. If the modem has built-in wi-fi you can expect the cable company to enable it for their roaming customers to piggyback on your RF, resulting in interference even if you turn off your own wi-fi in the modem.

Leasing a modem from the cable company seems to universally be a terrible deal for the customer. DOCSIS 3.1 modems go for about $100 new retail in quantities of one. I'm sure they're much less when a cable company buys them by the tens of thousands in bulk packaging. At $10 to $16 per month it makes zero sense for anyone to rent one. Of course the phone companies did the same thing for decades with extension phones.