Netgate Discussion Forum

    pfsense openvpn won't connect from certain cable providers ?

    • P
      pfchangs77 @johnpoz

      Would be nice to know what's really going on. They never actually said what was blocked the other day.

      • GertjanG
        Gertjan @pfchangs77

        @pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

        They never actually said what was blocked the other day.

        Check their web site support pages ?!
        If they block more than the classic "TCP destination port 25" (and NetBIOS 😊 ) they will have 'exceptions' listed in the contract or commercial documentation, otherwise they would have to invest heavily in the after sales and support department.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • P
          pfchangs77 @johnpoz

          @johnpoz

          Correct, however we did end up trying other Armstrong customers around the area which worked fine too. So it doesn't explain why some Armstrong customers do and some Armstrong customers don't have it blocked. Because I know at least one account was a brand new account. Maybe some old feature? Haven't gotten a straight answer from them.

          • P
            pfchangs77 @Gertjan

            @Gertjan

            This is all I could come up with https://armstrongonewire.com/Support/Internet/Articles/PortFilter

            And I asked many times. And when I spoke to the so-called supervisors they told me they blocked nothing even though when I asked them about that web page - https://armstrongonewire.com/Support/Internet/Articles/PortFilter

            Yea I have to agree it would be wonderful to get some answers or closure.

            • GertjanG
              Gertjan @pfchangs77

              @pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

              This is all I could come up with https://armstrongonewire.com/Support/Internet/Articles/PortFilter

              I can't visit that link 😠
              But I get it : I visit from France, and that might be suspect. My IP was blocked.
              DNS is fine, that is, an A record exists. AAAA (IPv6) : that's a no go.

              • S
                SteveITS Galactic Empire @Gertjan

                @Gertjan said in pfsense openvpn won't connect from certain cable providers ?:

                can't visit that link

                It says, "...blocks certain ports. Ports 25, 67, 135-142, 161-162, 445, and 520 are blocked. Blocking these ports reduces network congestion and protects customers .... Email hosting is limited to commercial customers subscribing to Zoom Professional or above upon request."

                FWIW we have seen Comcast's built-in but hidden router security do weird things like block specific inbound ports from specific IPs (fixed by restarting, and once powering off the Comcast router).

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @SteveITS

                  @SteveITS yeah those seem to be pretty common sense blocks that most ISPs would do.. Since really none of those are things you should be doing to the internet anyway - especially on a residential sort of connection.

                  520 - why would a home user be running RIP to the internet? So yeah block it.

                  But why they don't list 1194 UDP would be the question, if they are in fact blocking it. Seems since you say blocked at one location and not another location for this ISP. They might have disjointed rules setup for different netblocks or regions or specific networks of theirs. This is always going to lead to confusion.. You call and one guy says no we don't block anything, call and get another guy and he says oh yeah we block these specific, your port is not on there. Then you call and get another guy and he says - oh you're on xyz IP range, or oh you're in this location - then yeah we block that..

                  This is not unexpected - most ISPs especially level 1 or 2 guys there is normally a huge turnover rate. They most likely do horrible training - here just walk through this script when a user calls with a problem. Their documentation is most likely outdated or just horrible to begin with, etc. And it's quite possible as an ISP grows and they buy ISP X to join with them - their settings and configurations are not always the same.. And they miss something when merging the networks..

                  This is why you need to have details... Hey here is a sniff where I put it on the wire, here is a sniff at the other end and it never got here.. And let me talk to a level 3 engineer please...

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11
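
Added example, not part of any post in this thread: one way to turn the "sniff at both ends" evidence described above into a verdict, by comparing text output of `tcpdump -nn` taken on the client's wire and on the pfSense WAN. The function names and all addresses (documentation ranges) are constructed for illustration, and it assumes the server-side capture shows the same public server IP the client dials.

```python
import re

# Matches `tcpdump -nn` text lines such as:
# 12:00:01.000000 IP 192.0.2.10.51234 > 203.0.113.5.1194: UDP, length 54
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length \d+"
)

def count_flows(capture_text, server_ip, port=1194):
    """Return (packets_to_server, packets_from_server) for UDP server_ip:port."""
    to_srv = from_srv = 0
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.groups()
        if dst == server_ip and int(dport) == port:
            to_srv += 1
        elif src == server_ip and int(sport) == port:
            from_srv += 1
    return to_srv, from_srv

def verdict(client_cap, server_cap, server_ip, port=1194):
    """Locate where the OpenVPN handshake dies, given a capture from each end."""
    c_out, c_in = count_flows(client_cap, server_ip, port)
    s_in, s_out = count_flows(server_cap, server_ip, port)
    if c_out == 0:
        return "client never sent: check the client, not the ISP"
    if s_in == 0:
        return "sent but never arrived: dropped between client and server"
    if s_out == 0:
        return "arrived but no reply: check server firewall/OpenVPN"
    if c_in == 0:
        return "server replied but client saw nothing: return path dropped"
    return "traffic passes both ways"

SERVER = "203.0.113.5"  # constructed server address
# Constructed client-side capture: three handshake retries, no answer.
CLIENT_CAP = """\
12:00:01.000000 IP 192.0.2.10.51234 > 203.0.113.5.1194: UDP, length 54
12:00:03.000000 IP 192.0.2.10.51234 > 203.0.113.5.1194: UDP, length 54
12:00:07.000000 IP 192.0.2.10.51234 > 203.0.113.5.1194: UDP, length 54
"""
# Constructed server-side capture: unrelated traffic only, nothing on 1194.
SERVER_CAP = """\
12:00:02.000000 IP 198.51.100.20.40000 > 203.0.113.5.40001: UDP, length 40
"""

if __name__ == "__main__":
    print(verdict(CLIENT_CAP, SERVER_CAP, SERVER))
```

Because only the server's address and port are matched, the comparison still works when the client's source address is rewritten by NAT on the way.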

                  • chpalmerC
                    chpalmer

                    Keep in mind that the Arris CM3200A is a Puma 6 equipped modem. http://www.dslreports.com/hardware/ARRIS-CM3200-h4557

                    https://approvedmodemlist.com/intel-puma-6-modem-list-chipset-defects/

                    Depending on the firmware running on the modem UDP can be severely limited causing issues. Try setting your OpenVPN instances to TCP and see if it works..

                    First thing I would do though is replace that modem.

                    Triggering snowflakes one by one..
                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                    • P
                      pfchangs77

                      Thank you for the extra info. Ha, oh, with Armstrong I must have gotten 4-5 TOP supervisors/managers that said they don't block anything. However all of them sounded super young.

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @pfchangs77

                        @pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

                        supervisors/managers

                        Yeah they're not going to know squat, you need to talk to one of their upper level tech/engineers ;)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.