lnxfrk's profile

Contributor

23 Messages

Friday, March 27th, 2026 11:02 PM

Cloudflare Anycast IPs being blocked by comcast ASBR

I've already attempted to report this issue via Assistant/chat and over a voice call but apparently gaining zero traction or not getting to the correct level of support. During the voice call to support the representative said give it 4 to 6 hours and it should be resolved. I didn't have much hope in the statement considering the first thing the person did was restart my modem...

First of all, this is not a home network issue, it's at least 8 hops away from my home network. Using a VPN from my home network is not blocked. Also proved that using VZW home internet is not blocked. Obviously true since the traffic is taking same route to the site. Also forced a home IP change to prove out it's not just my IP - CF dashboards would reveal that if that was the case anyway.

Issue: I have a site hosted in another cloud provider and use Cloudflare services to front it. Cloudflare places Anycast IPs in front of sites for protection and to improve performance. In my mind these are essentially like a reverse proxy where there are several 100s, 1000s? sites behind the pair of IPs. These IPs were working prior to 19-March - ever since then reaching a site behind them just times out.

I have not received any statement that these are blocked by reputation, I have checked with SPA and they reported no blocks. These are Cloudflare Anycast IPs and are used by many CF customers, not a dedicated resource. Plus there is no way to force a site to use a different set of IPs w/o an enterprise plan.

Based upon tracing it's quite clear that there is a border router that is causing the issue in Roseville MN - identified by asbrXX. Perhaps only impacts twin cities comcast subscribers? TBD as I don't have a means to test from a different comcast household.

Suspicion that both 172.67.165.172 and 104.21.11.83 are being blocked / null-routed and must be a /32 block rule as other anycast IPs in the same CIDR range are open.

https://www.cloudflare.com/ips/ as you can see these IP ranges are quite large - I have scanned 10 to 20 surrounding the non working ones and confirmed surrounding IPs work (see below).

172.64.0.0/13 --> 172.64.0.1 - 172.71.255.254
104.16.0.0/13 --> 104.16.0.1 - 104.23.255.254

Running mtr  -w -c 10 -i 1 -4 172.67.165.172:

Start: 2026-03-26T18:02:21-0500
HOST: router                                             Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.27.32.2                                        0.0%    10    8.0   9.2   8.0  10.8   0.8
  2.|-- po-309-351-rur201.maplegrove.mn.minn.comcast.net  0.0%    10    9.9  10.9   8.7  16.0   2.3
  3.|-- bundle-2019-tcr04.maplegrove.mn.minn.comcast.net  0.0%    10   11.8  12.2   9.8  15.0   1.8
  4.|-- 68.85.201.121                                     0.0%    10    9.4  11.0   9.4  12.6   1.1
  5.|-- bundle-3061-ccr201.roseville.mn.minn.comcast.net  0.0%    10   11.3  11.4   9.4  13.0   1.1
  6.|-- bundle-2100-tcr01.roseville.mn.minn.comcast.net   0.0%    10    8.9  11.4   8.9  15.2   1.9
  7.|-- bundle-2068-asbr02.roseville.mn.minn.comcast.net  0.0%    10   11.6  10.3   9.1  11.7   1.0
  8.|-- ???                                              100.0    10    0.0   0.0   0.0   0.0   0.0

small range test, only .172 fails

for i in {165..180}; do 
    if ! ping -q -c 1 -W 1 172.67.165.$i > /dev/null; then
        echo -e "\nFAILED: 172.67.165.$i"
        ping -q -c 1 172.67.165.$i
    fi
done

FAILED: 172.67.165.172
PING 172.67.165.172 (172.67.165.172) 56(84) bytes of data.

--- 172.67.165.172 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Running mtr  -w -c 10 -i 1 -4 104.21.11.83:

Start: 2026-03-26T18:04:04-0500
HOST: router                                             Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.27.32.3                                        0.0%    10   10.5  12.8   9.7  17.3   2.7
  2.|-- po-309-352-rur202.maplegrove.mn.minn.comcast.net  0.0%    10   12.2  12.2  10.1  19.5   2.8
  3.|-- bundle-2022-tcr03.maplegrove.mn.minn.comcast.net  0.0%    10   14.0  13.6  11.4  17.8   2.0
  4.|-- 68.85.201.117                                     0.0%    10   13.5  14.4  11.8  21.0   3.1
  5.|-- bundle-3061-ccr201.roseville.mn.minn.comcast.net  0.0%    10   11.0  13.8  10.9  22.4   3.9
  6.|-- bundle-2102-tcr03.roseville.mn.minn.comcast.net   0.0%    10   10.8  12.3  10.8  14.8   1.4
  7.|-- bundle-2066-asbr01.roseville.mn.minn.comcast.net  0.0%    10   10.9  12.7   9.9  15.9   2.0
  8.|-- ???                                              100.0    10    0.0   0.0   0.0   0.0   0.0

small range test, only .83 fails

for i in {75..85}; do 
    if ! ping -q -c 1 -W 1 104.21.11.$i > /dev/null; then
        echo -e "\nFAILED: 104.21.11.$i"
        ping -q -c 1 104.21.11.$i
    fi
done

FAILED: 104.21.11.83
PING 104.21.11.83 (104.21.11.83) 56(84) bytes of data.

--- 104.21.11.83 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Example of a site with working CF anycast IPs in the same Anycast IP CIDR 

Running mtr  -w -c 10 -i 1 -4 172.67.133.25:

Start: 2026-03-26T18:05:39-0500
HOST: router                                             Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.27.32.3                                        0.0%    10    9.5   9.9   8.1  14.4   1.9
  2.|-- po-309-352-rur202.maplegrove.mn.minn.comcast.net  0.0%    10   12.3  12.7   8.6  20.9   4.2
  3.|-- bundle-2021-tcr02.maplegrove.mn.minn.comcast.net  0.0%    10    9.5  11.8   9.5  18.1   2.6
  4.|-- 68.85.201.113                                     0.0%    10   14.7  12.9   9.7  20.9   3.5
  5.|-- bundle-3061-ccr201.roseville.mn.minn.comcast.net  0.0%    10   13.3  13.4   8.8  19.1   3.1
  6.|-- bundle-2102-tcr03.roseville.mn.minn.comcast.net   0.0%    10   12.2  12.6   9.3  16.3   2.4
  7.|-- bundle-2066-asbr01.roseville.mn.minn.comcast.net  0.0%    10    9.4  12.4   9.4  17.2   2.6
  8.|-- be-1001-ar-sp01.roseville.mn.minn.comcast.net     0.0%    10   10.8  12.7  10.0  20.3   3.1
  9.|-- be-2101-ar-ex01.roseville.mn.minn.comcast.net     0.0%    10   13.4  13.7  10.1  16.9   2.5
 10.|-- ???                                              100.0    10    0.0   0.0   0.0   0.0   0.0
 11.|-- 172.67.133.25                                     0.0%    10   12.0  13.5   9.7  18.7   3.1

Running mtr  -w -c 10 -i 1 -4 104.21.16.168:

Start: 2026-03-26T18:06:48-0500
HOST: router                                             Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.27.32.3                                        0.0%    10    9.7  12.4   8.0  19.3   3.3
  2.|-- po-309-352-rur202.maplegrove.mn.minn.comcast.net  0.0%    10   14.2  13.7  10.4  16.6   2.3
  3.|-- bundle-2021-tcr02.maplegrove.mn.minn.comcast.net  0.0%    10   15.9  12.1  10.0  15.9   1.9
  4.|-- 68.85.201.113                                     0.0%    10   14.5  14.0  10.9  16.9   2.1
  5.|-- bundle-3061-ccr201.roseville.mn.minn.comcast.net  0.0%    10   10.9  15.1  10.9  27.1   5.2
  6.|-- bundle-2103-tcr04.roseville.mn.minn.comcast.net   0.0%    10   14.6  14.4  10.7  18.4   2.7
  7.|-- bundle-2079-asbr04.roseville.mn.minn.comcast.net  0.0%    10   10.8  15.8  10.8  19.0   2.8
  8.|-- be-1004-ar-sp04.roseville.mn.minn.comcast.net    20.0%    10   12.9  13.0   9.9  15.9   1.9
  9.|-- be-2401-ar-ex01.roseville.mn.minn.comcast.net     0.0%    10   17.0  16.8  12.8  22.7   3.0
 10.|-- ???                                              100.0    10    0.0   0.0   0.0   0.0   0.0
 11.|-- 104.21.16.168                                     0.0%    10   18.1  15.8  12.2  21.2   3.0

As you can see the last two tests successfully make it to their destination without timing out.
