XFinity – Port Forwarding – Need app for security settings

App for security settings

Port 25 is blocked – which I guess isn’t a good sign

What is xFi Advanced Security?
xFi Advanced Security gives added peace of mind for your home network by preventing you from inadvertently visiting malicious sites or downloading dangerous files, as well as blocking remote access to smart devices from known dangerous sources. Advanced Security monitors devices in real time and will alert you when devices are behaving in unusual ways that could indicate a network threat. It will also adapt to your home network and get smarter over time to keep up with new threats.

How do I access Advanced Security features in xFi?
Advanced Security is available to Xfinity Internet subscribers who rent one of the following compatible xFi Gateways (Arris TG1682G, Cisco DPC3941T, Arris TG3482G, Technicolor CGM4140COM, Technicolor CGM4331COM, Commscope TG4482A or Arris X5001).

If you haven’t already, download the Xfinity app or visit the xFi website. Once you log in, you can turn on and access Advanced Security features (security status and threat details) from the Overview and Connect sections. To learn more, see how to get started with xFi.

(Please note that Advanced Security will not be available if your Gateway is in bridge mode or if you have a Cisco DPC3939 model.)

Set Up Port Forwarding Using Xfinity xFi

This article explains how to set up port forwarding using the Xfinity xFi site and the app for mobile devices.

See Xfinity xFi Overview for additional information about getting started with xFi.

How Does Port Forwarding Work?

Similar to a wall in your home, your Wireless Gateway keeps out potentially harmful risks from the Internet, while opening doors or "ports" for safe Internet traffic.

Some applications require a designated port in order to work properly, and that's where port forwarding comes in handy. Port forwarding is also commonly used for:

  • Video games
  • Some email applications like POP3
  • Instant messaging
  • Video conferencing
  • Peer-to-peer file sharing
  • Remote computer access
  • Phone service that leverages voice over IP technology

Note: Customers with xFi Gateways can only set up and adjust Port Forwarding settings using the Xfinity app or xFi website. Customers with Xfinity Gateways that are not xFi Gateways can continue to set up and adjust Port Forwarding settings through the Gateway's Admin Tool. For more information on setting up Port Forwarding using the Gateway’s Admin Tool, please see Set Up Port Forwarding on Your Xfinity Gateway.

How to Add a Port Forward

  1. Visit the xFi website or open the Xfinity app and sign in with your Xfinity ID and password.

  2. Select Connect

  3. Select See Network

  4. Select Advanced Settings under More.

  5. Select Port Forwarding from the menu.

  6. Select Add Port Forward.

  7. Choose the household device for the port forward you are setting up from the drop-down list of connected devices.

    Note: If you don't see the device listed, it may be because the device is not connected to your home network, it’s using an IPv6 address, or has a static IP set in the Gateway Admin Page.

  8. Choose from the list of common applications to use a recommended, preset configuration (e.g., Xbox or PlayStation) or select Manual Setup to enter specific port numbers, ranges and/or protocols.

    Note: If you are unsure what port settings to choose, reference the device manual or the application you are trying to use. Opening unnecessary ports is not recommended, as it poses a security risk.

  9. Select Apply Changes to complete the setup of the port forward.

  10. The device you set up for this port forward can now use these settings.

xFi Port Forwarding & IPv6

At this time, xFi only supports port forwards for devices with an IPv4 address. If the device is connected to your network but not showing as an available device in the dropdown, it could be because it’s using an IPv6 address. For dual-stack devices (those with both an IPv4 and an IPv6 address), check with the device manufacturer on how to disable IPv6 or set IPv4 as "Preferred".

xFi Port Forwarding & Static IPs

With xFi, you no longer need to set a static IP for devices you wish to port forward. xFi port forwarding relies on the devices getting an IP address from DHCP. When adding a port forward, xFi will use the IP address from DHCP to set the static MAC bind and establish the port forward rule. If you are unable to set a port forward for a device that is using a static IP, remove the static IP in the Gateway Admin Tool and then try again.

xFi Port Forwarding & MAC Randomization Features

If you enable a MAC randomization feature on a device that you have established port forward rules for in xFi, it's possible those rules will break when the device's MAC address changes. If this happens, you’ll need to log into xFi to delete the old rule and then recreate the rule for the active device entry in the list.

Advanced Security and Port Forwarding

If Advanced Security detects a known threat targeting a device that has Port Forwarding or DMZ settings enabled, or ports opened through UPnP, it will block all traffic coming in through that device's open ports as a protective measure until the threat is averted. If you are unable to access a device from outside your home network, you have two options:

  • Allow Access – Go to the Connect section in the Xfinity app or xFi website, select Advanced Security and then select the device you want to provide access to. Follow the instructions to Allow Access. We recommend that you only use Allow Access when you are confident about who is accessing the device from outside the home network. Note that the Allow Access feature will only permit access to the specific device you choose on the specified port using a specific source IP address for 30 days from the time you enable it.
  • Disable Advanced Security: Alternatively, you can choose to disable the Advanced Security feature. We do not recommend that you disable Advanced Security, as this removes Advanced Security's protections from all of your devices. If you need access to a specific device, we recommend you keep Advanced Security turned on and follow the steps above to Allow Access on a device-by-device basis.

Advanced Security and UPnP Settings

Your xFi Gateway defaults to UPnP enabled, allowing it to discover all UPnP-enabled client devices, such as network printers, laptops, and streaming devices. UPnP automatically opens and closes ports to support these devices, and that may expose your network to risks similar to those of enabling Port Forwarding or DMZ settings. You can disable UPnP device discovery through your Gateway’s Admin Tool > Advanced > Device Discovery, but that may impact the functionality of your UPnP devices.

Blocked Internet Ports List

Find out which ports are blocked by Xfinity and Comcast services, and why.

Ports on the internet are like virtual passageways where data can travel. All information on the internet passes through ports to get to and from computers and servers. When a certain port is known to cause vulnerability to the security and privacy of your information, Xfinity blocks it to protect you.

Find the Reasons for Blocking Listed Below

| Port | Transport | Protocol | Direction (Downstream/Upstream to CPE) | Reason for Block | IP Version |
|---|---|---|---|---|---|
| 0 | TCP | N/A | Downstream | Port 0 is a reserved port, which means it should not be used by applications. Network abuse has prompted the need to block this port. | IPv4/IPv6 |
| 25 | TCP | SMTP | Both | Port 25 is unsecured, and Botnet spammers can use it to send spam. This does not affect Xfinity Connect usage. We recommend learning more about configuring your email settings to Comcast email to use port 587. | IPv4/IPv6 |
| 67 | UDP | BOOTP, DHCP | Downstream | UDP Port 67, which is used to obtain dynamic Internet Protocol (IP) address information from our dynamic host configuration protocol (DHCP) server, is vulnerable to malicious hacks. | IPv4 |
| 135-139 | TCP/UDP | NetBIOS | Both | NetBIOS services allow file sharing over networks. When improperly configured, ports 135-139 can expose critical system files or give full file system access (run, delete, copy) to any malicious intruder connected to the network. | IPv4/IPv6 |
| 161 | UDP | SNMP | Both | SNMP is vulnerable to reflected amplification distributed denial of service (DDoS) attacks. | IPv4/IPv6 |
| 445 | TCP | MS-DS, SMB | Both | Port 445 is vulnerable to attacks, exploits and malware such as the Sasser and Nimda worms. | IPv4/IPv6 |
| 520 | UDP | RIP | Both | Port 520 is vulnerable to malicious route updates, which provides several attack possibilities. | IPv4 |
| 547 | UDP | DHCPv6 | Downstream | UDP Port 547, which is used to obtain dynamic Internet Protocol (IP) address information from our dynamic host configuration protocol (DHCP) server, is vulnerable to malicious hacks. | IPv6 |
| 1080 | TCP | SOCKS | Downstream | Port 1080 is vulnerable to, among others, viruses, worms and DoS attacks. | IPv4/IPv6 |
| 1900 | UDP | SSDP | Both | Port 1900 is vulnerable to DoS attacks. | IPv4/IPv6 |
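
A way to check planned port forwards against the table above before entering them in xFi. This is an added example, not an Xfinity tool or code from the original page. The rule text format ("device proto ports"), the sample rules and the 100-port width threshold are assumptions made for illustration.

```python
# Blocked-ports table transcribed from this page:
# (first port, last port, transports, direction, IP versions)
BLOCKED = [
    (0, 0, {"TCP"}, "Downstream", {"IPv4", "IPv6"}),
    (25, 25, {"TCP"}, "Both", {"IPv4", "IPv6"}),
    (67, 67, {"UDP"}, "Downstream", {"IPv4"}),
    (135, 139, {"TCP", "UDP"}, "Both", {"IPv4", "IPv6"}),
    (161, 161, {"UDP"}, "Both", {"IPv4", "IPv6"}),
    (445, 445, {"TCP"}, "Both", {"IPv4", "IPv6"}),
    (520, 520, {"UDP"}, "Both", {"IPv4"}),
    (547, 547, {"UDP"}, "Downstream", {"IPv6"}),
    (1080, 1080, {"TCP"}, "Downstream", {"IPv4", "IPv6"}),
    (1900, 1900, {"UDP"}, "Both", {"IPv4", "IPv6"}),
]

def parse_rule(text):
    """Parse the assumed format 'device proto start[-end]', proto = tcp|udp|both."""
    device, proto, ports = text.split()
    first, _, last = ports.partition("-")
    lo, hi = int(first), int(last or first)
    protos = {"TCP", "UDP"} if proto.lower() == "both" else {proto.upper()}
    if not protos <= {"TCP", "UDP"} or not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad rule: {text!r}")
    return device, protos, lo, hi

def audit(rules, max_span=100):
    """Return (rule, finding) pairs: forwards on the blocked list or overly wide."""
    findings = []
    for text in rules:
        _, protos, lo, hi = parse_rule(text)
        for b_lo, b_hi, b_protos, direction, versions in BLOCKED:
            # xFi forwards are inbound and IPv4-only, so IPv6-only rows do not apply.
            if "IPv4" not in versions or direction not in ("Downstream", "Both"):
                continue
            hit = protos & b_protos
            if hit and lo <= b_hi and b_lo <= hi:  # port ranges overlap
                span = str(b_lo) if b_lo == b_hi else f"{b_lo}-{b_hi}"
                findings.append((text, f"on Xfinity blocked list: {'/'.join(sorted(hit))} {span}"))
        if hi - lo + 1 > max_span:  # assumed threshold for "unnecessary ports"
            findings.append((text, f"wide range: {hi - lo + 1} ports exposed"))
    return findings

# Constructed sample rules, not taken from any real gateway.
RULES = ["xbox udp 3074", "nas tcp 445", "mailhost tcp 25",
         "camera both 130-140", "torrent tcp 6000-7000", "dhcp6 udp 547"]

if __name__ == "__main__":
    for rule, finding in audit(RULES):
        print(f"{rule:24} {finding}")
```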
