With the Comcast IP gateway, you will be able to prevent unauthorized access to or from a private network and block Internet users from accessing private networks connected to the Internet, especially intranets or LANs.

The Comcast IP gateway incorporates a stateful packet inspection firewall. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

With the gateway you can also support network address translation (NAT), allowing several hosts to share one public IP address for Internet access.

Firewall options

You can disable portions of the gateway firewall by selecting one of the following options. Remember that disabling part of your firewall opens holes for possible threats. Only disable those options required by your network setup.

  1. Check Disable Firewall for True Static IP Subnet Only to disable all firewall functionality for devices assigned an IP from the static IP subnet.
  2. Check Disable Gateway Smart Packet Detection to disable the threat detection feature for all devices connected to the gateway.

Port configuration

Port configuration rules are used to block or redirect specific traffic passing through from one side of the Comcast Gateway to the other. Traffic is blocked or redirected based on the port numbers it uses. Port numbers are assigned to specific network or Internet services:

  • HTTP, or Web, traffic uses port 80 or 8080
  • HTTPS, or secure, traffic uses port 443
  • SMTP and POP, or e-mail, traffic use ports 25 and 110

Inbound rules (from the Internet to your LAN) manage access for outsiders to private resources, selectively allowing outside users to access specific resources on your private LAN (for example mail, Web, or FTP server).

Outbound rules (from computers or users on your LAN to the Internet) determine what outside resources local users can have access to and are covered in the port blocking section.

The three firewall rules that can be configured to parse inbound traffic are:

  • Port Forwarding (inbound)
  • Port Triggering (inbound)
  • True Static IP Port Management (inbound)

The following firewall rule can be configured to parse outbound traffic:

  • Port Blocking (outbound): Enables you to restrict specific local hosts from accessing particular Internet applications.

Port forwarding

By defining an inbound rule, port forwarding can open a window so that incoming traffic can be directed to your computer. The rule tells the gateway to direct inbound traffic for a particular service to one local device, based on the destination port number.

This feature is used primarily for devices on your local network that need to be reachable from the Internet. The Enable box must be checked to enforce a specific port forwarding rule.

Before implementing port forwarding, consider the following:

  • If the IP address of the local server PC is assigned by DHCP, it may change when the PC is restarted. To avoid this, you can assign a static, private IP address to your server by manually configuring the server’s IP settings.
    • Be sure that the assigned IP is outside the range of DHCP addresses set on the Comcast Gateway but in the same subnet as the rest of your LAN.
  • Local computers (devices on the same subnet) must access the local server using the computers’ local LAN address (10.1.10.x, by default) instead of the public IP used to access it from external connections. Attempts by local computers to access the server using the external WAN IP address will fail.
  • Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network.

To add a new port forwarding rule:

  1. Select Add new. The Port Forwarding add/edit screen will display.
  2. In the Application Name field, enter an application name to identify this rule.
  3. Enter the port number range in the Public port field. The assignable ports are between 1 and 65535. The numbers should match whatever is required for the applicable service being forwarded (for example, http traffic will use port 80 by default). Users on the Internet will use the public port to connect to the LAN device for which you are creating this forwarding rule.
  4. Enter the first port of the port range in the Private port field. The assignable ports are between 1 and 65535. The private port is the port on the LAN PC, where this rule will forward traffic. Typically this will match the public range, but may differ in some cases.
    • For example, e-mail traffic (SMTP and POP) typically uses ports 25 and 110, but the mail server on the LAN can be configured to listen for requests on alternative ports. In these cases, the public ports will be set to the ports that the traffic type uses by default, while the private port range will be set to match the needs of the server. The size of the private port range must match the size of the public port range and is automatically calculated for you.
  5. Select the appropriate protocol from the Protocol drop-down menu (TCP, UDP, or both).
  6. Enter the IP address of the device you want the traffic to be forwarded to in the IP Address field. If the destination device is connected to a router which connects to the Gateway, forward to the router IP, then create another forwarding rule in the router to the destination device. Select Connected Computers to locate the IP addresses of the devices connected to the Gateway.
  7. Select Apply. The new port forwarding rule will display in the port forwarding table.
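The considerations and the add/edit steps above can be checked mechanically before a rule is entered into the gateway. The following Python script is an added example, not part of the Comcast documentation or the gateway's own software. It assumes the manual's default 10.1.10.x LAN subnet and a constructed DHCP pool of 10.1.10.10 to 10.1.10.199, and models a port forwarding rule with the fields from the add/edit screen (application name, public port range, private start port, protocol, IP address).

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed LAN layout, assumed for this example: the gateway's default
# 10.1.10.x subnet from the manual with a hypothetical DHCP pool.
LAN_SUBNET = ipaddress.ip_network("10.1.10.0/24")
DHCP_POOL = (ipaddress.ip_address("10.1.10.10"), ipaddress.ip_address("10.1.10.199"))
PORT_MIN, PORT_MAX = 1, 65535


@dataclass
class PortForwardingRule:
    application_name: str
    public_start: int
    public_end: int
    private_start: int
    protocol: str          # "TCP", "UDP" or "BOTH"
    ip_address: str
    enabled: bool = True

    @property
    def private_end(self) -> int:
        # The gateway sizes the private range to match the public range.
        return self.private_start + (self.public_end - self.public_start)


def validate_rule(rule: PortForwardingRule) -> List[str]:
    """Return a list of problems; an empty list means the rule is acceptable."""
    problems = []
    if not rule.application_name.strip():
        problems.append("application name is required")
    if rule.protocol.upper() not in ("TCP", "UDP", "BOTH"):
        problems.append(f"unknown protocol {rule.protocol!r}")
    if not (PORT_MIN <= rule.public_start <= rule.public_end <= PORT_MAX):
        problems.append("public port range must lie within 1-65535 and start <= end")
    if not (PORT_MIN <= rule.private_start <= PORT_MAX) or rule.private_end > PORT_MAX:
        problems.append("private port range falls outside 1-65535")
    try:
        ip = ipaddress.ip_address(rule.ip_address)
    except ValueError:
        problems.append(f"invalid IP address {rule.ip_address!r}")
        return problems
    if ip not in LAN_SUBNET:
        problems.append(f"{ip} is not in the LAN subnet {LAN_SUBNET}")
    elif DHCP_POOL[0] <= ip <= DHCP_POOL[1]:
        # A DHCP-assigned address may change on restart and silently break the rule.
        problems.append(f"{ip} lies inside the DHCP pool and may change on restart; "
                        "assign a static private address outside the pool")
    elif ip in (LAN_SUBNET.network_address, LAN_SUBNET.broadcast_address):
        problems.append(f"{ip} is not a usable host address")
    return problems


def address_for_client(client_ip: str, server_lan_ip: str, public_ip: str) -> str:
    """Address a client should use to reach the forwarded server: devices on the
    LAN must use the private address, since the WAN address does not work from inside."""
    if ipaddress.ip_address(client_ip) in LAN_SUBNET:
        return server_lan_ip
    return public_ip


if __name__ == "__main__":
    # Constructed example: SMTP on the default public port, server listening on 2525.
    mail = PortForwardingRule("mail", 25, 25, 2525, "TCP", "10.1.10.250")
    print("mail rule problems:", validate_rule(mail) or "none")
    print("private range:", mail.private_start, "-", mail.private_end)
```

Run the script directly to see the constructed mail rule validated; the checks mirror the manual's cautions about DHCP-assigned addresses, subnet membership, and the 1 to 65535 port limits, and `address_for_client` encodes the note that LAN clients cannot reach the server through the WAN address.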

To edit an existing rule:

  1. Select the rule from the port forwarding rule table, and select edit. The Port Forwarding add/edit screen will display.
  2. Edit the rule as needed.
  3. Select Apply.

Static IP port management

Static IP port management allows you to restrict inbound traffic to computers within your local network by IP address and logical port number.

The Enable box must be checked to enforce a specific rule. The True Static IP Port Management rules table can be set up to either block all ports but allow exceptions, or to allow all ports to open but block exceptions.

You can also override the true static IP port management rules by checking the Disable all rules and allow inbound traffic through box.

To add a new static IP port management rule:

  1. Select Add new. The True Static IP Port Management add/edit screen will display.
  2. Enter an application name to identify this rule in the Application Name field.
  3. Enter the logical port range in the Port Range fields.
  4. Select the appropriate Protocol from the drop-down menu.
  5. Enter the true static IP address range in the True Static IP Range fields (select Connected Computers to view the IP addresses of the computers connected to your gateway).
  6. Select Apply. The new static IP port management rule will be added to the port management table.

To edit an existing rule:

  1. Select the rule from the True Static IP Port Management rule table, and select edit.
  2. Edit the rule as needed.
  3. Select Apply.

Web site blocking

The gateway provides a variety of options for blocking Internet-based content and communications services. With its content-filtering feature, the gateway can prevent objectionable content from reaching your PCs. You can set up to 10 rules.

Key content-filtering options include:

  • Blocking access from your LAN to Internet locations that contain key words that you specify.
  • Blocking access to Web sites that you specify as off-limits by URL.

Setting Up Web Site Blocking

You can block Web sites based on a keyword or a specific Web site address. For example:

  • If you enter “,” only that address is blocked; if you enter only “example,” then all Web addresses containing that word are blocked (e.g.,,,
  • If the key word “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
  • Enter the key word “.” to block all Internet browsing access.

To set up Web site blocking:

  1. Check Enable Web Site Blocking.
  2. In the New Key Word/URL field, enter either the full Web site address or enter a key word.
  3. Select Add. The key word or Web site address will appear in the Blocked Key Words/URLs list.

To remove entries from the list:

Highlight the entry you want to remove and select Remove, or clear the entire list by selecting Clear list.

Trusted computers allow you to exempt any connected computers from the Web site blocking rules.

To build a list of trusted computers:

Do one of the following:

  1. Select Connected Computers and select a computer from the Connected Computers table by checking the Add box. Select Apply.
  2. Enter the MAC address of one of the computers in your LAN in the New Computer MAC Address field. Select Add.

The MAC address of the computer you selected will appear in the Trusted Computer List.

To remove a computer from the Trusted Computer List:

  1. Select the computer’s MAC address from the Trusted Computer List.
  2. Select Remove.

To enable Web site blocking, select Apply.

Setting Up a Web Site-Blocking Schedule

The Web site-blocking schedule allows you to apply your Web site-blocking rules at different times of the day or week. For example, workers on a particular shift may not need Internet access.

To set up a Web site-blocking schedule:

  1. In Days of the Week, select the day or days to which you wish to apply Web site blocking.
  2. In Time of Day, select either All Day, or choose a start time (e.g., 2 p.m.) and an end time (e.g., 6 p.m.) to which you want to apply Web site blocking.
  3. Select Apply.
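The key word and URL semantics described under Setting Up Web Site Blocking, the trusted computer exemption, and the blocking schedule can all be expressed as one decision function. The Python below is an added example written for this page, not code from Comcast or from the gateway; its interpretation of how a full address differs from a key word (an entry with a scheme or a "www." prefix blocks only that host, any other entry is matched as a substring of the requested address) is an assumption, as are the constructed MAC addresses and URLs in the demo.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set, Union
from urllib.parse import urlsplit

MAX_RULES = 10   # the gateway accepts up to 10 key words/URLs


def normalize_mac(mac: str) -> str:
    """Canonical form so that AA-BB-... and aa:bb:... compare equal."""
    return mac.strip().lower().replace("-", ":")


def host_of(url: str) -> str:
    """Lower-cased host part of a URL; a bare host name is accepted as well."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


@dataclass
class BlockingSchedule:
    days: Set[int]            # datetime.weekday() values: Monday=0 ... Sunday=6
    all_day: bool = True
    start: str = "00:00"      # 24-hour "HH:MM"; used only when all_day is False
    end: str = "23:59"

    def active(self, when: datetime) -> bool:
        if when.weekday() not in self.days:
            return False
        if self.all_day:
            return True
        return time.fromisoformat(self.start) <= when.time() < time.fromisoformat(self.end)


@dataclass
class WebSiteBlocking:
    enabled: bool = True
    entries: List[str] = field(default_factory=list)        # Blocked Key Words/URLs list
    trusted_macs: Set[str] = field(default_factory=set)     # Trusted Computer List
    schedule: Optional[BlockingSchedule] = None             # None: rules apply at all times

    def add_entry(self, entry: str) -> None:
        entry = entry.strip().lower()
        if not entry:
            raise ValueError("empty key word/URL")
        if len(self.entries) >= MAX_RULES:
            raise ValueError(f"at most {MAX_RULES} key words/URLs are allowed")
        if entry not in self.entries:
            self.entries.append(entry)

    def trust(self, mac: str) -> None:
        self.trusted_macs.add(normalize_mac(mac))

    @staticmethod
    def entry_matches(entry: str, url: str) -> bool:
        # Assumed interpretation of the manual's examples: an entry written as a full
        # address (with a scheme or a "www." prefix) blocks only that host, while any
        # other entry is a key word that blocks every address containing it, so ".com"
        # blocks all .com sites and "." blocks everything.
        if "://" in entry or entry.startswith("www."):
            return host_of(url) == host_of(entry)
        return entry in url.lower()

    def is_blocked(self, url: str, client_mac: str, when: Union[datetime, str]) -> bool:
        """Decide whether a request from client_mac for url at time `when` is blocked."""
        if isinstance(when, str):
            when = datetime.fromisoformat(when)
        if not self.enabled:
            return False
        if normalize_mac(client_mac) in self.trusted_macs:
            return False                      # trusted computers are exempt
        if self.schedule is not None and not self.schedule.active(when):
            return False                      # outside the blocking schedule
        return any(self.entry_matches(e, url) for e in self.entries)


if __name__ == "__main__":
    # Constructed demo: block "example" on weekdays 2 p.m. to 6 p.m., trust one MAC.
    wb = WebSiteBlocking(schedule=BlockingSchedule({0, 1, 2, 3, 4}, False, "14:00", "18:00"))
    wb.add_entry("example")
    wb.trust("AA-BB-CC-DD-EE-FF")
    print(wb.is_blocked("http://example.net/", "00:11:22:33:44:55", "2024-01-08T15:00"))
```

Because the match is a plain substring test on whatever address the gateway sees, the filter is a convenience control rather than a hard boundary; the trusted computer list is keyed by MAC address, which identifies a network interface rather than a user, so review it when devices change hands.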

DMZ

The DMZ (demilitarized zone) feature is commonly used for gaming and videoconferencing, applications that will not function through NAT. It allows a selected computer to bypass the firewall features of the gateway and permits unrestricted access from the Internet to that computer.

Note: For security, you should avoid using the DMZ feature when not needed. When a computer is designated as a DMZ server, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.

Incoming traffic from the Internet is normally discarded by the gateway unless the traffic is in response to one of your local computers or a service that you have configured in the port forwarding or port triggering menu. Instead of discarding this traffic, you can have it forwarded to one computer on your network. This computer is called the DMZ host.

To assign a computer or server to be a DMZ host:

  1. From the main menu under Firewall, select DMZ.
  2. Check Enable DMZ Host.
  3. Enter the IP address of the LAN PC that you wish to place in the DMZ, or select Connected Computers and select a computer from the connected computers table.
  4. Select Apply.

To disable the DMZ Host, uncheck the Enable DMZ Host box and select Apply.
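The order in which the gateway disposes of unsolicited inbound traffic (responses to local connections pass, configured forwarding rules redirect, the DMZ host receives whatever is left, everything else is discarded), together with the block-all-with-exceptions and allow-all-with-exceptions modes of the True Static IP Port Management table, can be modelled as a small decision function. The Python below is an added example for this page, not Comcast code and not a description of the gateway's actual implementation; the session tracking is a deliberate simplification (a set of remote endpoints that a LAN host has contacted), and all addresses, ports and rules in the demo are constructed.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# (action, target IP, target port); target fields are None when nothing is delivered
Decision = Tuple[str, Optional[str], Optional[int]]


def protocol_matches(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto.upper() in ("BOTH", pkt_proto.upper())


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str        # the gateway's public IP for NAT clients, or a true static IP
    dst_port: int
    protocol: str      # "TCP" or "UDP"


@dataclass
class ForwardRule:
    public_start: int
    public_end: int
    private_start: int
    protocol: str      # "TCP", "UDP" or "BOTH"
    lan_ip: str
    enabled: bool = True

    def match(self, pkt: Packet) -> Optional[Decision]:
        if not self.enabled or not protocol_matches(self.protocol, pkt.protocol):
            return None
        if not self.public_start <= pkt.dst_port <= self.public_end:
            return None
        # The private range has the same size as the public range, so keep the offset.
        return ("forward", self.lan_ip, self.private_start + (pkt.dst_port - self.public_start))


@dataclass
class StaticIpRule:
    """One entry (exception) in the True Static IP Port Management table."""
    port_start: int
    port_end: int
    protocol: str
    ip_start: str
    ip_end: str
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        dst = ipaddress.ip_address(pkt.dst_ip)
        return (self.enabled
                and protocol_matches(self.protocol, pkt.protocol)
                and self.port_start <= pkt.dst_port <= self.port_end
                and ipaddress.ip_address(self.ip_start) <= dst <= ipaddress.ip_address(self.ip_end))


@dataclass
class GatewayInbound:
    public_ip: str
    static_subnet: Optional[str] = None    # CIDR of the true static IP subnet, if any
    static_mode: str = "block_all"         # "block_all": entries are allowed exceptions;
                                           # "allow_all": entries are blocked exceptions
    static_rules: List[StaticIpRule] = field(default_factory=list)
    static_rules_disabled: bool = False    # "Disable all rules and allow inbound traffic through"
    forward_rules: List[ForwardRule] = field(default_factory=list)
    dmz_host: Optional[str] = None
    # Simplified state table: remote endpoints a LAN host has contacted.
    established: Set[Tuple[str, int, str]] = field(default_factory=set)

    def note_outbound(self, remote_ip: str, remote_port: int, protocol: str) -> None:
        self.established.add((remote_ip, remote_port, protocol.upper()))

    def decide(self, pkt: Packet) -> Decision:
        if self.static_subnet and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.static_subnet):
            return self._decide_static(pkt)
        if (pkt.src_ip, pkt.src_port, pkt.protocol.upper()) in self.established:
            return ("allow", None, None)     # reply to a local connection; NAT mapping not modelled
        for rule in self.forward_rules:
            hit = rule.match(pkt)
            if hit is not None:
                return hit
        if self.dmz_host:
            return ("forward", self.dmz_host, pkt.dst_port)   # DMZ host gets everything else
        return ("drop", None, None)

    def _decide_static(self, pkt: Packet) -> Decision:
        if self.static_rules_disabled:
            return ("allow", pkt.dst_ip, pkt.dst_port)
        matched = any(r.matches(pkt) for r in self.static_rules)
        permitted = matched if self.static_mode == "block_all" else not matched
        return ("allow", pkt.dst_ip, pkt.dst_port) if permitted else ("drop", None, None)
```

The last two branches of `decide` show why the manual warns about the DMZ: once a DMZ host is set, the "drop" outcome for unsolicited traffic disappears entirely and every unmatched port reaches that machine. The static IP branch shows the converse risk of the override box, which short-circuits the whole exceptions table.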