pfsense openvpn won't connect from certain cable providers ?
-
@pfchangs77 well the important thing is you got it sorted.
So Armstrong is blocking 1194 udp? That is a pretty shitty ISP.. I could see blocking smb and/or say smtp.. These are not things any home user should be using to connect to.. But in this day and age lots of users use vpn.. I would think they would have users leaving or complaining quite a bit..
-
@johnpoz said in pfsense openvpn won't connect from certain cable providers ?:
So Armstrong is blocking 1194 udp
I might guess some ISPs see inbound VPN ports as requiring a business account. I vaguely recall hearing VPN usage from a home account being an issue around the start of COVID quarantines.
I found out AT&T Business Fiber blocks outbound port 25 unless you ask them not to.
(ಠ_ಠ) Xfinity maintains a list: https://www.xfinity.com/support/articles/list-of-blocked-ports (which generally are not a problem)
-
@SteveITS said in pfsense openvpn won't connect from certain cable providers ?:
inbound VPN ports as requiring a business account
But this isn't an inbound block - maybe they are blocking that too.. But this is an outbound block from this armstrong house to his pfsense at some other location.
At least that was my understanding.
-
Would be nice to know what's really going on. They never actually said what was blocked the other day.
-
@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:
They never actually said what was blocked the other day.
Check their web site support pages ?!
If they block more than the classic "TCP destination port 25" (and NetBIOS) they will have 'exceptions' listed in the contract or commercial documentation, otherwise they would have to invest heavily in the after sales and support department.
-
Correct, however we did end up trying other armstrong customers around the area which worked fine too. So it doesn't explain why some armstrong customers do and some armstrong customers don't have it blocked. Because I know at least one account was a brand new account. Maybe some old feature? Haven't gotten a straight answer from them.
-
This is all I could come up with https://armstrongonewire.com/Support/Internet/Articles/PortFilter
And I asked many times. And when I spoke to the so called supervisors they told me they blocked nothing even though when I asked them about that web page - https://armstrongonewire.com/Support/Internet/Articles/PortFilter
Yea I have to agree it would be wonderful to get some answers or closure.
-
@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:
This is all I could come up with https://armstrongonewire.com/Support/Internet/Articles/PortFilter
I can't visit that link
But I get it : I visit from France, and that might be suspect. My IP was blocked.
DNS is fine, that is, an A record exists. AAAA (IPv6): that's a no go.
-
@Gertjan said in pfsense openvpn won't connect from certain cable providers ?:
can't visit that link
It says, "...blocks certain ports. Ports 25, 67, 135-142, 161-162, 445, and 520 are blocked. Blocking these ports reduces network congestion and protects customers .... Email hosting is limited to commercial customers subscribing to Zoom Professional or above upon request."
FWIW we have seen Comcast's built-in but hidden router security do weird things like block specific inbound ports from specific IPs (fixed by restarting, and once powering off the Comcast router).
-
@SteveITS yeah those seem to be pretty common sense blocks that most ISPs would do.. Since really none of those are things you should be doing to the internet anyway - especially on a residential sort of connection.
520 - why would a home user be running RIP to the internet? So yeah block it.
But why they don't list 1194 udp would be the question, if they are in fact blocking it. Seems since you say blocked at one location and not another location for this isp. They might have disjointed rules setup for different netblocks or regions or specific networks of theirs. This is always going to lead to confusion.. You call and one guy says no we don't block anything, call and get another guy and he says oh yeah we block these specific, your port is not on there. Then you call and get another guy and he says - oh you're on xyz IP range, or oh you're in this location - then yeah we block that..
This is not unexpected - most isp especially level 1 or 2 guys there is normally a huge turnover rate. They most likely do horrible training - here just walk through this script when a user calls with a problem. Their documentation is most likely outdated or just horrible to begin with, etc. And it's quite possible as an isp grows and they buy isp X to join with them - their settings and configurations are not always the same.. And they miss something when merging the networks..
This is why you need to have details... Hey here is a sniff where I put it on the wire, here is a sniff at the other end and it never got here.. And let me talk to a level 3 engineer please...
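The two-ended capture comparison described in the post above, as an added example that is not part of the original thread: it reads `tcpdump -n -tt` text output taken at the client and at the pfSense WAN and reports where UDP 1194 stops. The addresses (documentation ranges), sample lines and function names are constructed, and it assumes the server-side capture sees the server's public IP and that the client's public (post-NAT) IP is known.

```python
import re

# One UDP packet as printed by `tcpdump -n -tt`, e.g.
# 1700000000.10 IP 192.168.1.50.51820 > 203.0.113.10.1194: UDP, length 54
LINE = re.compile(r"^\d+\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                  r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length \d+")

def count_directions(capture, server_ip, port=1194, peer=None):
    """Return (packets to server_ip:port, packets from it), optionally for one peer IP."""
    to_srv = from_srv = 0
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a parsed UDP line
        if m["dst"] == server_ip and int(m["dport"]) == port:
            to_srv += peer in (None, m["src"])
        elif m["src"] == server_ip and int(m["sport"]) == port:
            from_srv += peer in (None, m["dst"])
    return to_srv, from_srv

def locate_drop(client_cap, server_cap, server_ip, client_public_ip, port=1194):
    """NAT rewrites the client address, so the server side is filtered by its public IP."""
    c_out, c_in = count_directions(client_cap, server_ip, port)
    s_in, s_out = count_directions(server_cap, server_ip, port, peer=client_public_ip)
    if c_out == 0:
        return "client never sent"
    if s_in == 0:
        return "client->server dropped in transit"
    if s_out == 0:
        return "server received but did not reply"
    if c_in == 0:
        return "server->client dropped in transit"
    return "both directions pass"

# Constructed sample: the client retries its first packet and gets no answer.
CLIENT_CAP = """\
1700000000.10 IP 192.168.1.50.51820 > 203.0.113.10.1194: UDP, length 54
1700000002.10 IP 192.168.1.50.51820 > 203.0.113.10.1194: UDP, length 54
1700000006.10 IP 192.168.1.50.51820 > 203.0.113.10.1194: UDP, length 54
"""
# Constructed sample: the server only sees a different client that works.
SERVER_CAP = """\
1700000001.00 IP 198.51.100.7.40112 > 203.0.113.10.1194: UDP, length 54
1700000001.01 IP 203.0.113.10.1194 > 198.51.100.7.40112: UDP, length 66
"""

if __name__ == "__main__":
    print(locate_drop(CLIENT_CAP, SERVER_CAP, "203.0.113.10", "198.51.100.99"))
```

A "client->server dropped in transit" result backed by both captures is the kind of detail to bring to the ISP's upper-level engineers.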
-
Keep in mind that the Arris CM3200A is a Puma 6 equipped modem. http://www.dslreports.com/hardware/ARRIS-CM3200-h4557
https://approvedmodemlist.com/intel-puma-6-modem-list-chipset-defects/
Depending on the firmware running on the modem UDP can be severely limited causing issues. Try setting your OpenVPN instances to TCP and see if it works..
First thing I would do though is replace that modem.
-
Thank you on the extra info. ha oh with armstrong I must have gotten 4-5 TOP supervisors/managers that said they don't block anything. However all of them sounded super young.
-
@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:
supervisors/managers
Yeah they're not going to know squat, you need to talk to one of their upper level tech/engineers ;)