Netgate Discussion Forum

SOLVED: Can't Enable HTTPS on WAN on Comcast Business Network

Firewalling
13 Posts 5 Posters 9.6k Views
    focalguy
    posted Oct 29, 2009, 7:49 PM (last edited Nov 23, 2009, 8:10 PM)

    I may be wrong but the common thread seems to be that all the locations that I fail to do this on are using Comcast Business as their ISP. We have a static IP and VPN tunnel to these locations but I would like another way to connect to the router when the VPN does not come up.

    The problem is that I create the rule:

    Proto  Source  Port  Destination  Port         Gateway  Schedule  Description
    TCP    *       *     WAN address  443 (HTTPS)  *                  Pass HTTPS to WAN


    on several routers that are on Comcast and the router does not show the packets being blocked or allowed. I have logging of default rules turned on.

    I set this same rule on a router with Qwest as the ISP and I get right into the router from the WAN interface.

    I tried changing the port of the firewall to 8443 and then adjusting the firewall rule accordingly and I still get the same result on the Comcast router. I haven't tried that on the Qwest router with an alternate port.

    Is Comcast blocking those incoming ports? How can I test if they are or not?

    Also, I know this isn't the most secure method of access by having a port left open so I am open to other suggestions for managing the firewall when the VPN tunnel goes down and doesn't come back up. I need some way of manually connecting to the router if just to reboot it.

      focalguy
      last edited by Oct 30, 2009, 5:42 PM

      Just confirmed this morning that I can also set this up successfully on a pfSense box running on a Verizon ISP. I think it is definitely something with Comcast.

      Any way to get around this?

        danswartz
        last edited by Oct 31, 2009, 7:16 PM

        8443 may be a widely used alternative to 443, so maybe they block that too.  try some random port number?

          focalguy
          last edited by Nov 5, 2009, 1:04 AM

          That's a good idea. I think I tried it already but I'll make sure and try it again and then report the results.

            johnvm
            last edited by Nov 10, 2009, 2:24 AM

            On Comcast here and have no problems with 443. Noteworthy: I'm on a Comcast biz package; dunno if that makes any difference.

              focalguy
              last edited by Nov 10, 2009, 3:27 AM

              Thanks for the comment johnvm. That is interesting because all of my locations are Comcast business as well. I still haven't tried setting the box on a random port as I think I tried before but I will try to do that tomorrow.

              Is there any way to check where traffic is being stopped? Kind of like a traceroute for a specific port?

                danswartz
                last edited by Nov 10, 2009, 3:32 AM

                not really (or easily at least.)

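The question two posts up asks for a traceroute-like check for a single port. There is no per-port traceroute built into pfSense, but a plain TCP probe from a host outside the site, read together with the pfSense firewall log, already separates the cases that matter in this thread. The script below is an added example, not code from the thread or from pfSense. It assumes you run it from outside the site (the central office, for instance) against the site's WAN static address, and that logging of the default-deny rule is on, as the first post says. The demo at the bottom probes a constructed local listener and a closed local port so that it runs offline; replace those with the real WAN address and port.

```python
"""Classify why a TCP port on a remote firewall is (un)reachable.

Three outcomes matter for the situation in this thread:
  "open"     - the handshake completed: the port is reachable end to end.
  "refused"  - a RST came back: the SYN reached a host that rejected it
               (nothing listening on that port, or a firewall that rejects
               instead of dropping).
  "filtered" - nothing came back before the timeout: the SYN was silently
               dropped somewhere on the path. If pfSense logs default-deny
               hits and shows nothing for the probe, the drop happened
               upstream of pfSense (in this thread: the Comcast modem's own
               NAT/firewall sitting in front of the true static IP).
"""
import errno
import socket
import socketserver
import threading


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connect and map the result to open/refused/filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        # EHOSTUNREACH / ENETUNREACH and friends: a routing problem on the
        # probing side, not a firewall drop. Report it separately.
        return "error:" + str(errno.errorcode.get(e.errno, e.errno))
    finally:
        s.close()


def diagnose(result: str, logged_by_pfsense: bool) -> str:
    """Combine the probe result with whether pfSense logged the packet."""
    if result == "open":
        return "reachable: the WAN rule and any upstream device both pass the port"
    if result == "refused":
        return ("reached a host that rejected it: check which port the "
                "webConfigurator listens on (443 vs 8443) or for a 'reject' rule")
    if result == "filtered" and logged_by_pfsense:
        return ("dropped by pfSense: the WAN rule is not matching (check interface, "
                "protocol, destination 'WAN address' and port)")
    if result == "filtered":
        return ("dropped before pfSense: the SYN never hit the WAN interface, so "
                "look at the modem (NAT/firewall in front of the static IP)")
    return "routing problem on the probing side: " + result


# --- offline demo below: a constructed local listener and a closed local port ---

class _Listener(socketserver.TCPServer):
    allow_reuse_address = True


def start_demo_listener():
    """Listen on an ephemeral 127.0.0.1 port so probe_tcp() has an 'open' target."""
    srv = _Listener(("127.0.0.1", 0), socketserver.BaseRequestHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def closed_port() -> int:
    """Reserve and release an ephemeral port so nothing is listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_demo_listener()
    for label, p in (("listening", port), ("closed", closed_port())):
        r = probe_tcp("127.0.0.1", p, timeout=1.0)
        print(f"{label} port {p}: {r} -> {diagnose(r, logged_by_pfsense=False)}")
    srv.shutdown()
    srv.server_close()
    # Real use, from outside the site:
    #   probe_tcp("<site WAN static IP>", 443)
    # then check Status > System Logs > Firewall on that pfSense box and feed
    # the answer to diagnose().
```

To see the hop directly rather than infer it, run `tcpdump -ni <WAN interface> tcp port 443` on the pfSense box while probing: if no SYN shows up on the WAN interface the packet is being eaten in front of pfSense, which is what the modem's NAT turned out to be doing here. Whatever port the rule ends up on, restrict its source to the central office's static address rather than `*`, since the VPN's failure mode is the only reason this exposure exists at all.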
                  dotdash
                  last edited by Nov 10, 2009, 3:51 AM

                  I remember having to check some box to bypass the firewall for the true statics. This was on the Comcast modem. I forget the exact details.

                    johnvm
                    last edited by Nov 10, 2009, 3:39 PM

                    Do your other ports work? The way I have things set up is I have my pfSense router set as the DMZ on my Comcast biz cable modem (login to the modem at http://192.168.100.1, un: cusadmin, pw: highspeed).

                    If you don't forward along the ports from the modem to the router, no NAT will work.

                      focalguy
                      last edited by Nov 10, 2009, 7:55 PM

                      I think it may be a setting on the modem now. Thanks for the tip dotdash. We just replaced a linksys with a pfSense box this morning and it is on Comcast and I set up the rule and it worked on port 443! I tried again on another pfSense box at another location and still get the no connection and no logging of any kind. I also saw that I had a disabled rule of "Allow All to WAN" which I tried out of desperation for a minute just to see if it would get through and I remember I didn't have any luck with that. Now that it is working on a Comcast location I think I need to compare that modem's settings with the other locations and see what is different.

                      johnvm, these locations do not have any other incoming ports open. They are just satellite offices so they are all just connecting to us at the central office. We do, however, have Comcast recently at the central office but have not moved any services over from our current ISP. I will make sure to check the Comcast modem here before doing that.

                        jimp (Netgate developer)
                        last edited by Nov 10, 2009, 8:01 PM

                        It's probably best to standardize on an unusual alternative port anyhow, such as 4443, 4433, 8443, 10443, etc. There's no telling what kind of inbound blocking an ISP might do, or what policies they may have.

                        I believe one of the pfSense developers had their service temporarily disconnected by a cable company until they moved all their listening services to ports > 10000. The cable company's reasoning behind this made almost no sense from an actual network security standpoint, but it was their policy nonetheless and had to be followed to keep the service active.


                          focalguy
                          last edited by Nov 12, 2009, 7:56 PM

                          Thanks Jim,

                          I'll keep that in mind but for now I'm not sure if I could convince my boss to want to type the extra port numbers at the end of each address. haha. Having an alternative port number might also add a little security-through-obscurity for whatever that's worth as well.

                          Next Monday when I will be at one of these locations and have access to the Comcast modem, I plan to check the settings and see if I can get it configured properly.

                            focalguy
                            last edited by Nov 23, 2009, 8:10 PM

                            @dotdash:

                            I remember having to check some box to bypass the firewall for the true statics. This was on the Comcast modem. I forget the exact details.

                            This was it. There is a box that says something like "Disable NAT for True Static IPs". Once that was checked, the rules took effect as required.

                            As Jim mentioned, it is probably a good idea to have an alternate port used and maybe we will standardize on one later but either way this option needs to be enabled on the Comcast modem for this to work.

                            Thanks everyone!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.