Comcast Cable Modems Are Flaky In General, Cannot do Port Forwarding or Port Mapping
Maybe this will help someone out there who needs to do what I do. At least to avoid the expectation of having port forwarding work properly.eave the only solution to be using another router/firewall with NAT as the DMZ machine.
Comcast business internet is a premium service, with 24-hour call support (of varying quality) and 1-2 day on-site response. Overall, it has performed well for me for 10 years or so, but with the advent of COVID-10, service quality has gone to crap with an overloaded “node” serving my neighborhood. Once overloaded (2 PM to 11 PM is pretty bad), the router just drops packets like crazy and all sorts of things slow down or just won’t work. It’s a nightmare scenario with no good alternatives in my area.
Making matters worse, I run a mail server and a git server in my local LAN, behind the Comcast cable modem. All I need the modem to do is to forward incoming requests to my servers
The aging Comcast/Netgear modem I am using has done this job well for years now, but when the node gets overloaded, the router degrades my entire LAN (even just internal stuff), via rampant packet loss. Why WAN problems should degrade the LAN also, dunno—maybe the modem has its CPU pegged-out.
Port forwarding is a well-established and very simple technology that forwards incoming packets from outside the firewall to servers inside the firewall, based on the port number. Properly done, incoming packet on port X can be sent to internal server on port Y. Brain-dead implementations such as on newer Comcast cable modems can only send X to X but better ones like Netgear can send X to Y which is far superior for security purposes eg not having to run on a privileged port on the server. For examples:
<WAN IP>:<WAN port> to <LAN IP>:<AN port>
100.100.100.100:22 to 10.0.0.5:22
100.100.100.100:22222 to 10.0.0.5:22
100.100.100.100:3333 to 10.0.0.5:4444
100.100.100.100:587 to 10.0.0.6:587
What port forwarding looks like on the discontinued Comcast/Netgear cable modem:
ALL the newer “better” Comcast modems fail at port forwarding — both configuration and operationally
I submitted a technical support request at Comcast. No response so far. Most likely, if Comcast ever responds the response will be a patently false claim that port forwarding is a customer IT issue. But my issue is not how to configure, it’s that configuration doesn’t work due to bugs in the modems.
Comcast has discontinued the Netgear cable modem, and is actively replacing it at customer sites (according to a Comcast technician). Customers are supposed to use the newer “better” Technicolor cable modems.
Thing is, neither the mid-level or the gigabit models Comcast Technicolor cable modems can do port forwarding at all, making it impossible to run servers.
The approved Comcast Technicolor cable modems have (on paper) the port forwarding feature, but it doesn’t work, either for configuring it, or operationally.
I'm flummoxed—the only cable modem that works at all is the discontinued 5-year-old NetGear one. I cannot use non-Comcast modems, because servers require a static IP. And a static IP requires only a Comcast supplied cable modem.
I have tried and retried Comcast modems for over 3 years now. All fail to work properly for port forwarding, usually starting with outright failures for the most basic configuration. All have the same configuration bugs—yesterday I saw the same bugs I saw 3 years ago, and 2 years ago, and a year ago.
Hours wasted, no luck
The Comcast technician spent two hours at my place yesterday. All of what follows was witnessed firsthand by him.
We tried two of the mid-range Technicolor cable modems (for up to 300 Mbps). The first one was grotesquely flaky. We watched it take 10 minutes to boot (several times), 20-second delays for admin interface, and it would start dropping all packets regularly (LAN and WAN). Port forwarding functions were unusable, with even the simplest attempt to configure it failing—never got past configuration. A second sample of the same modem seemed better, but it could not be configured either.
Then we moved on to the high-end gigabit model. This one was twice as fast to boot up (still very slow at 4-5 minutes), but its admin interface was instantaneous. We were able to configure port forwarding. Not only that, but it actually functioned properly—hooray! I was satisfied after testing my servers, and the technician left.
Then just 45 minutes later, the modem crapped out, and port forwarding ceased functioning. Rebooting it did nothing useful. Attempts to configure it again were met with the same error messages as in the mid-grade Technicolor modems. It never worked for port forwarding again.
This port forwarding issue is NOT an "internal network issue". It is BROKEN MODEM FIRMARE. This point matters, because any attempt to raise it results in Comcast say that it is “an internal network issue, contact your IT department”. This is total bullshit; it is broken modem firmware.
I then spent 90 minutes in generic Comcast Support Hell, transferred multiple times and cut-off once after 25 minutes (start over!) and finally had to walk a trainee technician through the correct gateway and netmask settings. OMFG.
What port mapping should look like
A good modem should allow mapping the incoming port to an outgoing port. The aging Comcast/Netgear modem does that, as shown (eg port 22222 maps to port 22 in this example).
The brain-dead Comcast/Technicolor modems can only send port X to port X—pure forwarding with no port mapping (X to Y). This is both a security problem (privileged ports) and a server configuration headache (no means to use the different incoming ports to the same ports on multiple internal servers). For example, the ability to ssh to two different internal servers:
100.100.100.100:2001 to 10.0.0.5:22 # cannot be done on Comcast Technicolor modems
100.100.100.100:2002 to 10.0.0.6:22 # cannot be done on Comcast Technicolor modems
Once and only once by pure luck, we were able to configured the Comcast/Technicolor gigabit model for port forwarding (no such luck with two of the 300 megabit models). It worked correctly at first, then crapped out 45 minutes later and never worked again even after rebooting it. All subsequent attempts to edit or add configuration were met with errors like the examples that follow.
The Comcast Technicolor modems (either) are so broken that it is usually not even possible to configure port forwarding. Most of the time it just posts an error:
If you do get lucky enough to have configuration 'take' (this happened once and only once on the Comcast Technicolor gigabit modem), editing an entry will invariably fail.
Thanks to reader Jack B for some ideas, but they don’t apply to my situation (Comcast Business Class modems cannot use Bridge Mode). Namely, he is able to configure his Comcast modem into Bridge Mode, thus passing all traffic thru to his own Netgear router, which can do the NAT/DHCP/Port Forwarding. That is equivalent tow hat I might be able to do using the DMZ feature on the Comcast modem I have available to me.
Here is a good summary of securing networks with firewalls/NAT.
In my situation, Port Forwarding is non-functional on all the Comcast-supplied routers, as discussed above. And to run servers, a static IP is necessary and that means only Comcast-supplied mode/router can be used. Furthermore, Bridge Mode for the Comcast router/modem is not an option.
With Port Forwarding non-functional and Bridge Mode not an option, as far as I can tell my only option is to make use of a DMZ router/firewall, essentially having the Comcast modem/router forward all traffic to that DMZ IP address, a Netgear router/firewall, which itself will do the Port Forwarding to machines on the local LAN, and with both NAT and DHCP for everything on the local LAN*.
* I’m not going to worry about putting the servers on yet another subnet behind yet another firewall, because I have other locked-down security measures in place and have seen no security breaches in 15 years (ever).