ctgreybeard
Old dogs can learn new tricks
Premium Member
join:2001-11-13
Bethel, CT

[Connectivity] Comcast blocking 80/443? [SOLVED]

I have a couple of systems on my local net that I access remotely. They have been accessible for years and, suddenly, I can't get to them. Is Comcast now blocking 80/443?

I haven't tried any alternate ports yet but that is next.

mediaguy
Politically Incorrect
Premium Member
join:2014-01-22
Guitar Town

Re: [Connectivity] Comcast blocking 80/443?

If they were blocking port 80 you wouldn't be able to get to a single web-site...
not even this one. Did your IP address change by chance?

ctgreybeard
Old dogs can learn new tricks
Premium Member
join:2001-11-13
Bethel, CT

I mean inbound connections, not outbound, sorry. I am trying to reach my servers from outside my network. I have always been able to do this except in the past few days. I can't pinpoint exactly when it started but it was no more than two weeks ago that I was OK.

mediaguy
Politically Incorrect
Premium Member
join:2014-01-22
Guitar Town
Netgear CM500
TP-Link Archer A7

mediaguy to ctgreybeard
What I meant was Comcast (or any ISP) is not going to block the default ports for the http and https protocols, in either direction. It would "break the internet" - at least as far as websites go. What software are you using to connect to your servers remotely, and are they Linux servers or Windows servers? And do you connect by IP address or some other method?
voiptalk
join:2010-04-10
Gainesville, VA
MikroTik RB750G
Cisco DPC3941

said by mediaguy:

What I meant was Comcast (or any ISP) is not going to block the default ports for the http and https protocols, in either direction. It would "break the internet" - at least as far as websites go.

When you connect to a website, the destination port is typically 80 or 443 (http, https). But, the source port is a random high port.

So, an ISP could block 80/443 inbound to a residential customer to prevent them from running a dreaded server/website and everything else (general web connectivity) will work just fine.

Anon382ea
@24.113.79.x

Pretty sure if this happened there would be more than one person posting about it... just sayin.

ctgreybeard
Old dogs can learn new tricks
Premium Member
join:2001-11-13
Bethel, CT

ctgreybeard to mediaguy
All of the incoming connections are by either HTTP (80) or HTTPS (443). I serve a web page with little on it and an audio streaming server (sourced off my radio scanner). Those are the two that are important to me. The internal connection is to an HAPROXY server which performs the reverse proxy to redirect to the appropriate data server. A connection from inside my network to the HAPROXY server works flawlessly and an external connection to that server used to work flawlessly until recently. I tried a curl request from an external system I have access to and the connection on port 80 or 443 times out. I have verified on the router that the ports are properly forwarded.

Tomorrow I will try setting the modem to redirect a different pair of ports (above 1024) to the HAPROXY server to see if that will get through.

I suppose that the router could be lying to me too. That isn't unthinkable, so a router reboot is in order too.

I posted here to see if anyone else has experienced a sudden loss of connectivity, which doesn't seem to be the case. I didn't know if Comcast/Xfinity had had a policy shift that would cause them to block the ports. I do know that the TOS does not allow running "servers" on a non-business connection but these hardly qualify as "servers" as there is only one user, me.

ctgreybeard to Anon382ea

Yup. I'll keep digging.

DocDrew
RF Medic
Premium Member
join:2009-01-28
dv streaming

DocDrew to ctgreybeard
You've rebooted everything right?

lacibaci
join:2000-04-10
Export, PA

lacibaci to ctgreybeard
Unless your connection is business, Comcast can block whatever they want. I thought they explicitly banned running servers on a residential account.

Demonfang
join:2011-04-21
Spring Mills, PA

Demonfang to ctgreybeard

Per the Comcast TOS (and that of many other ISPs), running a webserver on residential service is forbidden, so the appropriate ports are blocked, and your machines got caught up in it. If you are running a website on these machines, don't do that, or upgrade to business internet. If this is remote access, choose a different port (this is recommended regardless).

ctgreybeard
Old dogs can learn new tricks
Premium Member
join:2001-11-13
Bethel, CT

Your assumption that the "appropriate ports are blocked" is incorrect. It is true that the TOS disallows "servers" but Comcast, in its history, has not blocked either port 80 or 443 incoming. They MAY have started doing so and are quite allowed to do so but this would be a recent change and would surprise me if they did.

My purpose for this post was NOT to complain about any blocking but to inquire as to whether Comcast has actually implemented a block. I know full well how to get around said block.

So far all I have received are platitudes regarding whether my "servers" violate any TOS or not. I did not ask that question, I know the answer. If you have some information on any policy implementation that is new on Comcast's part I would love to hear it.

ropeguru
Premium Member
join:2001-01-25
Mechanicsville, VA

ropeguru to Demonfang

My little web server runs just fine on a residential account. Always has.

So the ports are NOT blocked by default.

ropeguru to ctgreybeard

Do you have access to an external Linux server? You could start with a tcptraceroute to first make sure the request is making it to your router.

What OS is your internal web server running on? Maybe load Wireshark on that server to see if the request is even making it to the server.
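The curl-from-outside test the OP ran and ropeguru's "is the request even reaching the router?" question both reduce to reading the outcome of a plain TCP connect. This added example (not code from the thread; it assumes you are probing your own public address from an external vantage point, and it uses a constructed loopback listener so it runs offline) classifies 80, 443 and a spare high port the same way:

```python
import errno
import socket
import threading

# Added example, not from the thread. What a TCP connect attempt tells you:
#   "open"         SYN/ACK came back: the forward and the service both work
#   "refused"      RST came back: packets reach a host, but nothing listens there
#   "filtered"     nothing came back: a dropped NAT rule, a firewall or an
#                  upstream ISP filter is silently discarding the SYN
#   "unreachable"  routing failure on the way out, not a port problem


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a single TCP port on host from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise


def probe_ports(host: str, ports, timeout: float = 3.0) -> dict:
    """Probe 80, 443 and a spare high port in one go, as the OP set out to do."""
    return {p: probe_port(host, p, timeout) for p in ports}


def _free_port() -> int:
    """Constructed helper: a loopback port with nothing listening on it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def _demo_listener():
    """Constructed listener so the example runs offline; returns (socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=srv.accept, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = _demo_listener()
    print(probe_ports("127.0.0.1", [port, _free_port()]))
    srv.close()
```

A "filtered" result on 80/443 next to "open" on the spare high port points at the port-specific path (a forward rule or a filter); "filtered" on every port, including the high one, points at the router or the link itself, which is what the reboot in this thread fixed.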

ctgreybeard
Old dogs can learn new tricks
Premium Member
join:2001-11-13
Bethel, CT

Re: [SOLVED] Comcast blocking 80/443?

After a router reset the ports are now working again. This is the first time that the router has done that and I haven't updated the firmware in a few months. I also opened a different, high, port to test against in future.

ctgreybeard to ropeguru


Re: [Connectivity] Comcast blocking 80/443?

Thanks, you are the first person to give me the kind of answer I was looking for!

F100
join:2013-01-15
Durham, NC
Alcatel-Lucent G-010G-A
(Software) pfSense
Pace 5268AC

F100 to ctgreybeard

Re: [SOLVED] Comcast blocking 80/443?

Just curious what router platform you are using? Weird that it dropped the port forwarding/NAT rules. There might be a firmware update for that.

I had TWC before they merged with Charter. I have AT&T fiber now. Ports 80 and 443 are open on both inbound. 25 was on TWC. Not sure about AT&T.

And I'm with you. TOS preventing servers are so outdated. The term "server" no longer applies like it used to and could be (should be) redefined. Even in the legal sense. All kinds of devices and applications have "servers" on them to set them up and configure them. VOIP adaptors and phones, routers, printers, security cameras, NAS boxes, and much more. You are still connecting to them like a server, just not sharing them with the whole world wide web.

Who is an ISP to say you can't connect to your stuff from the outside where there is nothing inherently illegal or damaging about it for personal, residential use. You are paying for internet service both ways. The phone service they sell allows folks to call in just the same as calling out.

It is probably more appropriate to limit residential service by number of connections or something that would distinguish it from high volume business use. If you have a ton of inbound connections, then it's probably business use. Google and Microsoft do something like this with free email accounts. Heavy use gets you flagged for business use.

Whatever the method, it needs to be clearly defined what you get with your service and what's blocked. If anything is blocked, it should say clearly so you can compare providers.

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

said by F100:

Whatever the method, it needs to be clearly defined what you get with your service and what's blocked. If anything is blocked, it should say clearly so you can compare providers.

Comcast, the ISP of the OP provides a list of blocked ports:

»www.xfinity.com/support/ ··· ed-ports

mediaguy
Politically Incorrect
Premium Member
join:2014-01-22
Guitar Town

A big thanks for that list link - good to have on file.

F100
join:2013-01-15
Durham, NC

F100 to graysonf

Maybe we should lobby to have said info on the service purchase sheet, like we do with pharmacy meds, car build sheets, and numerous other products.

DocDrew
RF Medic
Premium Member
join:2009-01-28
dv streaming
Ubee E31U2V1
Technicolor TC4400
ARRIS TG1672

said by F100:

Maybe we should lobby to have said info on the service purchase sheet, like we do with pharmacy meds, car build sheets, and numerous other products.

Yay! More regulations to publish things the vast majority won't read...mostly because they have no clue what it means.
wierdo
join:2001-02-16
Miami, FL

said by DocDrew:

said by F100:

Maybe we should lobby to have said info on the service purchase sheet, like we do with pharmacy meds, car build sheets, and numerous other products.

Yay! More regulations to publish things the vast majority won't read...mostly because they have no clue what it means.

One price of a functional free market is disclosure of what, precisely, it is that your money is buying. That you personally, or even most people, choose not to read the full terms does not negate that need. If anything it emphasizes the need for stronger regulation of claims made in advertising copy and more vigorous enforcement of those already on the books.

wierdo to graysonf

said by graysonf:

said by F100:

Whatever the method, it needs to be clearly defined what you get with your service and what's blocked. If anything is blocked, it should say clearly so you can compare providers.

Comcast, the ISP of the OP provides a list of blocked ports:

»www.xfinity.com/support/ ··· ed-ports

Hm, I could swear SNMP hadn't been on their block list in the past. That one is really annoying.

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

SNMP has been on the list as long as I can remember.

DocDrew
RF Medic
Premium Member
join:2009-01-28
dv streaming
Ubee E31U2V1
Technicolor TC4400
ARRIS TG1672

DocDrew to wierdo
said by wierdo:

Hm, I could swear SNMP hadn't been on their block list in the past. That one is really annoying.

SNMP has been blocked for almost 2 decades by just about every cable provider. It allowed way too much info to be grabbed from cable modems and their monitoring systems.
wierdo
join:2001-02-16
Miami, FL

said by DocDrew:

said by wierdo:

Hm, I could swear SNMP hadn't been on their block list in the past. That one is really annoying.

SNMP has been blocked for almost 2 decades by just about every cable provider. It allowed way too much info to be grabbed from cable modems and their monitoring systems.

Yeah, they have blocked it to their own equipment since time immemorial. I've only used Comcast for the past few years and probably just didn't notice, but neither AT&T nor Cox blocked outbound SNMP requests from or inbound replies to the user's network (as opposed to the modem) when I was using them previously. In the days before cheap VPSes, it would have been a big deal to me.

Not that the justification of allowing users to see too much information makes a lick of sense. It's not like reasonable SNMP implementations have no means to filter which OIDs are returned based on the supplied community string, network interface, or other criteria. It would be pretty damn handy if signal stats, byte counters, and the other stuff available on the modem's web interface were available over SNMP, actually. Heaven forbid we actually get to use our own equipment as we please.
mstanka
join:2010-09-01
Hermitage, TN

mstanka to ctgreybeard

Re: [Connectivity] Comcast blocking 80/443?

.

F100
join:2013-01-15
Durham, NC
Alcatel-Lucent G-010G-A
(Software) pfSense
Pace 5268AC

He has an appliance that he connects to at home...now your TOS is fixed since I didn't call it a "server". No biz account needed for personal use.

Point is, the word "server" on TOS is arbitrary. Just about everything is a "server" these days.
madbavarian2
join:2018-07-12
Fremont, CA

said by F100:

Point is, the word "server" on TOS is arbitrary. Just about everything is a "server" these days.

Any security camera you can connect to directly without involving a third party web site (usually with a monthly subscription fee) is technically a "server". Stopping people from connecting to their own equipment like that is going to be very unpopular and won't really buy Comcast anything in terms of bandwidth. It will actually use more bandwidth if the user's equipment needs to upload everything instead of just the videos that the user actually looks at from an outside connection.

Ditto for Comcast blocking port 25/tcp incoming. I used to have Google forward all my mail to an SMTP listener. Comcast blocked that so now I poll Google a dozen times an hour to check on mail. The net result, much more network traffic (and a much longer delay to notice that I have mail.) It isn't really saving them anything.

ctgreybeard
Old dogs can learn new tricks
Premium Member
join:2001-11-13
Bethel, CT

ctgreybeard to F100

Re: [SOLVED] Comcast blocking 80/443?

Just got back to this ... I have an ASUS RT-AC1900 with up-to-date firmware (back only 1 version) and I've never had this happen before. ASUS does have some problem with memory leakage I think but it's mostly under control at this point I believe. And the issue hasn't recurred since it corrected itself.