Is ISP blocking all ports?
-
@compprobsolv said in Is ISP blocking all ports?:
I'm running telnet on my computer (different location) pointing to his IP
A PC somewhere on the Internet, not on a pfSense LAN ?
What is in front of pfSense ? An ISP router ?
What are your firewall WAN rules ? NAT rules ?
What is the WAN IP of pfSense ? Is it an RFC1918 ?
A simple (just for a short time !!) test : Open the pfSense GUI web server port (80 and or 443, both TCP) with a firewall rule on the WAN port :
Now, take your phone, deactivate (local) Wifi access ( !! ), use the carrier data, start a browser and go to http://your-wan-ip ( or https://your-wan-ip ).
If the ISP doesn't block traffic on port 80/443 TCP, you should see the pfSense login screen on your phone.
-
You can go to www.grc.com and run a "ShieldsUp!" port scan to see what's happening. Any chance you're on CGNAT? If your ISP is using it, you don't have a hope of reaching your network.
-
I know Spectrum and WOW! block port 25 if you don't have their business service with static IP.
-
@mike115 said in Is ISP blocking all ports?:
WOW! block port 25
Why would you connect to 'somewhere' using port 25 ?
Outgoing connections using port 25 work, but you have to use the (IP) mail server of your ISP.
Port 25 was used for sending mail, one or two decades ago. These days, it's 587 or better : port 465.
Block incoming : This means you can't run your own mail server 'in house'.
Block outgoing : Same thing. [Any IP, destination port TCP 25] should only be used for mail server to mail server communication.
I don't think a lot of people run their own mail server @home.
-
@gertjan Port 587 and 465 and all those others are used for SMTP submission. Port 25 is still used for relay. Port 25 used to be used for submission as well as relay but ISPs block it now for most end points due to SPAM. If you ever want to host a mail server and receive E-Mail messages relayed from other big servers (i.e. Google, Yahoo, Microsoft, etc...) you need to have port 25 open to your mail server as none of those other servers will relay to 587 or any other port. Some people mention port 2525 as a non-standard relay, but in my experience this has not been the case.
-
@jknott
I've run ShieldsUp, but it doesn't appear to be helpful here. As I understand it (and generally confirmed with the test), it's testing to see if traffic on specific ports can get to the computer that is running ShieldsUp. On normal configurations, all ports should fail. This is not because the ISP prevents the communication but because the firewall prevents the communication. My issue is not being able to see the packets even get to the WAN side of the firewall.
Just to confirm, I ran ShieldsUp on three computers: one in my office, one on the client's LAN, and one on a different client's LAN (where I CAN see the packets hitting the WAN side of the firewall). All three use different ISPs. In all cases, ShieldsUp showed no ports open.
I wasn't aware of CGNAT, but that sounds like a possibility. Is there a way I can test whether or not that is in place? The ISP (Spectrum) gave this link in response to a question about what they block: https://www.spectrumbusiness.net/support/internet/blocked-ports-0?cid=eml_ehh_380_0721 .
-
@gertjan
The PC was on an entirely separate network. Different location and different ISP.
Regarding whether or not there is an ISP-provided router, I cannot be certain but have some clues. You may be on to something there.
I'm not on-site (very far away) so I'm going by answers from the client. I will confirm exactly what the WAN cable on the pfSense device connects to.
The WAN port on the pfSense has a public IP address. If I do a tracert to 1.1.1.1 I come up with an "interesting" result. The time to the pfSense box is <1 ms, which is typical. The next hop has a time of 1 ms. That implies to me that it is local. That may be an on-site router. The next hop is 11 ms away, which is typical for a router at the ISP's location.
I will get more info about exactly what is connected to the WAN port. I'm most suspicious of an additional router being the issue.
The WAN rules are pretty simple: block bogon, block private, allow ports 987, 25, and 1194. The first two are likely left over from a previous installation and I'll disable them. The 1194 rule is one I created for the VPN.
The NAT rules are for destination ports 25 and 987.
The WAN IP of the pfSense is a public address; the first octet is 72.
I set up the rule you suggested with port 80. I tried browsing to http://<client public IP> from my office (different LAN, different ISP). I got a response that nothing was responding on the other end. I had Packet Capture running, but I think the only traffic I saw was initiated by computers on the client's LAN. I didn't see my external IP address anywhere in the capture.
-
Try opening a port and see if the port scan shows it. If it does, great. If not, it's blocked before it gets to you.
As for checking for NAT, compare your WAN address with what that port scan shows. It's displayed above all the ports that are checked. If they're different, you're behind NAT.
BTW, I trust your modem is in bridge mode, not gateway.
-
You should see incoming traffic in a pcap on WAN whatever the firewall rules are.
I would test with a different port though I could definitely imagine port 23 being blocked.
Steve
-
I haven't resolved the issue, but I think it has been clearly identified.
The client had stated that there was a modem between the WAN port on the pfSense device and the coax connection from the ISP. As it turns out, it was a modem/router.
We'll likely replace it with a simple router so we don't run into issues in the future. I'm not able to log into the modem/router at the moment for lack of a proper password. In any case, I think replacing it makes more sense in the long run.
Thanks to all for your help!
-
@compprobsolv You may not actually be able to do that, some ISPs require their modem/router on their internet connection. If you can, putting it into bridge mode will pretty much silence it and make it so that you can pass any and all traffic directly through it and into your pfsense box. You have to find out, however, like has been stated above, if they are doing CGNAT, otherwise this exercise still won't work. You should be able to call them and ask these questions.
-
The ISP claims that the modem/router is in bridged mode. I've learned to be skeptical about such claims if I can't verify them. I've found techs to be wrong about this too many times.
We'll check on CGNAT.
-
Part of my reluctance to stay with the modem/router is twofold. I've dealt with ISPs where they didn't have a simple bridge mode and it took several settings to accomplish passing all traffic through. A lot of time can be wasted if a setting is missed. That goes away when there is a simple modem.
My second concern is that numerous times I've run into tech support telling the client to reset the modem/router without considering any programming (LAN IP, WAN IP, bridge mode, DHCP, forwarding, etc.) that may be present. If there is anything non-default, a whole new set of problems arise.
-
@compprobsolv I feel the same. I've got a Comcast business connection, and even though in the modem config screens there is a function to put the modem into bridge mode, I still had to call them and ask them to config it to always be in that mode. Didn't matter what I changed in the settings, it always went back to router mode.
Ever since that phone call, it's been just fine, and I can config pfsense to use it as a WAN interface with the Comcast static public IP address. They didn't actually call it bridge mode, it was something else, but I don't remember any more.
-
If the ISP modem/router is truly in bridge mode then I would expect pfSense to have a public IP on its WAN.
If it has a private IP then something upstream is NATing. Either the modem/router is still routing (not bridged) or the ISP is applying CGN. Probably the former.
Steve
-
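The two checks suggested in the thread (jknott: compare the pfSense WAN address with the address ShieldsUp reports; Steve: a private WAN address means something upstream is translating) can be turned into a small diagnostic. The script below is an added example and is not code from any poster or from pfSense. It classifies a WAN address as RFC1918, carrier-grade NAT shared space (100.64.0.0/10, RFC 6598) or public, compares it with the externally observed address, and adds a TCP probe that separates "handshake completed", "RST came back" and "nothing came back" so an outside tester can tell a closed service from traffic that never arrived. The sample addresses in `main()` are constructed; the 72.x address is only a stand-in for the public WAN address mentioned in the thread.

```python
import ipaddress
import socket

# Shared address space reserved for carrier-grade NAT (RFC 6598).
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")
# Private address space (RFC 1918).
RFC1918_SPACE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan_ip(addr: str) -> str:
    """Return 'rfc1918', 'cgnat', 'non-global' or 'public' for an IPv4/IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918_SPACE):
        return "rfc1918"
    if ip in CGNAT_SPACE:
        return "cgnat"
    if not ip.is_global:          # loopback, link-local, documentation ranges, etc.
        return "non-global"
    return "public"


def diagnose_nat(wan_ip: str, observed_ip: str) -> str:
    """Compare the address on the pfSense WAN interface with the address an outside host sees.

    Returns one of:
      'upstream-nat'  - WAN has an RFC1918 address: the modem/router (or something else on site) is routing.
      'cgnat'         - WAN sits in 100.64.0.0/10: the ISP is translating; inbound ports cannot reach you.
      'nat-mismatch'  - WAN is public but differs from the external view: translation somewhere upstream.
      'direct'        - WAN is public and matches the external view; a failed inbound test then means filtering.
    """
    kind = classify_wan_ip(wan_ip)
    if kind == "rfc1918":
        return "upstream-nat"
    if kind == "cgnat":
        return "cgnat"
    if ipaddress.ip_address(wan_ip) != ipaddress.ip_address(observed_ip):
        return "nat-mismatch"
    return "direct"


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Run from a host outside the network being tested.

    'open'     - three-way handshake completed (traffic reached a listener).
    'closed'   - RST received (traffic reached a host, nothing listening).
    'filtered' - no reply before the timeout (dropped by a firewall, the ISP, or never routed).
    'error'    - any other socket error (no route, DNS failure, ...).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"
    finally:
        sock.close()


def main() -> None:
    # Constructed sample cases; replace with the real WAN address and the address ShieldsUp shows.
    cases = [
        ("72.0.2.10", "72.0.2.10"),        # stand-in public address, matches external view
        ("192.168.100.5", "72.0.2.10"),    # modem/router still routing
        ("100.70.1.1", "72.0.2.10"),       # ISP carrier-grade NAT
        ("72.0.2.10", "72.0.2.99"),        # public on WAN but external view differs
    ]
    for wan, seen in cases:
        print(f"WAN {wan:15} seen as {seen:15} -> {classify_wan_ip(wan):10} {diagnose_nat(wan, seen)}")
    # Probe a port on the tested WAN address from outside; 127.0.0.1:1 is used here only as a local stand-in.
    print("probe 127.0.0.1:1 ->", probe_tcp("127.0.0.1", 1, timeout=1.0))


if __name__ == "__main__":
    main()
```

Usage: run `diagnose_nat()` with the address from Status > Interfaces (WAN) and the address ShieldsUp prints above its port list. Only a `direct` result makes the next step meaningful: open one TCP port on WAN (as gertjan suggested), run `probe_tcp()` against it from a host on another ISP, and watch Diagnostics > Packet Capture on WAN; `filtered` with no SYN in the capture points at the ISP, while `closed` or a visible SYN shows the packets are arriving and the problem is local.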
@compprobsolv said in Is ISP blocking all ports?:
We'll check on CGNAT
Did you compare your WAN address with what www.grc.com shows?
-
@stephenw10
The pfSense device has a static public IP on the WAN interface.
-
@stephenw10
Worked with the ISP today. The tech insists it is in bridge mode, though I'm skeptical about whether or not all packets are being passed through. They agreed to replace the modem/router with a real modem.
-
@compprobsolv said in Is ISP blocking all ports?:
The pfSense device has a static public IP on the WAN interface.
That's fine then. Either it's actually bridged or it's routing that to you. Both are fine and should allow incoming traffic as long as the ISP is not filtering it.
Run a packet capture or just check the firewall logs after running the shields up test. You should see all the incoming connections from it.
ISPs do block some common ports like unencrypted email and telnet. Nobody should be using those anyway!
Steve
-
I wanted to follow up to finish this off.
After much effort with the ISP, it is clear to me that their system is blocking most incoming ports when a static IP is used. When we switch to DHCP (different service), there are no such issues.
We tried a simple modem (vs. modem/router) and the problems persisted.
Despite working with several techs at the ISP, I wasn't able to get any of them to acknowledge the problem itself, let alone resolve it.
The client has switched to a dynamic IP and we're making that work.
Thank you for your assistance!