Netgate Discussion Forum

    pfsense openvpn won't connect from certain cable providers ?

    72 Posts 7 Posters 12.7k Views
    • johnpozJ
      johnpoz LAYER 8 Global Moderator @pfchangs77
      last edited by johnpoz

      @pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

      Maybe Armstrong has some funky settings on the back end?

      I would think unlikely - but what could be happening is they have an IP from their ISP range that isn't routing correctly to your IP.. Bad peering from some specific IP block of the isps? etc..

      But you're never going to know anything if you don't actually validate the traffic gets to you at all, nor if you can even ping your IP from this location, etc.

      If you can ping your IP from this location, but not seeing the default 1194 UDP hit your IP via sniff, then setup your vpn to listen on say tcp 443.

      Or just try and open your IP from this location via https://yourip - do you see that in the sniff you're doing on your end?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11
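
The triage described in the post above (can the remote site ping you, does UDP 1194 show up in the sniff, does https arrive), as an added example that is not part of the original post. It assumes the capture is the text output of `tcpdump -nn` on the WAN interface; the addresses and capture lines are constructed.

```python
import re

# Matches one line of `tcpdump -nn` text output for IPv4:
#   <time> IP <src>[.<sport>] > <dst>[.<dport>]: <details>
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

def seen_probes(lines, client, wan):
    """Return the probe types from `client` that actually arrived at `wan`."""
    seen = set()
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["src"] != client or m["dst"] != wan:
            continue  # skip our own replies and unrelated hosts
        rest, dport = m["rest"], m["dport"]
        if rest.startswith("ICMP echo request"):
            seen.add("icmp")
        elif rest.startswith("UDP") and dport:
            seen.add(f"udp/{dport}")
        elif rest.startswith("Flags [S]") and dport:  # initial TCP SYN only
            seen.add(f"tcp/{dport}")
    return seen

def diagnose(seen, vpn="udp/1194"):
    """Map the set of arrived probes to one of three outcomes."""
    if vpn in seen:
        return "arrives"        # path is fine: look at WAN rules / OpenVPN config
    if seen:
        return "port-filtered"  # ping or https arrive, the VPN port does not
    return "unreachable"        # nothing arrives: routing/peering or full block

# Constructed sample capture (documentation addresses, not from the thread).
WAN = "203.0.113.10"
CAPTURE = """\
12:00:01.000001 IP 198.51.100.23.40000 > 203.0.113.10.1194: UDP, length 54
12:00:05.000002 IP 192.0.2.77 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 40
12:00:05.000090 IP 203.0.113.10 > 192.0.2.77: ICMP echo reply, id 1, seq 1, length 40
12:00:09.000003 IP 192.0.2.77.51514 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    for client in ("198.51.100.23", "192.0.2.77", "192.0.2.99"):
        seen = seen_probes(CAPTURE, client, WAN)
        print(client, sorted(seen), diagnose(seen))
```

A "port-filtered" result is the case where moving the listener to tcp 443 is worth trying; "unreachable" points away from the VPN port entirely.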

      • P
        pfchangs77 @johnpoz
        last edited by

        @johnpoz

        arris cm3200a is the modem I am looking into the specs too.

        • johnpozJ
          johnpoz LAYER 8 Global Moderator @pfchangs77
          last edited by johnpoz

          @pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

          cm3200a

          that is just a cable modem, not modem/router gateway combo.

          Docsis does have the ability to block traffic - as I mentioned smb is a big one that is blocked.. But udp 1194 for vpn.. That would be highly unlikely

          Not sure why this thread is still going on.. I mean how hard is it to ping your IP and sniff, or try and open your IP via https://yourip - have your buddy do it from his machine.. Do you see those packets hit your pfsense wan?

          Those are things any user can do, he doesn't need to craft a packet on udp, etc... This is a 30 second test.. You will know if the traffic is getting to you or not.

          • P
            pfchangs77 @johnpoz
            last edited by pfchangs77

            @johnpoz

            Ping -
            haha, as for why it's going on, they do not even know what a modem is. I wish everyone could do it would make my life easier. The last time I asked someone to ping something they thought I was talking about pings chinese food. After an hour they finally understood I didn't want chinese food but still didn't understand a ping, even with a few videos, messages etc. And the next time I'm out in that area I am going to try a ping not unless we figure out the issue sooner which I will keep this forum updated.

            Sniff -
            Sorry I thought I said up above I was going to try the sniff in the near future, and I only have so much free time with work going on, but I didn't say anything about the sniff this morning so I apologize for that. Last night did a bunch of sniffs. I did a bunch of sniffs last night while they were trying to connect. As for the sniff nothing was showing it was getting through at all for them.

            Modem -
            As for the modem we are just going to have Armstrong cable replace it and go from there. If by any chance I can get out there sooner then I will login to the back end of the modem and look and surely try pings too. I will keep you posted. Thanks again from everyone for the support and help so far.

            • johnpozJ
              johnpoz LAYER 8 Global Moderator @pfchangs77
              last edited by

              @pfchangs77 replacing the modem isn't going to fix the problem of them being able to talk to your IP..

              Them getting a different IP maybe...

              Even if the guy is a complete and utter idiot when it comes to computers.. You can't walk him through opening a cmd prompt and typing in the command ping IPaddress?

              Clearly he knows how to put an address into his browser..

              • P
                pfchangs77 @johnpoz
                last edited by pfchangs77

                @johnpoz

                Time is my enemy and it's not a big super rush same with other people time is limited. But I surely appreciate the help and pointers so far.

                • P
                  pfchangs77 @johnpoz
                  last edited by pfchangs77

                  @johnpoz

                  So had our first great success with Armstrong. The first owner of the one modem called them to get it replaced and the tech support said oh you don't have to replace it, its blocked, we will unblock you. Took a 5 minute call and worked fine. So after roughly 35-40 tech contacts talking to 3 supervisors at the highest level got some mid range person and knew exactly right away it was blocked, and unblocked it. We can mark this solved.

                  thank you for everyone's help so far on this. Truly appreciated.

                  Anyone moving forward with stuff like this I suggest you go the route of viragomann do the packet sniff or a ping like johnpoz said if you can get to the other location and have time. Or if you can walk them through it too.

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @pfchangs77
                    last edited by

                    @pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

                    its blocked, we will unblock

                    @pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

                    However armstrong isn't blocking the out going

                    I thought they weren't blocking ;)

                    • P
                      pfchangs77 @johnpoz
                      last edited by pfchangs77

                      @johnpoz

                      I apologize I wasn't that descriptive, on the last message with armstrong.

                      this was the old pfsense machine >> "However armstrong isn't blocking the out going" (I think there were some settings in the old machine that were set that were able to sneak through the armstrong block)

                      this was the new pfsense machine >> "its blocked, we will unblock"

                      but it's working everywhere now new pfsense machine and old pfsense machine, after armstrong did the unblock.

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @pfchangs77
                        last edited by johnpoz

                        @pfchangs77 Your old pfsense was most likely using some other port, like the mention of running openvpn on tcp 443 vs the default udp 1194.. Literally a 2 second look at your config on your "old" pfsense would have seen what port it was listening on..

                        20 day thread for something that could have been solved in like 2 minutes if you just would have done a sniff and understood what port you were listening on ;)

                        • P
                          pfchangs77 @johnpoz
                          last edited by

                          @johnpoz

                          Sorry I thought I did say I already tried different ports too. Yes I wish I would have done the sniff earlier too. (The people don't know me as well so just showing up at their house etc and trying to figure out everything in between always makes it take a bit longer with the scheduling.) Plus the first thing I did was call armstrong among many other things, thought maybe I had something incorrectly. Again thank you for the help.

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @pfchangs77
                            last edited by

                            @pfchangs77 well the important thing is you got it sorted.

                            So armstrong is blocking 1194 udp? That is pretty shitty isp.. I could see blocking smb and or say smtp.. These are not things any home user should be using to connect to.. But in this day and age lots of users use vpn.. I would think they would have users leaving or complaining quite a bit..

                            • S
                              SteveITS Galactic Empire @johnpoz
                              last edited by

                              @johnpoz said in pfsense openvpn won't connect from certain cable providers ?:

                              So armstrong is blocking 1194 udp

                              I might guess some ISPs see inbound VPN ports as requiring a business account. I vaguely recall hearing VPN usage from a home account being an issue around the start of COVID quarantines.

                              I found out AT&T Business Fiber blocks outbound port 25 unless you ask them not to.
                              (ಠ_ಠ)

                              Xfinity maintains a list: https://www.xfinity.com/support/articles/list-of-blocked-ports (which generally are not a problem)

                              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                              Upvote 👍 helpful posts!

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator @SteveITS
                                last edited by johnpoz

                                @SteveITS said in pfsense openvpn won't connect from certain cable providers ?:

                                inbound VPN ports as requiring a business account

                                But this isn't an inbound block - maybe they are blocking that too.. But this is an outbound block from this armstrong house to his pfsense at some other location.

                                At least that was my understanding.

                                • P
                                  pfchangs77 @johnpoz
                                  last edited by

                                  would be nice to know what's really going on. They never actually said what was blocked the other day.

                                  • GertjanG
                                    Gertjan @pfchangs77
                                    last edited by

                                    @pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

                                    They never actually said what was blocked the other day.

                                    Check their web site support pages ?!
                                    If they block more than the classic "TCP destination port 25" (and NetBIOS 😊 ) they will have 'exceptions' listed in the contract or commercial documentation, otherwise they would have to invest heavily in the after sales and support department.

                                    No "help me" PM's please. Use the forum, the community will thank you.
                                    Edit : and where are the logs ??

                                    • P
                                      pfchangs77 @johnpoz
                                      last edited by

                                      @johnpoz

                                      Correct, however we did end up trying other armstrong customers around the area which worked fine too. So it doesn't explain why some armstrong customers do and some armstrong customers don't have it blocked. Because I know at least one account was a brand new account. Maybe some old feature? Haven't gotten a straight answer from them.

                                      • P
                                        pfchangs77 @Gertjan
                                        last edited by pfchangs77

                                        @Gertjan

                                        This is all I could come up with https://armstrongonewire.com/Support/Internet/Articles/PortFilter

                                        And I asked many times. And when I spoke to the so called supervisors they told me they blocked nothing even though when I asked them about that web page - https://armstrongonewire.com/Support/Internet/Articles/PortFilter

                                        Yea I have to agree it would be wonderful to get some answers or closure.

                                        • GertjanG
                                          Gertjan @pfchangs77
                                          last edited by

                                          @pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

                                          This is all I could come up with https://armstrongonewire.com/Support/Internet/Articles/PortFilter

                                          I can't visit that link 😠
                                          But I get it : I visit from France, and that might be suspect. My IP was blocked.
                                          DNS is fine, that is, an A record exists. AAAA (IPv6) : that's a no go.

                                          • S
                                            SteveITS Galactic Empire @Gertjan
                                            last edited by

                                            @Gertjan said in pfsense openvpn won't connect from certain cable providers ?:

                                            can't visit that link

                                            It says, "...blocks certain ports. Ports 25, 67, 135-142, 161-162, 445, and 520 are blocked. Blocking these ports reduces network congestion and protects customers .... Email hosting is limited to commercial customers subscribing to Zoom Professional or above upon request."

                                            FWIW we have seen Comcast's built-in but hidden router security do weird things like block specific inbound ports from specific IPs (fixed by restarting, and once powering off the Comcast router).

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.