MT6000/Flint2 Setting Up Port Forwarding on Xfinity

I'm trying to set up port forwarding. I'm unsure if the port forwarding from the internet is being blocked by the ISP (Xfinity) or if I have misconfigured settings in the Flint2 Router.

Diagram:

Computer on Internet --> Xfinity --> Cable modem (Arris SurfBoard Model: S33) --> Router Flint2 (Firmware v4.6.8)--> Computer on my network hosting an Apache webserver on port 80.

Port Forwarding docs from GL.iNet:

Settings:
Xfinity settings:
Unknown - there doesn't seem to be a way to set up port forwarding if you do not have one of their cable modems. Tech support has been unhelpful.

Xfinity port forward directions:

  1. xFi Users (xFi Gateway) Using Xfinity app <-- suggested to click WiFi in app and go to "Advanced Settings". The only options are Troubleshoot and WiFi Hotspots if you are not using their equipment.

  2. Non-xFi Xfinity Gateway User (Xfinity Gateway): <-- suggest to use Admin Tool if you have an Xfinity Gateway. The URL http://10.0.0.1/ times out if you do not.

Note: According to Xfinity documents, port 80 is not a blocked port:

Arris SurfBoard Model: S33 Settings:
There are no port forwarding settings since this is strictly a cable modem

Flint2 Settings:
Log in Admin Panel
Network/Port Forwarding/Add New Port Forwarding Rules
Protocol: TCP/UDP
External Zone: WAN
Internal Zone: LAN
Internal IP: 192.168.8.171 <-- USB WiFi IP of computer on my network, connected to Flint2
Internal Port: 80
Description: Apache Server on port 80

To open ports on the WAN I believe I also have to open up a TCP/UDP port 80 here:
System/Security/Open Ports on Router
Protocol: TCP/UDP
Port: 80
Description: Apache Server

I did notice that I cannot ping the router unless
System/Security/Remote Access Control
Allow Ping from WAN <-- slider is on, it is currently in the off position.

Testing:
From the internet I am getting a time out message when I enter the Public IP of my network. So the outside computer is not connecting to my network.
I typed in "What's my IP" into a search engine to find out what my Public IP is.

When I connect a computer to the Flint2 (home network), I am able to enter in the Public IP and connect to my webserver's index page.

Using a port forward testing tool and entering in my Public IP I receive the message that "Port 80 is closed on XX.XXX.XX.XX".

Conclusions:
Port 80 is being blocked either by the ISP (Xfinity) or a setting in the GL-MT6000/Flint2?

I hope this is clear and thank you for the help!

Hi,

Please run some tests:

  1. In the LAN of the Flint 2, can the phone/PC access the Apache 80 web page? This is to ensure that the Apache 80 is available.
  2. The cable modem is only acting as a modem bridge, right? Is the PPPoE dial-in on the Flint 2, and is the public IP on the Flint 2 WAN? Or what device has the public IP?
  3. If port 80 shows as closed, it means that the device which has the public IP has not opened port 80; please check the firewall rule again.

Tried to answer this on my phone first, that didn't work well.

Hi bruce:

  1. Within the LAN a computer is able to access the Apache 80 web page both by using a direct IP to the computer with Apache on it and by using the public IP address. However, a computer outside of the LAN cannot access the Apache 80 web page.
  2. Correct, the cable modem is only a modem bridge. The PPPoE tab in the Flint2 is not being used and is blank. Under Internet Connection/Ethernet, DHCP is the only one of the 3 tabs that has any entries on it. I do not see the public IP address listed in the Flint 2 router settings anywhere. I believe that the public IP is sent to the cable modem from the Xfinity internet connection (ISP). All the devices on the LAN come back with the same public IP, that is, the public IP address sent to the cable modem. I am able to find the public IP by going to the internet and typing "what's my IP" in a search engine. I believe this is a dynamic address that can change, but it hasn't changed in at least a week while I've been testing.
  3. There is no longer a Network/Firewall option in the v4.6 router software. The Port Forwarding and DMZ features have been moved under Port Forwarding. The Open Ports feature has been moved to Security. I did find some Port Forwarding options under System/Advanced Settings in the LuCI link.

Since the public IP is in the Xfinity ISP modem, as you said, the MT6000 and the modem both require port forwarding to be enabled. The modem is not the 'modem bridge'; the public IP is in the WAN of the modem.

The network path from outside of the LAN is
Apache 80 -> MT6000 80 -> Modem 80 -> Internet -> Phone/PC
So open the port forwarding not only in the MT6000, but also in the modem.

Port forwarding also in the Network

1 Like

I'm also struggling to open a single port in a similar setup, so ALL devices on LAN can get access through that one port. There was a simple setting in the GUI for this but now I don't see it.

Please elaborate what you mean by "ALL devices" - single port = single device.

Any device connected to the router on the LAN side via cable or via WiFi. The only way I can get it to work now is to create a rule using each device's IP address.

I had it working before but I can't remember how I got it working.

This is impossible.

Port forwarding is always a 1:1 connection, so you need to create a rule for each device.

If I'm running a torrenting app on the router itself and I want to open port 51544 for the torrenting app, how do I do that?

See Open Ports on Router

1 Like

/facepalm

It's under security! Of all the places in the settings, it had to be under security?
That's what I was looking for. Thank you!

Hi bruce:

Let me clarify, I am not using any Xfinity ISP modem or equipment inside my house. Rather, the Xfinity internet comes into my house via my personal ARRIS S33 cable modem, then goes to my MT6000 by way of an Ethernet cable.

I can't find any IP addresses listed in the ARRIS S33 DOCSIS 3.1 Cable Modem settings. You are correct, it doesn't look like cable modems have or need a bridge mode. It looks like cable modems are simply "pass through devices". There is not a way to enable port forwarding on a cable modem that does not have a router built into it. I downloaded the ARRIS app as well to see if there were any additional settings and there are not any.

I did find the outside IP address listed in the MT6000/Flint2 it was under Internet/Ethernet 1! As you stated above "the public IP is in the WAN of the modem."

Port Forwarding: In the LAN I have the IP of the WiFi card that is being used with the Apache server entered here. These settings are found under Network/Port Forwarding. This is not the same IP as my public IP. When I tried to change my WAN 80 to the public IP 73.192.XXX.XX I received a message that stated the port range is from 1-65535. Where are you getting the 31011 from in your example?

Under System/Security/Open Ports On Router I have listed Port 80 as well.

You don't need to open ports for the modem, it's wide open already.

Thanks Denisimo, that's good because there doesn't seem to be a way to open ports in a cable modem anyway!

Please keep in mind that cable is mostly CGNAT which makes it impossible to use ports from outside.

31011 means the OUTSIDE port, like in the outside, access [WAN IP]:31011 = access the internal service 192.168.10.165:80.
If it is CGNAT, these cannot be accessed from the outside.

Hi bruce:

Thank you for the link. It looks like I do have a public IP address. The IP Address (under Internet/Ethernet 1) matches the "what is my ip" search results.

An interesting thing happened when I changed my Network/Port Forwarding WAN from 80 to 31011. Next, I entered my public IP 73.192.XXX.XX from a computer outside my network. I'm now taken to the Admin page of the MT6000 router. So I am able to access my router settings from outside my network using my public IP address! Is there a way to bypass the MT6000 Admin login page and get port forwarding to work now from a computer outside my network?

I also tried turning on the DMZ option and the public IP address just times out and I can not access my Admin router settings page.

I found a link on another site that shows how to check Windows 10/11 for CGNAT just to confirm. No CGNAT, yay!
https://winbuzzer.com/2020/05/29/windows-10-how-to-tell-if-your-isp-uses-carrier-grade-nat-cg-nat-xcxwbt/

Xfinity ISP in my area doesn't look like it is using CGNAT (Carrier Grade NAT).

1 Like
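The CGNAT check discussed in the posts above (compare the address on the router's WAN page with the "what is my IP" result), written out as an added example that is not part of the thread. The function name, the verdict labels and the sample addresses are assumptions; the samples are constructed from documentation ranges.

```python
import ipaddress

# Shared address space reserved for carrier-grade NAT (RFC 6598).
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# Private ranges (RFC 1918): another NAT device sits in front of the router.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADVICE = {
    "direct": "Router holds the public IP; a forward rule on it is sufficient.",
    "cgnat": "ISP uses CGNAT; inbound forwards cannot work on this address.",
    "double-nat": "Upstream device does NAT; forward there too or bridge it.",
    "upstream-nat": "WAN looks public but differs from what the internet sees.",
    "invalid": "Not a complete IPv4 address (redacted or mistyped?).",
}


def classify_wan(router_wan_ip, observed_public_ip):
    """Compare the router's WAN address with the address seen from outside."""
    try:
        wan = ipaddress.IPv4Address(router_wan_ip)
        seen = ipaddress.IPv4Address(observed_public_ip)
    except ValueError:
        return "invalid"
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "double-nat"
    if wan != seen:
        return "upstream-nat"
    return "direct"


if __name__ == "__main__":
    # Constructed samples (documentation ranges), not addresses from the thread.
    samples = [
        ("203.0.113.10", "203.0.113.10"),
        ("100.72.5.9", "203.0.113.10"),
        ("192.168.100.2", "203.0.113.10"),
        ("203.0.113.10", "198.51.100.7"),
    ]
    for wan, seen in samples:
        verdict = classify_wan(wan, seen)
        print(f"WAN {wan:15} seen {seen:15} -> {verdict}: {ADVICE[verdict]}")
```

A "direct" verdict only rules out NAT in front of the router; it says nothing about whether the ISP filters a given inbound port.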

I changed my Network/Port Forwarding WAN back from 31011 to 80. When I'm on my internal network (LAN) the Port Forwarding works as it should using either the public IP or the direct IP for the Apache server.

To get the WAN 31011 to work on the LAN the IP must be entered as follows since 31011 is not a default port. Example: 73.192.XXX.XX:31011/. If you just use 73.192.XXX.XX you get the router login Admin Panel page.

I'm starting to believe the issue lies in the Security/Open Ports On Router setting. Is Open Ports on Router really opening a port up on the WAN? When using the public IP from outside the network I keep receiving "The connection has timed out" when WAN is set to port 80. When WAN is set to port 31011 I get the router's login Admin Panel. It seems that the computer outside the LAN network is getting blocked when the WAN port is set to 80.
I've tried:
73.192.XXX.XX
73.192.XXX.XX:80/
73.192.XXX.XX:31011/

Could there be some kind of port conflict happening on port 80? Are there any other settings that are needed to allow the outside computer to pass through?

Port Forwarding

Open Ports on Router

Test:
Used CanYouSeeMe

Received:
Error: I could not see your service on 73.192.XXX.XX on port (80)
Reason: Connection timed out

This isn't a valid test. Port forwarding can only be tested from outside your local network.

Afaik Xfinity blocks port 80, so no way you can use it.

Port forwarding and "Open ports on router" are mutually exclusive. You only need port forwarding.

Please double check that your ISP allows you to open any port you want.