Skip to content
J

New Contributor

 • 

2 Messages

Sun, Aug 8, 2021 10:32 PM

IPv6 Firewall on CGA4131COM Seems To Do Nothing!

I just discovered that the IPv6 firewall on my CGA4131COM seems to allow traffic regardless of the settings.

Set to the default of:

  •  

    LAN-to-WAN: Allow all.

    WAN-to-LAN: Block all unrelated traffic and enable IDS.

My internal FTP server is exposed to the Internet, even without any additional rules allowing FTP traffic. I worked around this by adjusting the Windows firewall rules.

My web server continues to be exposed to the Internet even if I switch the firewall setting to Custom and select "Block HTTP".

I was clued into this behavior when I discovered an abnormality in my DNS server and I discovered that it was able to answer requests from the external Internet.

Of course, I'm going to put in a third-party firewall now to deal with this mess, but given that Comcast basically forces IPv6 connectivity through the modem, you'd think they'd at least make the security work.

I tried to call in on Friday about it and was escalated to Advanced Repair. Advanced Repair emailed me this morning and said everything was working properly from my modem and they were able to reach the internet (OBVIOUSLY THEY DIDN'T EVEN READ OR UNDERSTAND THE TICKET).

I tried to call back in, but was hung up when I tried to explain the difference between IPv4 and IPv6.

Official Employee

 • 

17 Messages

3 m ago

Hi there @jaredmcq I hate to hear about the issues you're having with getting a resolution IPv6 firewall issues, but I can definitely take a look into this further for you. Please send us a Live Chat with your first and last name as well as your service address so we can assist. 
 
To send a Live Chat, click the Peer to Peer chat icon at the top right of the page and enter Comcast Business in the "To" section of the chat.

New Contributor

 • 

2 Messages

3 m ago

I opened a chat and they were able to confirm what I was seeing -- making changes to the IPv6 firewall configuration makes no difference.  Even at the "Standard" setting, IPv6 is unfiltered.

I confirmed that even RDP on TCP 3389 is unfiltered, so the leading cause of network compromise right now is left publicly accessible on all systems immediately behind a Comcast Business Gateway in the Comcast default installation.

Comcast not only opens the door for hackers, they wedge it open by not even letting you turn off IPv6 in the gateway.

My ticket has been escalated again. Waiting the "up to 3 business days" to see what support says.

(edited)

Official Employee

 • 

18 Messages

I am glad it is being worked on and we definitely want to make sure of a solution. If you need further help, reach out.