Netgate Discussion Forum
    Comcast Business maintenance, now OpenVPN not working
    brianjmc1

      2.6.0-RELEASE (amd64)
      built on Mon Jan 31 19:57:53 UTC 2022
      FreeBSD 12.3-STABLE

      Comcast Business with static IP. Received a message that they were doing maintenance Friday morning midnight till 6am. They forgot to put our Comcast modem back to passthrough. They fixed that. Today, cannot connect OpenVPN into the router. The IPsec tunnels to the other site are working, but the OpenVPN Connect client now times out. Looking in the firewall, no blocking of my public WAN and nothing in the logs. Called Comcast multiple times, they removed the firewall and the Security Edge. I have had the modem rebooted and our router several times. We have not made any changes on our network at all.
      Any ideas would be greatly appreciated... Strange no issue for years, until they did their maintenance...
      Thanks,
      Brian

      SteveITS @brianjmc1

        @brianjmc1 it’s probably not in passthrough.

        If you allow ICMP on WAN can you ping from outside? If you disable that rule does it still answer (meaning, it’s not pfSense answering)?

        Is your WAN IP a CGNAT IP?

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
        Upvote 👍 helpful posts!

        brianjmc1 @SteveITS

          @SteveITS said in Comcast Business maintenance, now OpenVPN not working:

          CGNAT IP

          So I added a rule to allow ICMP on WAN, then pinged it: all good, receiving a response. Removed the rule and pinged the WAN IP again and got no response.
          No this is not a CGNAT IP, we have a static IP from Comcast.

          Thanks for taking the time to answer!
          Brian

          chpalmer @brianjmc1

            @brianjmc1 Is the OpenVPN connection inbound or outbound?

            What model cable modem did they stick you with? Puma chipset equipped modems can be trouble with UDP connections.. makes me wonder if they did a firmware update on your modem during the "maintenance" that mucked things up.

            Triggering snowflakes one by one..
            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

            Gertjan @brianjmc1

              @brianjmc1 said in Comcast Business maintenance, now OpenVPN not working:

              we have a static IP from Comcast

              Do you know what port the OpenVPN client is using? Like 1194?
              Do you know the protocol? Like UDP?
              That's all you need "to check things on your side".

              Go here :

              [image]

              and select the WAN interface, UDP as the protocol and 1194 as the port, and hit Start.

              .... and nothing shows up here :

              [image]

              Now, get your OpenVPN client device (do not use the wifi, use the phone ISP data connection!!) and launch the OpenVPN client.
              The IP it's using is your static IP?
              You should see the packet capture now logging the OpenVPN traffic between the client device and the pfSense OpenVPN server.
              Like this :

              [image]

              If not, then you have solid proof the traffic never reaches the WAN interface of pfSense.

              Btw : I don't know who Comcast is, I'm from France (that's Europe ^^) but still : an ISP that can change their device's firewall rules or operating mode ? Are you sure ?
              My ISP box is there for me to admin, not me (for me Orange, France).
              Typically, the ISP and ISP box is there to create the connection, and that's it. If they (the ISP) can also change things whenever they want, you have to check your ISP box settings all the time.
              I place a "UDP port 1194 to the WAN IP of pfSense" NAT rule in my ISP's box, and that's it.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

                brianjmc1 @chpalmer
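The packet-capture test Gertjan describes (and the ICMP-on-WAN test earlier in the thread) boils down to one question: does the client's traffic ever show up on the pfSense WAN interface? As an added example that is not from this thread or from Netgate, the Python below parses tcpdump-style lines of the kind pfSense's Diagnostics > Packet Capture prints and turns a capture into a verdict. It goes one step beyond the post: besides "nothing arrives" it also distinguishes "arrives but pfSense never answers" from "two-way traffic", which points the next check at a different layer. The WAN and client addresses, the port, and all capture lines are constructed sample data.

```python
"""
Added example (not from the thread): classify tcpdump-style capture lines,
as printed by pfSense Diagnostics > Packet Capture, to decide whether inbound
OpenVPN traffic reached the WAN interface and whether the server answered.
All addresses and capture lines below are constructed sample data.
"""
import re
from collections import Counter

# Constructed addresses from the TEST-NET documentation ranges, not real hosts.
WAN_IP = "198.51.100.5"       # assumed pfSense WAN static IP
CLIENT_IP = "203.0.113.10"    # assumed OpenVPN client on mobile data
OPENVPN_PORT = 1194           # the UDP port Gertjan suggests checking

# tcpdump UDP line: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
# (IPv4 only; an IPv6 line would need a different address pattern.)
UDP_LINE = re.compile(
    r"^\S+\s+IP\s+(?P<src>[\d.]+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+?)\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<length>\d+)"
)


def parse_udp_line(line):
    """Return a dict for a UDP capture line, or None for anything else (ARP, TCP, ...)."""
    m = UDP_LINE.match(line.strip())
    if not m:
        return None
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "length": int(m.group("length")),
    }


def classify_openvpn_capture(lines, wan_ip=WAN_IP, port=OPENVPN_PORT):
    """Count OpenVPN packets by direction and return a verdict with the counts."""
    inbound = outbound = 0
    clients = Counter()
    for line in lines:
        pkt = parse_udp_line(line)
        if pkt is None:
            continue
        if pkt["dst"] == wan_ip and pkt["dport"] == port:
            inbound += 1                 # client -> pfSense WAN
            clients[pkt["src"]] += 1
        elif pkt["src"] == wan_ip and pkt["sport"] == port:
            outbound += 1                # pfSense WAN -> client
    if inbound == 0:
        verdict = "no-inbound"           # never reached the WAN: look upstream (ISP device)
    elif outbound == 0:
        verdict = "inbound-no-reply"     # reached pfSense but no answer: WAN rule / server
    else:
        verdict = "two-way"              # transport is fine: look at TLS, certs, keys
    return {"verdict": verdict, "inbound": inbound, "outbound": outbound,
            "clients": dict(clients)}


# Constructed captures covering the three outcomes.
CAPTURE_NOTHING = [
    "12:00:00.000001 ARP, Request who-has 198.51.100.1 tell 198.51.100.5, length 28",
    "12:00:01.000002 IP 198.51.100.5.123 > 192.0.2.50.123: UDP, length 48",
]
CAPTURE_INBOUND_ONLY = [
    "12:00:02.000003 IP 203.0.113.10.51234 > 198.51.100.5.1194: UDP, length 54",
    "12:00:03.000004 IP 203.0.113.10.51234 > 198.51.100.5.1194: UDP, length 54",
]
CAPTURE_TWO_WAY = CAPTURE_INBOUND_ONLY + [
    "12:00:02.000005 IP 198.51.100.5.1194 > 203.0.113.10.51234: UDP, length 66",
]

if __name__ == "__main__":
    for name, cap in [("nothing", CAPTURE_NOTHING),
                      ("inbound-only", CAPTURE_INBOUND_ONLY),
                      ("two-way", CAPTURE_TWO_WAY)]:
        print(name, classify_openvpn_capture(cap))
```

A "no-inbound" verdict is the "solid proof the traffic never reaches the WAN interface" Gertjan refers to; "inbound-no-reply" would instead point at the WAN rule or the OpenVPN server on pfSense, and "two-way" means the transport works and the problem is in the TLS handshake or the certificates (the kind of thing the expired keys on the backup router would cause).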

                @chpalmer - no traffic in the packet capture from the outside OpenVPN client trying to remote in. I have an OpenVPN client on a PC on the LAN side, just for test purposes; never understood why pfSense lets that connect. Anyway, ran packet capture for that and see traffic, also it connects successfully.

                again, we made no changes, just the ISP.

                Thanks,
                Brian

                  Gertjan @brianjmc1

                  @brianjmc1 said in Comcast Business maintenance, now OpenVPN not working:

                  again, we made no changes, just the ISP.

                  Which means that the traffic arrives at your WAN IP, but the ISP device doesn't send it through to the port where pfSense is connected.
                  Could be a firewall rule or permission to be set on that device ... (probably not NAT because I guess your ISP device isn't a "router")

                    brianjmc1 @Gertjan

                    @Gertjan So I forgot that we had a 2nd "old" router on a 2nd static IP (we have a 5 static IP block), just in case something ever happened with the main router. I tried it and the keys were expired. I renewed the keys, tried again, and it timed out. This is a non-pfSense router, it's actually an IPFire.
                    Both routers, same results, with nothing changed on either.
                    Between that and the packet capture, this proves that it's the ISP (Comcast). Hopefully I can get to some type of second level support.

                    Thanks,
                    Brian

                      brianjmc1 @brianjmc1

                      OK, finally solved. Comcast (ISP) has on its side a firewall, and a thing called "Security Edge". Calling them for the 12th time, I demanded to get in touch with level 2 support. They agreed, but said they needed to send a tech to swap out our current modem before they would put a ticket in with level 2 support.
                      Tech came and swapped out the modem, then he saw that Security Edge was off, turned it on and boom, clients can connect to the main router and backup router. Level 1 support had no idea.

                      Hope this helps someone in the same condition with Comcast some day?

                      Thanks to users that took the time to answer and help - very appreciated!

                      Brian

                        SteveITS @brianjmc1

                        @brianjmc1 huh, usually that’s in the way and turning it off fixes stuff.

                          brianjmc1 @SteveITS

                          @SteveITS I agree 100%, I'm not complaining, it's working again and I have notes on it for when they do "maintenance" in the area again...
                          Glad the onsite tech knew something more than the support back at the ISP office...
                          Brian

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.