OpenVPN TLS hand-off issue behind bridged comcast gateway


  • Hi all,

    I have a SG-5100 behind a Comcast business gateway in bridged mode and i'm having issues connecting to port forwarded devices as well as OpenVPN (in TCP and UDP settings)

    I see that i have a TLS handshake issue on my UDP sessions and an "Unknown Error" on my TCP connections.

    Furthermore, i am hosting a server port-forwarded to the public IP and i cannot establish a connection.

    When I try and make the connection to OpenVPN i get a user called "UNDEF" and a strange IP address that i have tracked down belonging to the Comcast Gateway under its "about" section.

    I have reset the WAN address and made it static, i have internet connection but these services are still unavailable.

    Is there any reason that the Comcast Gateway could still be blocking ports or causing issues with NAT? I can imagine a bridged mode gateway doing anything but passing on the public IP address. Is there any additional troubleshooting steps i should take? Any kind of flush commands i could do?

    Thanks for the help.

  • LAYER 8 Rebel Alliance

    Run a packet capture at your pfSense WAN to check traffic really hits pfSense and is not blocked upstream.

    -Rico


  • So i preformed a packet capture and it does appear that there are packets going to the firewall on port 1194.

    They are not coming from my IP though, they are coming from the IP address from the "bridge gateway" and TLS handshake is still not establishing.

  • LAYER 8 Rebel Alliance

    Status > Interfaces > WAN Interface is showing a pubic IP ?
    You are really testing from the Internet or inside your network (pfSense LAN side)?

    -Rico


  • No i am remotely connected to the site using a desktop sharing software on the clients machine.

    I am trying to connect to it via my computer in a remote location


  • @above-below_6 We are having the exact same issue. We have pfsense box behind a Comcast router in bridge mode. VPN was working fine until yesterday... I completely rebuilt pfsense and am still having the issue. I can pfsense blocking the traffic even when my firewall rules are supposed to allow it.


  • We are reaching out Comcast, I’ll let you know what they say.


  • Hey Tyler,

    Just spent about 3 hours at the customer site troubleshooting this with Comcast, looks like Bridged mode is meant for DHCP and that they had a IP lease renewal as of a few nights ago in my area. My client was given a WAN block of a /29 network for us to use, but oh lord was it a struggle getting Comcast to admit they messed up.

    Turns out if you need static with Comcast you need to physically set it on the WAN interface and leave there modem in standard mode.

    Once you have the correct static IP address range that Comcast provides, it "bypasses" the provided gateway and ignores all firewall rules on it.

    Hope this helps, please reach out if you have any other issues!


  • @above-below_6 We use DHCP... Can’t get through to Comcast... we are trying other things at this point .. Thank you very much for replying, glad you got it figured out... it’s beyond frustrating... I’ll post once we have a solution