how securely separated is the "xfinitywifi" from the private WiFi/LAN on the Cisco DPC3939B

Hey train_wreck,

If I could find access to the DPC3939B (DPC) motherboard schematics, firmware code, etc.,  I would be able to answer your question with more technical credibility. However, I do know about it's wireless security configuration parameters that may provide some useful imformation to your questions.

You can control who can literally access your DPC wireless 2.4 & 5.0 facilities by using the internal channel and/or MAC Address filtering capabilities. This is more of a intra-trust network security, if you will, but certainly can control who you allow to access any DPC WIFI  capability.

It is my understanding that the DPC DHCP Server MUST be enabled for your private or public WIFI to be operational. This suggests that there would be some DHCP subnet user commonality. However, it is my understanding that static IP network addressing is on its own subnet and the DHCP subnet should never be able to cross paths without some VERY sophisticated internal inter-networking configuration. If you have your staticIP and DHCP both configured and enabled, the standard port-forwarding, triggering, etc. could be used to enable internally configured device application ports to be opened for remote access, as you know.

Hope this somewhat helps you out.    

yes thanks, i went ahead and upgraded to the DPC. For all intents and purposes, the hotspot seems completely isolated; though you were correct about needing DHCP enabled, clients on the hotspot network are designated local addresses within 192.168.0.0/24, and emerge on the internet via a 50.x.x.x public address that geo-locates to around Massachusettes. I can find no point at which the gateway, private LAN, or static subnet is revealed to hotspot clients.

Thanks for the info again.