Comcast Business maintenance, now OpenVPN not working
-
2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE
Comcast Business with static IP. Received a message that they were doing maintenance Friday morning midnight till 6am. They forgot to put our Comcast modem back into passthrough. They fixed that. Today, cannot connect OpenVPN into the router. The IPsec tunnels to the other site are working, but the OpenVPN Connect client now times out. Looking in the firewall, no blocking of my public WAN and nothing in the logs. Called Comcast multiple times, they removed the firewall and the security edge. I have had the modem rebooted and our router several times. We have not made any changes on our network at all.
Any ideas would be greatly appreciated... Strange no issue for years, until they did their maintenance...
Thanks,
Brian -
@brianjmc1 it’s probably not in passthrough.
If you allow ICMP on WAN can you ping from outside? If you disable that rule does it still answer (meaning, it’s not pfSense answering)?
Is your WAN IP a CGNAT IP?
-
@SteveITS said in Comcast Business maintenance, now OpenVPN not working:
CGNAT IP
So I added a rule to allow ICMP on WAN, then pinged it, all good, receiving a response. Removed the rule and pinged the WAN IP again and no response.
No, this is not a CGNAT IP, we have a static IP from Comcast.
Thanks for taking the time to answer!
Brian -
@brianjmc1 Is the OpenVPN connection inbound or outbound?
What model cable modem did they stick you with? Puma chipset equipped modems can be trouble with UDP connections.. makes me wonder if they did a firmware update on your modem during the "maintenance" that mucked things up.
-
@brianjmc1 said in Comcast Business maintenance, now OpenVPN not working:
we have a static IP from Comcast
Do you know what port the OpenVPN client is using? Like 1194?
You know the protocol? Like UDP?
That's all you need "to check things on your side". Go here :
and select the WAN interface, UDP as the protocol and 1194 as the port, and hit Start.
.... and nothing shows up here :
Now, get your OpenVPN client device - do not use the wifi, use the phone ISP data connection !! - and launch the OpenVPN client.
The IP it's using is your static IP?
You should see the packet capture now logging the OpenVPN traffic between the client device and the pfSense OpenVPN server.
Like this :
If not, then you have solid proof the traffic never reaches the WAN interface of pfSense.
Btw : I don't know who Comcast is, I'm from France (that's Europe ^^) but still : an ISP that can change their device's firewall rules or operating mode ? Are you sure ?
My ISP box is there for me to admin, not me (for me Orange, France).
Typically, the ISP and ISP box is there to create the connection, and that's it. If they (the ISP) can also change things whenever they want, you have to check your ISP box settings all the time.
I place a "UDP port 1194 to the WAN IP of pfSense" == NAT rule in my ISP's box, and that's it. -
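A small way to read the WAN-side capture Gertjan describes, added here as an example and not part of the forum thread. It parses tcpdump-style lines (the format pfSense's packet capture page prints) and reduces them to the three outcomes the thread turns on: nothing on the OpenVPN port ever reached WAN (the ISP device or modem mode is the problem), client packets arrive but pfSense never answers (look at the OpenVPN service or its WAN rule), or both directions are present. The addresses, port and capture lines are constructed (RFC 5737 documentation ranges); it assumes IPv4 and UDP, which is what the post is checking.

```python
import re
from typing import Iterable

# Matches the host.port pairs tcpdump (and pfSense's packet capture page) prints
# for IPv4 UDP datagrams, e.g.:
#   12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.5.1194: UDP, length 54
UDP_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)


def classify_capture(lines: Iterable[str], wan_ip: str, vpn_port: int = 1194) -> str:
    """Summarise what a WAN capture says about an OpenVPN server on wan_ip:vpn_port.

    Returns one of:
      "no_inbound"       - nothing for the server port reached the WAN interface,
                           so the fault is upstream (ISP device, modem mode, CGNAT)
      "inbound_no_reply" - client packets arrive but pfSense never answers: check
                           the OpenVPN service, its WAN rule or interface binding
      "bidirectional"    - both directions present; the handshake reaches pfSense
    """
    inbound = outbound = 0
    for line in lines:
        m = UDP_LINE.search(line)
        if not m:
            continue  # non-UDP or unparseable line, ignore it
        if m["dst"] == wan_ip and int(m["dport"]) == vpn_port:
            inbound += 1
        elif m["src"] == wan_ip and int(m["sport"]) == vpn_port:
            outbound += 1
    if inbound == 0:
        return "no_inbound"
    if outbound == 0:
        return "inbound_no_reply"
    return "bidirectional"


# Constructed sample captures (RFC 5737 documentation addresses, not real hosts).
WAN_IP = "198.51.100.5"
CLIENT_IP = "203.0.113.10"

# Only unrelated background traffic, nothing on UDP 1194: the situation in the thread.
CAPTURE_ISP_DROPS = [
    "12:00:01.000001 IP 192.0.2.9.53 > 198.51.100.5.41000: UDP, length 80",
]
# Client retries reach WAN, pfSense stays silent.
CAPTURE_SERVER_SILENT = [
    "12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.5.1194: UDP, length 54",
    "12:00:03.000001 IP 203.0.113.10.51234 > 198.51.100.5.1194: UDP, length 54",
]
# Normal handshake: client packet in, server packet out.
CAPTURE_HEALTHY = [
    "12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.5.1194: UDP, length 54",
    "12:00:01.004000 IP 198.51.100.5.1194 > 203.0.113.10.51234: UDP, length 68",
]

if __name__ == "__main__":
    for name, cap in [("isp_drops", CAPTURE_ISP_DROPS),
                      ("server_silent", CAPTURE_SERVER_SILENT),
                      ("healthy", CAPTURE_HEALTHY)]:
        print(name, "->", classify_capture(cap, WAN_IP))
```

Feed it the saved capture text instead of the constructed lists to apply the same reading to a real run; a "no_inbound" verdict while the client is retrying is the "solid proof" the post refers to.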
@chpalmer - no traffic in the packet capture from the outside OpenVPN client trying to remote in. I have an OpenVPN client on a PC on the LAN side - just for test purposes - never understood why pfSense lets that connect. Anyway, ran packet capture for that and see traffic, also it connects successfully.
again, we made no changes, just the ISP.
Thanks,
Brian -
@brianjmc1 said in Comcast Business maintenance, now OpenVPN not working:
again, we made no changes, just the ISP.
Which means that the traffic arrives at your WAN IP, but the ISP device doesn't send it through to the port where pfSense is connected.
Could be a firewall rule or permission to be set on that device ... (probably not NAT because I guess your ISP device isn't a "router") -
@Gertjan So I forgot that we had a 2nd "old" router on a 2nd static IP (we have a 5 static IP block), just in case something ever happened with the main router. I tried it and the keys were expired. I renewed the keys, tried again, and it timed out. This is a non-pfSense router, it's actually an IPFire.
Both routers, same results, with nothing changed on either.
Between that and the packet capture, this proves that it's the ISP (Comcast). Hopefully I can get to some type of second level support.
Thanks,
Brian -
OK, finally solved. Comcast (ISP) has on its side a firewall, and a thing called "Security Edge". Calling them for the 12th time, I demanded to get in touch with level 2 support. They agreed, but said they needed to send a tech to swap out our current modem before they would put a ticket in with level 2 support.
Tech came and swapped out the modem, then he saw that Security Edge was off, turned it on and boom, clients can connect to the main router and backup router. Level 1 support had no idea.
Hope this helps someone in the same condition with Comcast some day.
Thanks to users that took the time to answer and help - very appreciated!
Brian
-
@brianjmc1 huh, usually that’s in the way and turning it off fixes stuff.
-
@SteveITS I agree 100%. I'm not complaining, it's working again and I have notes on it for when they do "maintenance" in the area again...
Glad the onsite tech knew something more than the support back at the ISP office...
Brian