And you thought Comcast couldn't get any worse

HCHTech

I have a 2-person attorney's office as a client that works from his home. He has Comcast residential internet, and we have a Sonicwall installed (yes, double-NATing), behind which are his two business computers and a Synology. His helper works from her home and VPNs into the Sonicwall for access to the company files on the NAS.

He lost internet last Friday, and after rebooting everything to no avail, called Comcast. They ended up factory-resetting his Comcast gateway, which erased our port forwarding, so the VPN stopped working, and the Sonicwall lost internet.

We now know that they pushed a firmware update to his Comcast gateway, a Cisco DPC3941T. Since he still had internet service through the Comcast gateway, I had him connect his laptop there so I could remote in and troubleshoot.

First of all, neither the default credentials nor the previous config credentials we had for the Comcast gateway would let us in. It took 3 manual factory resets with the button before the default credentials would work again. Once we got in, we found that the DHCP reservation we had made for the Sonicwall was somehow still there, odd. Next, we found out that you can no longer define a port forward in the gateway interface. Instead of the normal settings, there is this cheery message:

"Entering Port Forwarding is now easier than ever! Just go to [link] and log in with your Xfinity account"

Um, ok. So, we did that, and there we found an online version of an almost complete set of configuration pages for the gateway. Including a list of connected devices, the wifi setup, and port forwarding.

The port forwarding setup would not let you specify an IP address to forward the traffic to, it only gave you a drop-down list of detected devices, which, you guessed it, did not contain our Sonicwall.

We fought with this unorganized, painful and slow interface for about 2 hours to get our Sonicwall to show up on the list of detected devices. I guess the firmware update that translated the settings that used to be on the gateway itself to the online interface needs some work.

After we could see the Sonicwall on the list of allowable devices for port forwarding, we found that the function did not work. This process seems like they didn't really think it through. When you create the forward, you pick the device, then click next and you get "port forward successfully added". But wait, I didn't tell you which ports! The forward that was created defaulted to port 1. You then have to edit it to specify which port you really wanted. Obnoxious.

Then we noticed that once the forward was created correctly, it didn't work. It said it was forwarding traffic to the named device, but in fact it was going to the wrong IP address. More fighting with this ensued, but ultimately the solution was to make the system forget the device altogether and then redetect it. For reasons known only to Comcast, you cannot "forget" a device that is still seen as active, so we had to disconnect the device from the network, then wait about 15 minutes for that change to be noticed by the online interface. Once it was on the "inactive" list, we could forget it. Then we plugged it back in again, waited the 15 minutes again, found it on the active list again and now, finally, a port forward would actually work as intended.

Time budgeted for this job: 30 minutes. Time spent: 3.75 hours. WTF Comcast?

BTW, I did take this opportunity to remind him that if he had the business internet service I recommended we wouldn't have had to go through all of this nonsense, but he'd rather save the $200/mo and live with it. Me, not so much. :rolleyes:
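Two of the checks from the post above, as an added example that is not part of the original thread or of any Comcast or SonicWall tooling: first, classifying the address the inner router sees on its WAN side (an RFC 1918 address means another NAT sits in front, i.e. double NAT; a 100.64.0.0/10 address means carrier-grade NAT, where inbound forwards cannot work at all), and second, verifying that a port forward actually lands on the intended device rather than trusting the "port forward successfully added" message. The second check assumes a hypothetical small TCP "identity" listener run on the device that should receive the forwarded traffic; the probe connects to the forwarded address/port and compares the banner against the expected device name. The device names and addresses are constructed for the example.

```python
"""Sanity checks for a port forward behind a (possibly double-NAT) ISP gateway.

Added example, not code from the forum post or from Comcast/SonicWall.
Assumptions (hypothetical): a throwaway TCP 'identity' listener runs on the
device that should receive the forwarded traffic; the probe connects to the
forwarded public address/port and checks that the banner names the expected
device, so a forward that silently lands on the wrong LAN host is caught.
"""
import ipaddress
import socket
import threading

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def wan_address_kind(addr: str) -> str:
    """Classify the address an inner router holds on its WAN interface.

    'public'  -> routable address, the ISP gateway is bridged (no double NAT)
    'private' -> RFC 1918 / loopback / link-local, another NAT is in front
    'cgnat'   -> ISP carrier-grade NAT; no inbound forward can reach you
    """
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:  # checked first: newer Pythons may also flag it as private
        return "cgnat"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public"


def start_identity_listener(device_name: str, host: str = "127.0.0.1", port: int = 0):
    """Run a throwaway TCP listener that answers every connection with 'ID <name>'.

    Returns (bound_port, stop_function). port=0 lets the OS pick a free port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)  # so the accept loop notices the stop flag promptly
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(f"ID {device_name}\n".encode())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def probe_forward(host: str, port: int, expected_device: str, timeout: float = 2.0) -> dict:
    """Connect to host:port and report which device actually answered.

    reachable      -> the TCP connection was accepted at all
    device         -> name from the banner, or None if no identity banner came back
    correct_target -> the banner matched the device the forward was meant for
    """
    result = {"reachable": False, "device": None, "correct_target": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = s.recv(256).decode(errors="replace").strip()
    except OSError:
        return result  # refused / filtered / timed out: forward not in place
    result["reachable"] = True
    if banner.startswith("ID "):
        result["device"] = banner[3:]
        result["correct_target"] = result["device"] == expected_device
    return result


if __name__ == "__main__":
    # Constructed values: a Comcast gateway LAN address handed to the firewall's WAN port.
    print(wan_address_kind("10.0.0.5"))          # private -> double NAT
    port, stop = start_identity_listener("sonicwall-tz")
    print(probe_forward("127.0.0.1", port, "sonicwall-tz"))   # correct_target True
    print(probe_forward("127.0.0.1", port, "synology-nas"))   # forward hit the wrong box
    stop()
```

In practice the listener would run on the firewall (or NAS) and the probe would be run from a host outside the ISP gateway against the public address; on a loopback run as above it only exercises the logic. A result of reachable but not correct_target is exactly the failure described in the post: the gateway accepts the forward but delivers it to a different LAN host.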
 
Your mistake was supporting a VPN terminator behind a NAT device. That's been a terrible idea for 20 years. The Comcast device can function as a bridge... do it.

As for his "savings" after your bill burns up the last year's worth of it, he should be singing a different tune.

The other alternative is to abandon VPN entirely, and use more modern tools... but that depends on the specific processes involved. What does he use the VPN for?

TLDR, this wasn't Comcast's fault, it was yours for using a broken process.
 
We work with a ton of different ISPs across several states, gotta say...Comcast is an easy one to work with. Granted...we really work with the "business" product, not the residential. Different support departments...the biz one is always US based.

Double NAT'ing behind the residential gateway...ack...put on your sneakers and run! You can still bridge those ones.
 
Yes, the residential internet sucks. We didn't push bridging the gateway because they use its "outside the firewall" connection for all of their household devices. We really need to reconfigure everything to build a guest VLAN so we can bridge the gateway and put all traffic through the firewall, but it has worked the way it is for longer than I've been his tech, so he is reticent to change, and I haven't really pushed it beyond the reminder that a rework is in his best interest once a year or so. I had pitched moving his data to sharepoint last year, in fact, but he's old-school and wasn't really interested. So, broken process or not, it works for them and they have rejected suggested changes more than once. I have a feeling I'll be nursing this configuration along until he retires in 4 or 5 years...
 
Yes, the residential internet sucks.
... for commercial use – no surprise there. Just because it used to be nicely configurable, doesn't mean it's going to stay that way. (Does commercial use not contravene the terms of service?)

Then you've done your part, bill him for the time! And enjoy making a fat wad off his stupidity and inflexibility.
Exactly this. No discounts (no reason for you to subsidise his poor decisions) and make sure that the invoice details the hoops you had to jump through. Saving $200/mo comes at a price. Conversely, he has saved enough to pay your going rate.
 
I don't know how Comcast works, but here where I am, we have Suddenlink. My home internet is amazing, 1Gig speed is awesome. The problem is their shi**y equipment. But I solved that by ditching their equipment and bought my own so I control and have all access to everything from the drop line into my home. Have all Ubiquiti - USG Pro 4, switches, APs, etc. I've done a few homes the same way over the past few weeks because people are working from home, all without a hitch.

It seems that something like that could be done for you client? Ditching the Comcast equipment, etc.
 
(Does commercial use not contravene the terms of service?)

Considering the number of techs on these very forums who run their businesses out of their homes and use their residential internet, I just assumed it was allowable! /snark

Yup, he's getting a full bill, I may be a lousy salesman, but my invoicing skills are top notch. And @Your PCMD is correct, that using a non-Comcast modem would alleviate this nonsense. My only point of this whole post was to point out a difference in how their equipment is working, so what used to be a 20-minute exercise now needs a whole afternoon. Finally, there are plenty of residential reasons to forward ports, btw - Fortnite, anyone? ...and dozens of other games.
 
@HCHTech I am home based, and yet... I have a commercial pipe!

The support response alone makes it well worth it, it's hard to be an IT guy when your junk is down!

Now, I don't think there's any TOS violations here, at least there wouldn't be with any of the ISPs I've ever worked with. But, since my home office is connected to COX what do I get for being on a commercial pipe?

1.) A static IP address with the ability to get more (handy, but not essential)
2.) NO PORT FILTERING, utterly essential for me to do my job. I need to be able to run port scans to audit client's perimeters, not to mention run my own services here if I wish.
3.) Superior support and repair windows. Cox has a FOURTEEN DAY, read that...14 days... TWO WEEKS to repair an engineering issue for a residential connection. So if you report a problem, and it's outside your house, you might be waiting TWO WEEKS for it to get fixed. The better part... Engineering doesn't have to tell you they've fixed it. So you're just wondering... WTF is going on... My commercial SLA demands they get their carcasses out in 24 hours, repair time of no more than 4 days, AND notifications.

Number 3 is the big one for me, downtime on our gear makes us look bad. I have no idea how anyone can be in this industry without stable Internet backed by a solid service agreement. It just looks bad.
 
@Sky-Knight , I concur. I also have business internet at my home for my business, for all of the reasons you state. My 150/150 FIOS connection with a block of 5 static IPs sets me back $250 per month, but it's well worth the expense. I also have a Comcast residential hookup, which I use for all of my home traffic, plus failover for my business, but in 3 years, it's never failed over - So far at least, I've never had a FIOS outage.

The other big thing you didn't mention is NO data caps on the business service. In fact, that was the first thing that basically forced my upgrade to business service - I was having to be very careful not to exceed the Comcast data caps as my business grew. I bit the bullet, got business service and never looked back.
 