TiVo Says Port 8080 Closed. Tools to Check?
For the last couple of months, I've been running my TiVo without problem through AirVPN on my SG-4860. Yesterday, the TiVo started complaining it was running out of Guide data. When I checked, it hadn't been able to connect successfully for a while. It now thinks port 8080 is being blocked. I pulled the TiVo out from using the VPN and it has no problem. Putting it back through the VPN causes it to again complain about port 8080 is being blocked and it won't connect. My pfSense box is set to not block any outgoing stuff. Ditto for traffic on the local network. According to:
Cox (my ISP) doesn't block port 8080. And, according to:
the TiVo needs no open incoming ports. Also, it doesn't complain about any of the other ports that need to be open for outgoing traffic (or within the local network) as being closed.
Are there any tools (hopefully, those a newb can use) I can use to try to see if something is blocking port 8080 on my network? I've attached a screenshot of my firewall rules for the interface the TiVo (and, basically, everything else) is on.
![20170621 -- pfSense Firewall Rules VPN_LAN.PNG](/public/imported_attachments/1/20170621 – pfSense Firewall Rules VPN_LAN.PNG)
![20170621 -- pfSense Firewall Rules VPN_LAN.PNG_thumb](/public/imported_attachments/1/20170621 -- pfSense Firewall Rules VPN_LAN.PNG_thumb)
If it is being routed out the VPN, Cox has nothing to do with it.
Look at states on 8080 while you try to connect.
Maybe packet capture on OpenVPN on port 8080 while you try to connect and see what is there.
Maybe set something up on the outside to listen on 8080 and try to connect to it.
Good idea to check the state table. I'd checked the logs, but there's nothing. Here's what shows up in the state table during a connection attempt:
States Interface Protocol Source (Original Source) -> Destination (Original Destination) State Packets Bytes VPN_LAN tcp 192.168.20.6:60422 -> 18.104.22.168:8080 TIME_WAIT:TIME_WAIT 1 / 1 60 B / 40 B VPN2_WAN tcp 10.8.0.214:55750 (192.168.20.6:60422) -> 22.214.171.124:8080 TIME_WAIT:TIME_WAIT 1 / 1 60 B / 40 B
192.168.20.6 is my TiVo
126.96.36.199 is on the list of TiVo's servers
10.8.0.214 is that VPN WAN interface's address
So, it looks like the traffic is at least leaving my system. I'll try to figure out something with a packet capture.
Here's a packet capture for port 8080 on that OpenVPN client:
17:35:15.115962 IP 10.8.0.214.30048 > 188.8.131.52.8080: tcp 0 17:35:15.129437 IP 184.108.40.206.8080 > 10.8.0.214.30048: tcp 0
And, here's one for the TiVo's IP address and port 8080 on the local VPN interface:
17:40:51.048594 IP 192.168.20.6.60503 > 220.127.116.11.8080: tcp 0 17:40:51.063299 IP 18.104.22.168.8080 > 192.168.20.6.60503: tcp 0
And, just for grins, here's one for the TiVo's IP address and port 8080 on the local VPN interface while the TiVo's doing its port diagnostics and saying port 8080 is closed:
18:06:24.626166 IP 192.168.20.6.60600 > 22.214.171.124.8080: tcp 0 18:06:24.642865 IP 126.96.36.199.8080 > 192.168.20.6.60600: tcp 0
I'm 99.99% clueless, but to me, that looks like during the diagnostics, port 8080 is working fine and during a download something went there and back again involving port 8080. I guess that means this isn't related to pfSense at all. Heck, it doesn't even look like it's related to the VPN.
That looks like good two-way traffic - at least from something.
Anyone know what the time codes in those packet captures mean? The first three parts are obviously hours, minutes, and seconds. But, is the last part millionths of a second?
Yeah, 6 decimal places is milliseconds.
Thanks. I couldn't find anything saying that that final clump of numbers was some kind of fractional second or something else entirely.
BTW: 10^(-6) seconds is actually microseconds:
A millisecond is a thousandth of a second.
If I had to guess, I'd say TiVo is blocking access from the VPN provider.
Especially if it works fine from your regular network.
Mine don't seem to do anything fancy with the traffic that leaves my network, nothing I'd expect to break that way at least. But they are a bit strict with region stuff so it would not surprise me to hear they block known VPN/Proxy providers.
I, too, am guessing TiVo has somehow started blocking access via VPN. I've reported this on the TiVoCommunity forum:
and to TiVo (corporation), itself. But, so far, nothing. It's just odd that the sole check that's (supposedly) failing is the one for port 8080 instead of something more general.
I've worked around it by simply adding a firewall rule to have all traffic coming from my TiVo go through the WAN instead of the VPN interface. That's not really what I want to do, but it works.
I was forcing a tivo through an OpenVPN that egresses from AWS Oregon until about a week ago and it worked fine for geo-shifting MLB.Tv. Probably just a matter of time. (Don't have the tivo any more.)
Didn't try any other streaming services and tivo updates seemed to be fine.
Hard for me to fathom why tivo would care where you get updates from. The streaming apps all have their own enforcement methods I would think.
You could tailor the rule to only put traffic sourced from the tivo and destined for port 8080 out WAN.