pfsense openvpn won't connect from certain cable providers ?
-
@Gertjan said in pfsense openvpn won't connect from certain cable providers ?:
This means I have to add a firewall WAN rule for every incoming connection.
You're not wanting to say you have to remove the rfc1918 block, are you? Even if pfsense has an rfc1918 wan, i.e. behind a nat. That block rfc1918 rule only blocks a source of rfc1918.. It wouldn't stop some traffic that is coming from say 1.2.3.4 hitting your isp router, that you port forward to your pfsense wan. Unless your isp device was doing source natting and making that traffic look like it came from its rfc1918 address.
The block rfc1918 rule on the wan only needs to be removed when the "source" of the traffic would be rfc1918; it doesn't block traffic if the source is public and your pfsense wan is rfc1918. I.e. pfsense behind some upstream nat router.
BTW - your pass rules, why are you using dest "this firewall"? This would include all pfsense IPs; for stuff like openvpn this should really only be your pfsense wan address..
-
Thank you, I was just trying other settings thought maybe I missed something. I am just trying everything I possibly can to get this working. Any thoughts on the modem going bad? (Armstrong swears by it that everything is just like every other company. However they are the only one that will not connect.)
-
@pfchangs77 if you're having an issue with someone connecting, to any service really on pfsense, the first thing I would do is a sniff of the traffic (packet capture).. If pfsense never sees the traffic, it doesn't matter if you have some service listening or firewall rules to block or allow, etc. Pfsense can do nothing wrong or right with the traffic if it is not actually being seen.
So start a packet capture under the diagnostic menu.. Send your traffic from your source client - do you see it hit pfsense? If not then there is nothing pfsense can do with or about that traffic..
-
I did the new one everything seems fine so far.
-
@pfchangs77 well if you can talk to one then you're sure you're getting to that one.. The 1st thing to do in troubleshooting something not working, be it you can't access some service on pfsense, or some port forward through pfsense is not working, is validation that pfsense is actually seeing the traffic.. Like I said, if pfsense never sees the traffic, nothing you do on pfsense is going to get it to work..
-
Sorry, that first message I edited incorrectly. Yes, no logs, no nothing from armstrong. However Tmobile, verizon, spectrum and everything else works, and the list goes on, just fine.
The log just looks like this - (and for the record I am currently connected to the new one through spectrum basically). I also did check through all the logs in the openvpn and no connections, not even errors where they wouldn't connect from armstrong, in https://pfsense/status_logs.php?logfile=openvpn
13:49:30.356812 ARP, Request who-has xxx tell xxx length 46
13:49:30.361777 ARP, Request who-has xxx tell xxx, length 46
13:49:30.363927 ARP, Request who-has xxx tell xxx length 46
13:49:30.367753 ARP, Request who-has xxx tell xxx length 46
13:49:30.382785 ARP, Request who-has xxx tell xxx length 46
13:49:30.382854 IP xxx > xxx: ICMP echo request, id 37374, seq 24048, length 9
13:49:30.390667 IP xxx > xxx: ICMP echo reply, id 37374, seq 24048, length 9
13:49:30.401786 ARP, Request who-has xxx tell xxx, length 46
-
@pfchangs77 I think you've said several times it works from some ISPs and not other ISPs. Correct?
So either the outgoing ISP (remote end) is blocking it, or the incoming ISP is blocking it from that outgoing ISP. It can't be anything in the pfSense config if the same clients can connect from other locations. Unless you have that pfSense blocking connections for some other reason (Suricata, pfBlocker list, etc.).
-
Correct, it connects fine from every single isp I have tried, everything from home modems to mobile phone tethering, coffee shops etc. I think I am up to 17 different providers. As of now the only thing I can't get through on is armstrong cable.
And nothing like Suricata, pfBlocker. It's a stock machine basically. I thought maybe I had a setting incorrect somewhere too. I have even gone as far as trying different routers and taking them over. However there is an old pfsense machine on (spectrum) that will let me connect from armstrong and that's why I was thinking it's a setting.
However the new pfsense machine is on armstrong too, but I can connect fine from the other 17 different providers, just not from any device with another armstrong connection. Maybe something is conflicting there?
And yes I agree, I think it's something that armstrong is blocking with the outgoing to >> the new pfsense machine. However armstrong isn't blocking the outgoing >> old pfsense machine on spectrum because I can connect to it.
-
@pfchangs77 again, a 10 second sniff would validate that pfsense is either seeing it or not seeing it.. If not seeing it, then you know for a fact that something upstream is blocking it.. Either at the sender source, or something in your isp above pfsense, or something between.. It would take all of like 30 seconds tops to validate if pfsense is seeing it or not..
-
With the sniff I provided above that didn't help with anything? (I am not sure exactly what you are looking for with the sniff.) I have never had any issues with any other pfsense I setup before. I apologize for my ignorance on this one.
-
@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:
I am not sure exactly what you are looking for with the sniff.
The sniff test will prove that traffic reaches pfSense.
You'll be looking at the packets coming in, and check for the presence of the IP you are using with the OpenVPN client.
Example : you have an OpenVPN UDP port 1195 open on the WAN. You have a firewall rule on WAN with these settings :
- WAN
- Using protocol UDP
- on port 1195.
Start the sniff.
Now, start the OpenVPN client on a device, also connected to WAN (== the Internet which means no Wifi active on that device).
If the sniffer starts to show incoming packets, and the source IP of these packets has the IP of the device you are using with the OpenVPN client, you now know that traffic from this device reaches pfSense.
Which means the traffic reaches the OpenVPN server.
If no traffic comes in, locate the WAN cable on pfSense, and then follow this cable upstream. You might be needing your car to find the device where your traffic got stuck.
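The sniff test described above (and the "does pfsense even see it" check johnpoz keeps asking for) boils down to reading the capture for one thing: does a UDP packet from the client's public IP arrive at the WAN address on the OpenVPN port, and does the server answer it. The script below is an added example, not code from the thread or from pfSense; it parses the one-line-per-packet text that the pfSense packet capture page and tcpdump print with `-n`, using a constructed capture with documentation-range addresses (198.51.100.5 as the WAN IP, 203.0.113.10 as the client, port 1195 from Gertjan's example) and returns one of three verdicts: nothing from the client seen (blocked upstream of pfSense), seen but never answered (pfSense got it, so look at the WAN rule and the OpenVPN log), or a two-way exchange. The assumption that the server replies from the same UDP port it listens on holds for OpenVPN over UDP; `capture_filter()` builds the BPF expression you would feed the capture so only that traffic is recorded.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# One-line-per-packet format tcpdump prints for IPv4/UDP with -n, e.g.
#   13:49:31.004120 IP 203.0.113.10.51234 > 198.51.100.5.1195: UDP, length 54
UDP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

# Constructed values for the example (documentation address ranges).
WAN_IP = "198.51.100.5"      # pfSense WAN address
CLIENT_IP = "203.0.113.10"   # public address of the device running the OpenVPN client
TUNNEL_PORT = 1195           # the UDP port the WAN rule passes, as in the post above

# Constructed capture: ARP and ICMP noise like the one pasted in the thread,
# then one OpenVPN packet from the client and the server's answer.
SAMPLE_CAPTURE = """\
13:49:30.356812 ARP, Request who-has 198.51.100.1 tell 198.51.100.5, length 46
13:49:30.382854 IP 198.51.100.5 > 198.51.100.1: ICMP echo request, id 37374, seq 24048, length 9
13:49:30.390667 IP 198.51.100.1 > 198.51.100.5: ICMP echo reply, id 37374, seq 24048, length 9
13:49:31.004120 IP 203.0.113.10.51234 > 198.51.100.5.1195: UDP, length 54
13:49:31.006981 IP 198.51.100.5.1195 > 203.0.113.10.51234: UDP, length 66
""".splitlines()


@dataclass
class UdpPacket:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_udp(lines: Iterable[str]) -> List[UdpPacket]:
    """Keep only IPv4/UDP packets; ARP, ICMP and anything else is skipped."""
    packets = []
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if m:
            packets.append(UdpPacket(m["ts"], m["src"], int(m["sport"]),
                                     m["dst"], int(m["dport"]), int(m["len"])))
    return packets


def capture_filter(wan_ip: str, client_ip: str, port: int = TUNNEL_PORT) -> str:
    """BPF expression limiting the capture to the tunnel port between the two hosts."""
    return f"udp port {port} and host {wan_ip} and host {client_ip}"


def diagnose(lines: Iterable[str], wan_ip: str, client_ip: str,
             port: int = TUNNEL_PORT) -> str:
    """Classify a capture taken on the WAN interface while the client tries to connect."""
    packets = parse_udp(lines)
    inbound = [p for p in packets
               if p.src == client_ip and p.dst == wan_ip and p.dport == port]
    outbound = [p for p in packets
                if p.src == wan_ip and p.sport == port and p.dst == client_ip]
    if not inbound:
        # Nothing from the client ever arrived: the block is upstream of pfSense.
        return "not-seen"
    if not outbound:
        # Client packets arrived but the server never answered: check the WAN
        # rule (dest = WAN address, UDP, port) and the OpenVPN server log.
        return "seen-no-reply"
    return "handshake"


if __name__ == "__main__":
    print("filter:", capture_filter(WAN_IP, CLIENT_IP))
    print("verdict:", diagnose(SAMPLE_CAPTURE, WAN_IP, CLIENT_IP))
```

Run the capture on the WAN interface for the few seconds the client is retrying, save the text output and pass its lines to `diagnose()`; a "not-seen" result with the client known to be sending is exactly the "follow the cable upstream" case, while "seen-no-reply" means the cable provider is not the problem.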
-
Gotcha, thank you. I provided the incorrect sniff packet. I will do that, then go from there. Thank you. And follow up from there.
Also one last thought, is there any tool I can use from the other end, when I am at the person's house that has the armstrong cable?
-
@pfchangs77 You can sniff to make sure it goes on the wire there..
-
@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:
I am at the persons house that has the armstrong cable?
Aha !
You mean you're visiting someone, use their Wifi and you discovered that your outgoing connections are "limited" ?
Ask the house admin if he is using pfSense or a comparable firewall / router. Ask if he is filtering his 'public' wifi connection (because of kids and so on).
Public data networks don't block VPN.
People, @home with their Wifi, they always block VPN "so junior can't activate a VPN so he can watch the youp*rn without daddy knowing it".
This would explain your ".... won't connect from certain cable providers ?".
Easy, simple solution : use your phone and VPN access with the data carrier of your phone operator. If locally available wifi works, fine. If it doesn't, no big deal either.
-
You mean you're visiting some one, use their Wifi and you discovered that your outgoing connections are "limited" ?
Yes, correct, outgoing is limited. Armstrong cable swears by it that nothing is blocked. Armstrong says everything should work fine with pfsense.
As for the router at the house, we reset it; I brought over other ones that worked fine at other locations. We can access the vpn fine by going through the phone carrier, which is Verizon, and tethering the phone.
-
@pfchangs77 So at this location that doesn't work - there is only the isp device, no other router at play.. Only isp gear?
Can you even ping pfsense wan IP from this location? You would have to allow for icmp on pfsense wan - it is not allowed out of the box.
-
I never did try to ping it but I will put it on my list the next time I go out. As for the isp, we did straight cable modem to pc too. I am having some others try with armstrong too, hopefully to find out something here in a bit, and I am going to try the sniffers with other Armstrong cable connections too.
-
So tried other armstrong homes and all the other news seems to be working.... Old modems maybe?
-
@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:
we did straight cable modem to pc too
Cable modem - not a gateway.. You got a public IP when you plugged in to this device, and you had to reboot the device..
What is the make and model of this device.. There is sometimes a disconnect with terms.
There are really 3 terms.
Modem, Gateway and Router.
A modem is just that - a modem.. For cable it has coax coming in and then normally only 1 ethernet port out. New ones can have more.. Mine has 2 for example - one is 1 gig, and the other supports 2.5ge.. Mine is an Arris S33. This is just a modem!
Then there is a gateway.. This is a modem/router combo. It has the modem built right in, then normally has like 4 switch ports and wifi..
Then there is just a router.. This is wifi and switch ports - but you need a modem, be that cable modem or dsl, etc..
With a modem there is really going to be no way a user could filter anything. The ISP can set them up to filter, for example smb is almost always blocked.
Now a gateway or router can have features that allow the user to block, do qos, etc etc. The feature set depends on the firmware running on the device. Gateways are normally limited in their feature set, and you can not normally update the firmware. Now just a "router" can normally have more features - and if you run 3rd party firmware on them like dd-wrt, or openwrt etc.. even more features. But gateways almost never have the ability to run 3rd party firmware because it's really 2 devices, the modem and router, in 1 box.
Part of the confusion comes from stupid makers calling their devices that are really "gateways" modems.. If your device is doing wifi - it sure as hell is not a "modem" for example.. it could be a gateway, or it could be a router - but it's not just a "modem".
Example - there they are calling them wifi modems - BS ;) it's a damn gateway.. Stop using Modem in the name if it is more than a modem - call it a "gateway"
https://www.surfboard.com/products/wi-fi-cable-modems/
-
I'm pretty sure it was just a modem, not a router or switch or anything like that.
There was a nighthawk router hooked up to it. I even brought over other routers, the same model of the nighthawk, and the same exact nighthawks that worked at other locations, and they worked absolutely fine too.
Maybe Armstrong has some funky settings on the back end? (As for the modem I didn't look; I will try to find out what model it is, before they replace it.)
Haha, oh yes I have seen those too, modem/gateway etc haha. Calling it the wrong thing drives me nuts too.