pfsense openvpn won't connect from certain cable providers ?
-
@pfchangs77 You can sniff to make sure it goes on the wire there..
-
@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:
I am at the persons house that has the armstrong cable?
Aha !
You mean you're visiting some one, use their Wifi and you discovered that your outgoing connections are "limited" ? Ask the house admin if he is using pfSense or comparable / firewall router. Ask if he is filtering his 'public' wifi connection (because of kids and so).
Public data networks don't block VPN.
People, @home with their Wifi, they always block VPN "so junior can't activate a VPN so he can watch the youp*rn without daddy knowing it". This would explain your ".... won't connect from certain cable providers ?".
Easy, simple solution : use your phone and VPN access with the data carrier of your phone operator. If local available wifi works, fine. If it doesn't, no big deal either.
-
You mean you're visiting some one, use their Wifi and you discovered that your outgoing connections are "limited" ?
Yes correct outgoing is limited. Armstrong cable swears by it nothing is blocked. Armstrong says everything should work fine with pfsense.
As for the router at the house we reset I brought over other ones that worked fine at other locations. We can access the vpn fine by going through the phone carrier which is Verizon and tethering the phone.
-
@pfchangs77 So at this location that doesn't work - there is only the isp device, no other router at play.. Only isp gear?
Can you even ping pfsense wan IP from this location? You would have to allow for icmp on pfsense wan - it is not allowed out of the box.
-
I never did try to ping it but I will put it on my list the next time I go out. As for the isp, we did straight cable modem to pc too. I am having some others try with armstrong too hopefully find out something here in a bit, and I am going to try the sniffers with other Armstrong cable connections too
-
So tried other armstrong homes and all the other news seems to be working.... Old modems maybe?
-
@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:
we did straight cable modem to pc too
Cable modem - not a gateway.. You got a public IP when you plugged in to this device, and you had to reboot the device..
What is the make and model of this device.. There is sometimes a disconnect with terms.
There are really 3 terms.
Modem, Gateway and Router.
A modem is just that - a modem.. cable it has coax coming in and then normally only 1 ethernet port out. New ones can have more.. Mine has 2 for example - one is 1 gig, and the other supports 2.5ge.. Mine is an Arris S33. This is just a modem!
Then there is a gateway.. This is modem/router combo. It has the modem built right in, then normally has like 4 switch ports and wifi..
Then there is just a router.. This is wifi and switch ports - but you need a modem, be that cable modem or dsl, etc..
A modem there is really going to be no way a user could filter anything. ISP can set them up to filter, for example smb is almost always blocked.
Now a gateway or router can have features that allow the user to block, do qos, etc etc. Feature set depending on the firmware running on the device. Gateways are normally limited in their feature set, and you can not normally update the firmware. Now just a "router" can normally have more features - and if you run 3rd party firmware on them like dd-wrt, or openwrt etc.. even more features. But gateways almost never have the ability to run 3rd party firmware because it's really 2 devices the modem and router in 1 box.
Part of the confusion comes from stupid makers calling their devices that are really "gateways" modems.. If your device is doing wifi - it sure and the hell is not a "modem" for example.. it could be a gateway, or it could be a router - but it's not just a "modem"
example - there they are calling them wifi modems - BS ;) it's a damn gateway.. Stop using Modem in the name if it is more than a modem - call it a "gateway"
https://www.surfboard.com/products/wi-fi-cable-modems/
-
I'm pretty sure it was just a modem, not a router or switch or anything like that.
There was a nighthawk router hooked up to it. I even brought over other routers and same model of the nighthawk which and the same exact nighthawks that worked at other locations that worked absolutely fine too. Maybe Armstrong has some funky settings on the back end? (As for the modem I didn't look I will try to find out what model it is, before they replace it.)
haha oh yes I have seen those too modem/gateway etc haha call it the wrong thing that drives me nuts too.
-
@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:
Maybe Armstrong has some funky settings on the back end?
I would think unlikely - but what could be happening is they have an IP from their ISP range that isn't routing correctly to your IP.. Bad peering from some specific IP block of the isps? etc..
But you're never going to know anything if you don't actually validate the traffic gets to you at all, nor if you can even ping your IP from this location, etc.
If you can ping your IP from this location, but not seeing the default 1194 UDP hit your IP via sniff, then set up your vpn to listen on say tcp 443.
Or just try and open your IP from this location via https://yourip - do you see that in the sniff you're doing on your end?
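
The ping / sniff / TCP 443 decision described in the post above, as an added example that is not part of the original thread: it reads `tcpdump -n` text output captured on the pfSense WAN and reports which probes from the remote client actually arrived. The IP addresses (documentation ranges), the sample capture lines and the function names are constructed for illustration.

```python
import re

# One IPv4 line of `tcpdump -n` text output; the port suffix is absent for ICMP.
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)"
)

def observed(lines, client_ip, wan_ip):
    """Return which probe types sent by client_ip were seen arriving at wan_ip."""
    seen = set()
    for line in lines:
        m = LINE.search(line)
        if not m or m["src"] != client_ip or m["dst"] != wan_ip:
            continue  # unrelated traffic, or our own replies going out
        rest, dport = m["rest"], m["dport"]
        if rest.startswith("ICMP echo request"):
            seen.add("icmp")
        elif rest.startswith("Flags [S]") and dport == "443":
            seen.add("tcp/443")          # bare SYN from the https://yourip test
        elif dport == "1194" and not rest.startswith("Flags"):
            seen.add("udp/1194")         # default OpenVPN port, UDP
    return seen

def diagnose(seen):
    """Map what arrived to the next step suggested in the thread."""
    if "udp/1194" in seen:
        return "arrives"            # path is fine; check the WAN rule and OpenVPN log
    if seen:
        return "udp1194-dropped"    # client reaches the WAN, only 1194/udp is missing:
                                    # something upstream drops it; try listening on tcp 443
    return "nothing-arrives"        # routing/peering issue, or ICMP not allowed on WAN

# Constructed capture: cable client 203.0.113.7, tethered phone 192.0.2.44,
# pfSense WAN 198.51.100.10 (all documentation addresses).
WAN = "198.51.100.10"
SAMPLE = [
    "12:00:01.000101 IP 203.0.113.7 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 64",
    "12:00:01.000190 IP 198.51.100.10 > 203.0.113.7: ICMP echo reply, id 1, seq 1, length 64",
    "12:00:09.412000 IP 203.0.113.7.51514 > 198.51.100.10.443: Flags [S], seq 100, win 64240, length 0",
    "12:00:09.412090 IP 198.51.100.10.443 > 203.0.113.7.51514: Flags [S.], seq 7, ack 101, win 65228, length 0",
    "12:03:30.100000 IP 192.0.2.44.40211 > 198.51.100.10.1194: UDP, length 54",
]

if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.44"):
        seen = observed(SAMPLE, ip, WAN)
        print(ip, sorted(seen), diagnose(seen))
```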
-
arris cm3200a is the modem I am looking into the specs too.
-
@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:
cm3200a
that is just a cable modem, not modem/router gateway combo.
Docsis does have the ability to block traffic - as I mentioned smb is a big one that is blocked.. But udp 1194 for vpn.. That would be highly unlikely
Not sure why this thread is still going on.. I mean how hard is it to ping your IP and sniff, or try and open your IP via https://yourip - have your buddy do it from his machine.. Do you see those packets hit your pfsense wan?
Those are things any user can do, he doesn't need to craft a packet on udp, etc... This is a 30 second test.. You will know if the traffic is getting to you or not.
-
Ping -
haha, as for why it's going on, they do not even know what a modem is. I wish everyone could do it would make my life easier. The last time I asked someone to ping something they thought I was talking about pings chinese food. After an hour they finally understood I didn't want chinese food but still didn't understand a ping, even with a few videos, messages etc. And the next time I'm out in that area I am going to try a ping not unless we figure out the issue sooner which I will keep this forum updated.
Sniff -
Sorry, I thought I said up above I was going to try the sniff in the near future, and I only have so much free time with work going on, but I didn't say anything about the sniff this morning so I apologize for that. Last night did a bunch of sniffs. I did a bunch of sniffs last night while they were trying to connect. As for the sniff nothing was showing it was getting through at all for them.
Modem -
As for the modem we are just going to have Armstrong cable replace it and go from there. If by any chance I can get out there sooner then I will login to the back end of the modem and look and surely try pings too. I will keep you posted. Thanks again from everyone for the support and help so far.
-
@pfchangs77 replacing the modem isn't going to fix the problem of them being able to talk to your IP..
Them getting a different IP maybe...
Even if the guy is a complete and utter idiot when it comes to computers.. You can't walk him through opening a cmd prompt and typing in the command ping IPaddress?
Clearly he knows how to put an address into his browser..
-
Time is my enemy and it's not a big super rush, same with other people time is limited. But I surely appreciate the help and pointers so far.
-
So had our first great success with Armstrong. The first owner of the one modem called them to get it replaced and the tech support said oh you don't have to replace it, its blocked, we will unblock you. Took a 5 minute call and worked fine. So after roughly 35-40 tech contacts talking to 3 supervisors at the highest level got some mid range person and knew exactly right away it was blocked, and unblocked it. We can mark this solved.
thank you for everyone's help so far on this. Truly appreciated.
Anyone moving forward with stuff like this I suggest you go the route of viragomann do the packet sniff or a ping like johnpoz said if you can get to the other location and have time. Or if you can walk them through it too.
-
@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:
its blocked, we will unblock
@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:
However armstrong isn't blocking the out going
I thought they weren't blocking ;)
-
I apologize I wasn't that descriptive, on the last message with armstrong.
this was the old pfsense machine >> "However armstrong isn't blocking the out going" (I think there was some settings in the old machine that were set that was able to sneak through the armstrong block)
this was the new pfsense machine >> "its blocked, we will unblock"
but its working everywhere now new pfsense machine and old pfsense machine, after armstrong did the unblock.
-
@pfchangs77 Your old pfsense was most likely using some other port, like the mention of running openvpn on tcp 443 vs the default udp 1194.. Literally 2 second look at your config on your "old" pfsense would have seen what port it was listening on..
20 day thread for something that could have been solved in like 2 minutes if just would have done a sniff and understood what port you were listening on ;)
-
Sorry, I thought I did say I already tried different ports too. Yes I wish I would have done the sniff earlier too. (The people don't know me as well so just showing up at their house etc and trying to figure out everything in between always makes it take a bit longer with the scheduling.) Plus the first thing I did was call armstrong among many other things, thought maybe I had something incorrectly. Again thank you for the help.
-
@pfchangs77 well the important thing is you got it sorted.
So Armstrong is blocking 1194 udp? That is pretty shitty isp.. I could see blocking smb and or say smtp.. These are not things any home user should be using to connect to.. But in this day and age lots of users use vpn.. I would think they would have users leaving or complaining quite a bit..