Netgate Discussion Forum

    Is ISP blocking all ports?

    General pfSense Questions
    blocked ports
      JKnott @CompProbSolv

      @compprobsolv

      Try opening a port and see if the port scan shows it. If it does, great. If not, it's blocked before it gets to you.

      As for checking for NAT, compare your WAN address with what that port scan shows. It's displayed above all the ports that are checked. If they're different, you're behind NAT.

      BTW, I trust your modem is in bridge mode, not gateway.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

        stephenw10 Netgate Administrator

        You should see incoming traffic in a pcap on WAN whatever the firewall rules are.

        I would test with a different port though I could definitely imagine port 23 being blocked.

        Steve

          CompProbSolv

          I haven't resolved the issue, but I think it has been clearly identified.

          The client had stated that there was a modem between the WAN port on the pfSense device and the coax connection from the ISP. As it turns out, it was a modem/router.

          We'll likely replace it with a simple router so we don't run into issues in the future. I'm not able to log into the modem/router at the moment for lack of a proper password. In any case, I think replacing it makes more sense in the long run.

          Thanks to all for your help!

            akuma1x @CompProbSolv

            @compprobsolv You may not actually be able to do that, some ISPs require their modem/router on their internet connection. If you can, putting it into bridge mode will pretty much silence it and make it so that you can pass any and all traffic directly thru it and into your pfsense box. You have to find out, however, like has been stated above, if they are doing CGNAT, otherwise this exercise still won't work. You should be able to call them and ask these questions.

              CompProbSolv @akuma1x

              @akuma1x

              The ISP claims that the modem/router is in bridged mode. I've learned to be skeptical about such claims if I can't verify them. I've found techs to be wrong about this too many times.

              We'll check on CGNAT.

                CompProbSolv @akuma1x

                @akuma1x

                Part of my reluctance to stay with the modem/router is twofold. I've dealt with ISPs where they didn't have a simple bridge mode and it took several settings to accomplish passing all traffic through. A lot of time can be wasted if a setting is missed. That goes away when there is a simple modem.

                My second concern is that numerous times I've run into tech support telling the client to reset the modem/router without considering any programming (LAN IP, WAN IP, bridge mode, DHCP, forwarding, etc.) that may be present. If there is anything non-default, a whole new set of problems arises.

                  akuma1x @CompProbSolv

                  @compprobsolv I feel the same. I've got a Comcast business connection, and even though in the modem config screens there is a function to put the modem into bridge mode, I still had to call them and ask them to config it to always be in that mode. Didn't matter what I changed in the settings, it always went back to router mode.

                  Ever since that phone call, it's been just fine, and I can config pfsense to use it as a WAN interface with the Comcast static public IP address. They didn't actually call it bridge mode, it was something else, but I don't remember any more.

                    stephenw10 Netgate Administrator

                    If the ISP modem/router is truly in bridge mode then I would expect pfSense to have a public IP on its WAN.
                    If it has a private IP then something upstream is NATing. Either the modem/router is still routing (not bridged) or the ISP is applying CGN. Probably the former.

                    Steve

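The two checks described above (is the WAN address private, and does it match the address an outside service reports) as an added example that is not part of the original thread. The function name, verdict labels and sample addresses (documentation ranges) are constructed for illustration; the 100.64.0.0/10 test covers the RFC 6598 shared address space reserved for carrier-grade NAT.

```python
import ipaddress

# RFC 1918 private ranges, listed explicitly: Python's is_private also flags
# documentation ranges, which would misclassify the sample addresses below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGN_SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space


def nat_verdict(wan_ip, observed_ip):
    """Classify the path in front of the firewall.

    wan_ip      -- address configured on the pfSense WAN interface
    observed_ip -- address an outside service (e.g. the port scan page) shows
    Verdict labels are constructed for this example.
    """
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(observed_ip)
    if wan in CGN_SHARED:
        return "cgn"         # ISP is applying carrier-grade NAT
    if any(wan in net for net in RFC1918):
        return "private"     # modem/router still routing, or ISP NAT
    if wan != seen:
        return "translated"  # public on WAN, but rewritten upstream
    return "direct"          # bridged or routed to you; NAT is ruled out


if __name__ == "__main__":
    # Constructed sample addresses (RFC 5737 documentation ranges).
    for wan, seen in [("192.168.0.2", "203.0.113.10"),
                      ("100.72.1.5", "203.0.113.10"),
                      ("203.0.113.10", "203.0.113.10")]:
        print(wan, seen, nat_verdict(wan, seen))
```

A "direct" verdict only rules out NAT; upstream filtering still has to be checked with a capture on WAN.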
                      JKnott @CompProbSolv

                      @compprobsolv said in Is ISP blocking all ports?:

                      We'll check on CGNAT

                      Did you compare your WAN address with what www.grc.com shows?

                        CompProbSolv @stephenw10

                        @stephenw10
                        The pfSense device has a static public IP on the WAN interface.

                          CompProbSolv @stephenw10

                          @stephenw10
                          Worked with the ISP today. The tech insists it is in bridge mode, though I'm skeptical about whether or not all packets are being passed through. They agreed to replace the modem/router with a real modem.

                            stephenw10 Netgate Administrator @CompProbSolv

                            @compprobsolv said in Is ISP blocking all ports?:

                            The pfSense device has a static public IP on the WAN interface.

                            That's fine then. Either it's actually bridged or it's routing that to you. Both are fine and should allow incoming traffic as long as the ISP is not filtering it.

                            Run a packet capture or just check the firewall logs after running the shields up test. You should see all the incoming connections from it.

                            ISPs do block some common ports like unencrypted email and telnet. Nobody should be using those anyway!

                            Steve

                              CompProbSolv

                              I wanted to follow up to finish this off.

                              After much effort with the ISP, it is clear to me that their system is blocking most incoming ports when a static IP is used. When we switch to DHCP (different service), there are no such issues.

                              We tried a simple modem (vs. modem/router) and the problems persisted.

                              Despite working with several techs at the ISP, I wasn't able to get any of them to acknowledge the problem itself, let alone resolve it.

                              The client has switched to a dynamic IP and we're making that work.

                              Thank you for your assistance!

                                akuma1x @CompProbSolv

                                @compprobsolv said in Is ISP blocking all ports?:

                                their system is blocking most incoming ports when a static IP is used

                                Wow, that's completely backwards, at least to me. If you're paying for a static IP (don't know if they are or not) you should at least be able to get into your internal network from the outside, using almost any port you need. Strange stuff...

                                  Gertjan @akuma1x

                                  @akuma1x
                                  Not really.
                                  Static IP == easier DNS handling - no need to deal with DynDNS.
                                  But why use a static IP if you can't access it ... right, this is strange.
                                  Even openvpn won't work ?

                                  Guess @CompProbSolv found himself a new reason to ditch an ISP.

                                  No "help me" PM's please. Use the forum, the community will thank you.
                                  Edit : and where are the logs ??

                                    johnpoz LAYER 8 Global Moderator @CompProbSolv

                                    @compprobsolv what would be the point of static IP if your inbound is blocked, agree with other comments doesn't make any sense.

                                    Only scenario where it would make sense is if you were sending mail from the ip, and need to be able to set a PTR on the IP, etc. But the common need of a static IP is for inbound traffic.

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      CompProbSolv

                                      @johnpoz said in Is ISP blocking all ports?:

                                      @compprobsolv what would be the point of static IP if your inbound is blocked

                                      That's the issue exactly. This is the first time I've run into an ISP that blocks many (most) ports on a static IP service.

                                        johnpoz LAYER 8 Global Moderator @CompProbSolv

                                        @compprobsolv But they let some through?

                                          CompProbSolv

                                          @gertjan said in Is ISP blocking all ports?:

                                          Even openvpn won't work ?

                                          No. I can't set it up as the packets from the client never make it to the public side of the firewall. I've confirmed that through WireShark, monitoring OpenVPN, and other means.

                                            johnpoz LAYER 8 Global Moderator @CompProbSolv

                                            @compprobsolv simple way to see if any traffic is hitting your wan is just packet capture in pfsense. Under diagnostics, you could do an online nmap scan to see what ports are open if any. Or simple shields up over on grc.com while you're doing a packet capture would tell you what ports are getting to your wan.

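An added example (not part of the original thread) of reading the WAN capture suggested in the replies: given `tcpdump -n` style text lines taken during an outside TCP port scan, it separates ports whose SYN never arrived (blocked upstream) from ports that arrived and were answered or silently dropped by a local rule. The function name, verdict labels and capture lines are constructed; the addresses are documentation ranges.

```python
import re

# One tcpdump -n text line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [..], ..."
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

# Constructed sample capture on WAN (203.0.113.10) during a scan from 198.51.100.7.
SAMPLE_CAPTURE = """\
10:00:01.000100 IP 198.51.100.7.40001 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
10:00:01.000300 IP 203.0.113.10.443 > 198.51.100.7.40001: Flags [S.], seq 9, ack 2, win 65228, length 0
10:00:01.100100 IP 198.51.100.7.40002 > 203.0.113.10.8080: Flags [S], seq 1, win 64240, length 0
10:00:01.200100 IP 198.51.100.7.40003 > 203.0.113.10.22: Flags [S], seq 1, win 64240, length 0
10:00:01.200300 IP 203.0.113.10.22 > 198.51.100.7.40003: Flags [R.], seq 0, ack 2, win 0, length 0
"""


def classify_ports(capture_text, wan_ip, scanner_ip, probed_ports):
    """Return {port: verdict} for every TCP port the scanner probed."""
    syn_seen, replies = set(), {}
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if src == scanner_ip and dst == wan_ip and flags == "S":
            syn_seen.add(int(dport))             # probe reached the WAN interface
        elif src == wan_ip and dst == scanner_ip:
            if flags == "S.":
                replies[int(sport)] = "open"     # SYN-ACK sent back
            elif "R" in flags:
                replies.setdefault(int(sport), "closed")  # RST sent back
    verdicts = {}
    for port in probed_ports:
        if port not in syn_seen:
            verdicts[port] = "upstream"          # never arrived: filtered before WAN
        else:
            # Arrived but unanswered means a local rule dropped it silently.
            verdicts[port] = replies.get(port, "dropped-locally")
    return verdicts


if __name__ == "__main__":
    result = classify_ports(SAMPLE_CAPTURE, "203.0.113.10", "198.51.100.7",
                            [22, 23, 25, 443, 8080])
    for port, verdict in sorted(result.items()):
        print(port, verdict)
```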
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.