Is ISP blocking all ports?
-
@compprobsolv You may not actually be able to do that; some ISPs require their modem/router on their internet connection. If you can, putting it into bridge mode will pretty much silence it and make it so that you can pass any and all traffic directly through it and into your pfsense box. You have to find out, however, like has been stated above, if they are doing CGNAT, otherwise this exercise still won't work. You should be able to call them and ask these questions.
-
The ISP claims that the modem/router is in bridged mode. I've learned to be skeptical about such claims if I can't verify them. I've found techs to be wrong about this too many times.
We'll check on CGNAT.
-
Part of my reluctance to stay with the modem/router is twofold. I've dealt with ISPs where they didn't have a simple bridge mode and it took several settings to accomplish passing all traffic through. A lot of time can be wasted if a setting is missed. That goes away when there is a simple modem.
My second concern is that numerous times I've run into tech support telling the client to reset the modem/router without considering any programming (LAN IP, WAN IP, bridge mode, DHCP, forwarding, etc.) that may be present. If there is anything non-default, a whole new set of problems arise.
-
@compprobsolv I feel the same. I've got a Comcast business connection, and even though in the modem config screens there is a function to put the modem into bridge mode, I still had to call them and ask them to config it to always be in that mode. Didn't matter what I changed in the settings, it always went back to router mode.
Ever since that phone call, it's been just fine, and I can config pfsense to use it as a WAN interface with the Comcast static public IP address. They didn't actually call it bridge mode, it was something else, but I don't remember anymore.
-
If the ISP modem/router is truly in bridge mode then I would expect pfSense to have a public IP on its WAN.
If it has a private IP then something upstream is NATing. Either the modem/router is still routing (not bridged) or the ISP is applying CGN. Probably the former.
Steve
-
@compprobsolv said in Is ISP blocking all ports?:
We'll check on CGNAT
Did you compare your WAN address with what www.grc.com shows?
-
@stephenw10
The pfSense device has a static public IP on the WAN interface.
-
@stephenw10
Worked with the ISP today. The tech insists it is in bridge mode, though I'm skeptical about whether or not all packets are being passed through. They agreed to replace the modem/router with a real modem.
@compprobsolv said in Is ISP blocking all ports?:
The pfSense device has a static public IP on the WAN interface.
That's fine then. Either it's actually bridged or it's routing that to you. Both are fine and should allow incoming traffic as long as the ISP is not filtering it.
Run a packet capture or just check the firewall logs after running the shields up test. You should see all the incoming connections from it.
ISPs do block some common ports like unencrypted email and telnet. Nobody should be using those anyway!
Steve
-
I wanted to follow up to finish this off.
After much effort with the ISP, it is clear to me that their system is blocking most incoming ports when a static IP is used. When we switch to DHCP (different service), there are no such issues.
We tried a simple modem (vs. modem/router) and the problems persisted.
Despite working with several techs at the ISP, I wasn't able to get any of them to acknowledge the problem itself, let alone resolve it.
The client has switched to a dynamic IP and we're making that work.
Thank you for your assistance!
-
@compprobsolv said in Is ISP blocking all ports?:
their system is blocking most incoming ports when a static IP is used
Wow, that's completely backwards, at least to me. If you're paying for a static IP (don't know if they are or not) you should at least be able to get into your internal network from the outside, using almost any port you need. Strange stuff...
-
@akuma1x
Not really.
Static IP == easier DNS handling - no need to deal with DynDNS.
But why use a static IP if you can't access it ... right, this is strange.
Even openvpn won't work? Guess @CompProbSolv found himself a new reason to ditch an ISP.
-
@compprobsolv What would be the point of a static IP if your inbound is blocked? I agree with the other comments, it doesn't make any sense.
Only scenario where it would make sense is if you were sending mail from the ip, and need to be able to set a PTR on the IP, etc. But the common need of a static IP is for inbound traffic.
-
@johnpoz said in Is ISP blocking all ports?:
@compprobsolv what would be the point of static IP if your inbound is blocked
That's the issue exactly. This is the first time I've run into an ISP that blocks many (most) ports on a static IP service.
-
@compprobsolv But they let some through?
-
@gertjan said in Is ISP blocking all ports?:
Even openvpn won't work ?
No. I can't set it up as the packets from the client never make it to the public side of the firewall. I've confirmed that through Wireshark, monitoring OpenVPN, and other means.
-
@compprobsolv A simple way to see if any traffic is hitting your WAN is just a packet capture in pfSense. Under Diagnostics, you could do an online nmap scan to see what ports are open, if any. Or simply Shields Up over on grc.com while you're doing a packet capture would tell you what ports are getting to your WAN.
-
@johnpoz said in Is ISP blocking all ports?:
But they let some through?
Yes. I can see packets on port 443, for example, but not on 444 or on 1194. If I do the same test with the dynamic IP, I can see 1194 and just about any other port I try.
I was incorrect when I stated "We tried a simple modem (vs. modem/router) and the problems persisted". Looking at my notes, this ISP (Spectrum) won't allow a modem to be used on their static IP service. It has to be their modem/router which they claim to put in bridged mode to pass everything.
just packet capture in pfsense
I had actually started with that as my test. When I couldn't see the packets arriving, I swapped the firewall out with a computer (using the public IP address on the computer's NIC) and used Wireshark to confirm. I'm getting the same results (both successes and failures) with Wireshark that I'm getting with the packet capture on the pfSense.
shields up over on grc.com
I believe that I did try this. It has been some months since we moved past this project, so I'm not certain.
While I appreciate your input, my reason for posting today was to clean up the post and state how I worked around it. We concluded that either we switch to a dynamic IP (which we did, with a standalone modem before the pfSense box) or switch ISPs. The client wasn't ready to switch ISPs at this point. We can work around the dynamic IP well enough.
Thank you again for your comments.
-
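Added example, not code from the thread, from pfSense or from any poster: a small Python script that does the two checks described in the posts above, classifying the address on the pfSense WAN against what an outside service such as grc.com reports (to tell CGNAT or a still-routing modem/router from a true public address) and comparing the destination ports that appear as inbound SYNs in a WAN packet capture with the ports probed from outside. The addresses, ports and capture lines are constructed sample data, and the function names are mine.

```python
import ipaddress
import re

# RFC 6598 shared address space: the range carrier-grade NAT hands out
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges: a WAN address here means the modem/router is still routing
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, external_ip: str) -> str:
    """Compare the address on the WAN interface with the one the outside sees.

    Returns one of: cgnat, upstream-nat, mismatch, public.
    """
    wan = ipaddress.ip_address(wan_ip)
    ext = ipaddress.ip_address(external_ip)
    if wan in CGNAT:
        return "cgnat"          # ISP applies CGN; inbound connections cannot reach you
    if any(wan in net for net in RFC1918):
        return "upstream-nat"   # modem/router is not bridged, it is NATing
    if wan != ext:
        return "mismatch"       # public address, but not the one the outside sees
    return "public"             # bridged, or routed straight to the firewall


def missing_ports(capture_lines, wan_ip, probed_ports):
    """Probed ports for which no inbound SYN to wan_ip appears in the capture.

    capture_lines are tcpdump-style summary lines as pfSense's Diagnostics >
    Packet Capture shows them (constructed here, not a real capture).
    """
    syn = re.compile(r" > " + re.escape(wan_ip) + r"\.(\d+): Flags \[S\]")
    seen = {int(m.group(1)) for line in capture_lines if (m := syn.search(line))}
    return sorted(p for p in probed_ports if p not in seen)


# Constructed capture: the probe to 443 arrived and was answered; 444 and 1194 never showed up
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 198.51.100.5.40001 > 203.0.113.10.443: Flags [S], seq 1, win 8192, length 0",
    "12:00:01.000300 IP 203.0.113.10.443 > 198.51.100.5.40001: Flags [S.], seq 2, ack 2, win 65535, length 0",
]

if __name__ == "__main__":
    print(classify_wan("203.0.113.10", "203.0.113.10"))                     # public
    print(missing_ports(SAMPLE_CAPTURE, "203.0.113.10", [443, 444, 1194]))  # [444, 1194]
```

A "cgnat" or "upstream-nat" result means inbound tests are pointless until the ISP or the modem/router is fixed; a "public" result with ports still missing from the capture points at filtering upstream, which is what this thread ended up finding.
-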
@compprobsolv no problem - didn't mean to drag out the thread ;)
I'm sure you've had your fill of the ISP nonsense. Did you send them your test results showing clearly ports not getting to your device when using the static?
Shame some of these ISPs can be so clueless sometimes. You for sure would need to escalate this up the support model to level 2 or even level 3 to get someone that has even an idea what you're talking about ;)
At least you found a workaround, so guess they can save whatever $ they were spending extra for the "static" ;)
-
@johnpoz said in Is ISP blocking all ports?:
did you send them your test results showing clearly ports not getting to your device when using the static
I sent them detailed reports with very specific comments about what did and did not work.
I was told it was escalated to level 2, but never was able to talk to a tech who seemed to have a clue. The common response was "we set up the modem/router correctly, it should work", despite the fact that each tech said that the last one didn't quite get it right.
I never did speak to anyone (or hear second-hand) at the ISP who acknowledged that there really was a problem.
It was all rather frustrating! I finally told my client that I didn't see us getting it resolved with that ISP.