[Solved] I think my ISP is blocking port forward?


gacpac


 

I have a double NAT situation, because my landlord shares a connection with me. I have my own router and I had this working in the past.

 

What changed,

 

- He changed his Comcast router to a different model (it has the same GUI as all the Xfinity ones).

- This router looks like it has NAT reflection enabled by default (before, I couldn't ping my public IP from the inside).

 

 

He gave me access so I could open my ports again, but they don't seem to work. This doesn't make sense.

 

Normally I keep a screenshot of the working settings so I don't forget. And the behavior I get after opening a port is that it works one time.

Example,

I connect to my VPN, works the first time, then next time I try to connect it times out.

Same for nextcloud, login the first time, next time it times out.

 

And an additional behavior is that I cannot access canyouseeme.org from my internal LAN. This happens behind his Xfinity router and behind my pfSense router.

 

Believe me, I thought it was a setting in the pfSense. But I have my ports open in the firewall and, well, I haven't touched anything since I set it up.

 

 

 

I'd rather create this post here than somewhere else in the forum to avoid clutter.

 

Sent from my Pixel 2 XL using Tapatalk

 

 

 

Edited by gacpac
Link to comment
Can you explain your setup?
His router (DHCP) -> his devices
-> VLAN -> pfSense (your DHCP) -> switch and wireless AP -> your devices
Something like that?
It's quite simple

Basically how you described it.
These are my IPs:

His router 10.0.0.0/24
pfSense WAN 10.0.0.115
pfSense LAN DHCP 172.16.1.0/24
Unraid 172.16.1.137




Sent from my Pixel 2 XL using Tapatalk

Link to comment
1 hour ago, gacpac said:

It's quite simple

Basically how you described it.
These are my IPs:

His router 10.0.0.0/24
pfSense WAN 10.0.0.115
pfSense LAN DHCP 172.16.1.0/24
Unraid 172.16.1.137




Sent from my Pixel 2 XL using Tapatalk
 

 

Just for testing, are you allowed to set your pfsense box as the DMZ IP on your landlord's router?

 

That at least would throw everything at you, and you could go from there.

 

 

 

 

Link to comment
 
Just for testing, are you allowed to set your pfsense box as the DMZ IP on your landlord's router?
 
That at least would throw everything at you, and you could go from there.
 
 
 
 
Originally that's how I had it set up. And let me tell you, that works great. This time around I decided to go with port forwarding to start troubleshooting.

But man, it's weird. I started to think it's maybe my pfSense, because the fact that it works one time and then blocks it drives me crazy.

Sent from my Pixel 2 XL using Tapatalk

Link to comment
33 minutes ago, gacpac said:

Originally that's how I had it set up. And let me tell you, that works great. This time around I decided to go with port forwarding to start troubleshooting.

But man, it's weird. I started to think it's maybe my pfSense, because the fact that it works one time and then blocks it drives me crazy.

Sent from my Pixel 2 XL using Tapatalk
 

 

I think it's just your double NAT getting the final target port all out of whack, and I would just stick with DMZ and block all inbound, and open ports as needed in pfSense.

 

The double NAT already complicates things, I wouldn't add an additional complication if not needed.

Link to comment
 
I think it's just your double NAT getting the final target port all out of whack, and I would just stick with DMZ and block all inbound, and open ports as needed in pfSense.
 
The double NAT already complicates things, I wouldn't add an additional complication if not needed.
I can try that again, but if it doesn't work I'll back up and start with a fresh configuration. Don't know what else to do.

Sent from my Pixel 2 XL using Tapatalk

Link to comment

I think it is my pfSense.

Because I have disabled the entire firewall for the Comcast router and everything behaves the same way. I also turned off my pfSense and some websites started working again, I guess.

Something has to be getting messed up in the port forwarding. But I don't know what to check for, because nothing has been changed. Maybe the firewall is detecting an attack (false positive).

Sent from my Pixel 2 XL using Tapatalk

Link to comment
2 hours ago, gacpac said:

I think it is my pfSense.

Because I have disabled the entire firewall for the Comcast router and everything behaves the same way. I also turned off my pfSense and some websites started working again, I guess.

Something has to be getting messed up in the port forwarding. But I don't know what to check for, because nothing has been changed. Maybe the firewall is detecting an attack (false positive).

Sent from my Pixel 2 XL using Tapatalk
 

 

Can you upload a picture of your firewall rules?  Because you shouldn't be port forwarding in pfSense, but allowing through on the firewall tab.

 

So my rules are like:

 

Allow IPv4 UDP 1194 WAN

Block IPv4+6 WAN

Allow IPv4+6 LAN

 

So I block all incoming to WAN, except OpenVPN, and that rule needs to be above my block incoming.  And then I allow everything from LAN out.

 

That's a basic configuration. 

 

Can you also look at your routes:  Should be System->Routing.  Your new router could be sending IPv6 downstream, and you aren't picking it up or including it in your firewall rules.

 

Edited by fl0at
Link to comment
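As an added illustration of the rule ordering fl0at describes (not code from the thread or from pfSense itself): pfSense evaluates firewall rules top-down, first match wins, so the OpenVPN allow has to sit above the catch-all WAN block. The evaluator below is a hypothetical helper that models only interface, address family, protocol and destination port; it also shows why an IPv4-only allow does nothing for IPv6 arriving on WAN, which is the route check fl0at suggests.

```python
from dataclasses import dataclass
from typing import List, Optional

# Minimal first-match evaluator mirroring pfSense rule semantics
# (top-down, first matching rule decides). Hypothetical helper, not pfSense code.

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    iface: str             # "WAN" or "LAN"
    family: str            # "inet" (IPv4), "inet6" (IPv6) or "any"
    proto: str             # "udp", "tcp" or "any"
    dport: Optional[int]   # destination port, None = any port

@dataclass(frozen=True)
class Packet:
    iface: str
    family: str
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and rule.family in ("any", pkt.family)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Action of the first matching rule; no match falls to the implicit default block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"

# The three rules from the post, in the order given.
GOOD_ORDER = [
    Rule("pass", "WAN", "inet", "udp", 1194),   # Allow IPv4 UDP 1194 WAN (OpenVPN)
    Rule("block", "WAN", "any", "any", None),    # Block IPv4+6 WAN
    Rule("pass", "LAN", "any", "any", None),     # Allow IPv4+6 LAN
]
# Same rules, but with the WAN block placed above the OpenVPN allow.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0], GOOD_ORDER[2]]

# Constructed sample packets: OpenVPN over IPv4, the same over IPv6, and LAN egress.
OPENVPN_V4 = Packet("WAN", "inet", "udp", 1194)
OPENVPN_V6 = Packet("WAN", "inet6", "udp", 1194)
LAN_OUT = Packet("LAN", "inet", "tcp", 443)

if __name__ == "__main__":
    for name, rs in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(name, evaluate(rs, OPENVPN_V4), evaluate(rs, OPENVPN_V6), evaluate(rs, LAN_OUT))
```

With the rules in the order given, IPv4 OpenVPN passes and IPv6 on WAN is still blocked; swapping the first two rules blocks OpenVPN entirely.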

It seems like you've got pretty open control on landlord's router, so why not disable pfsense's DHCP, and get IPs from the landlord's router?

 

Static your IPs, and create your rules in pfsense using LAN as source and destination.

 

You'll remove your double NAT, and still get your protection.

Link to comment
It seems like you've got pretty open control on landlord's router, so why not disable pfsense's DHCP, and get IPs from the landlord's router?
 
Static your IPs, and create your rules in pfsense using LAN as source and destination.
 
You'll remove your double NAT, and still get your protection.
Lol. Yeah, at the beginning I was just using his. But it's messy, like, he has a Chromecast, I have one. He plays stuff on my TV by mistake all the time. So I thought of setting up my own network to keep my privacy.

Today I've been thinking of creating a subnet within the 10.0.0.0 and going from there, or maybe a VLAN? So devices are kept separated.

I don't wanna make it complicated, honestly.

Sent from my Pixel 2 XL using Tapatalk

Link to comment
11 minutes ago, gacpac said:

Lol. Yeah, at the beginning I was just using his. But it's messy, like, he has a Chromecast, I have one. He plays stuff on my TV by mistake all the time. So I thought of setting up my own network to keep my privacy.

Today I've been thinking of creating a subnet within the 10.0.0.0 and going from there, or maybe a VLAN? So devices are kept separated.

I don't wanna make it complicated, honestly.

Sent from my Pixel 2 XL using Tapatalk
 

 

If you set your rules in pfSense to block inbound LAN except on the ports you want open, you'll block his inbound (like Chromecast) even if on the same network.

 

 

Link to comment
On 7/19/2019 at 9:53 AM, fl0at said:

 

Can you upload a picture of your firewall rules?  Because you shouldn't be port forwarding in pfSense, but allowing through on the firewall tab.

 

So my rules are like:

 

Allow IPv4 UDP 1194 WAN

Block IPv4+6 WAN

Allow IPv4+6 LAN

 

So I block all incoming to WAN, except OpenVPN, and that rule needs to be above my block incoming.  And then I allow everything from LAN out.

 

That's a basic configuration. 

 

Can you also look at your routes:  Should be System->Routing.  Your new router could be sending IPv6 downstream, and you aren't picking it up or including it in your firewall rules.

 

 

pfSense has an option to port forward, and it basically creates a rule automatically. Look, this is all I have:

 


 

I also have the traffic shaper enabled, but I don't think that will give me issues.

Link to comment

And I don't get this. 

 

The ports get opened and work. But after you try, they get blocked. If I wanted to trace connections in pfSense, where would I go?

If I check on yougetsignal.com I can see the port is open, but after I try to connect it gets rejected. Could traffic shaping be part of the problem?

Edited by gacpac
Link to comment

I finished troubleshooting and yes I think Comcast is blocking the ports T.T

 

To confirm this I did the following. I disconnected my pfSense and connected directly to the core router (Comcast).

I downloaded a free FTP application to my phone using port 16446 and forwarded the port.

 


 

You see the port open and everything. And I'm bypassing pfSense; I'm connected directly to the main router coming from the ISP. Now if I try to connect, it works for a second and then they block it.

 


Edited by gacpac
Link to comment
27 minutes ago, gacpac said:

I finished troubleshooting and yes I think Comcast is blocking the ports T.T

 

To confirm this I did the following. I disconnected my pfSense and connected directly to the core router (Comcast).

I downloaded a free FTP application to my phone using port 16446 and forwarded the port.

 

 


 

If it is a Comcast thing you should still be able to do that same port scan behind pfSense, using the same methodology as the other ports.

 

If not, it's a configuration issue.

Link to comment
1 minute ago, fl0at said:

 

If it is a Comcast thing you should still be able to do that same port scan behind pfSense, using the same methodology as the other ports.

 

If not, it's a configuration issue.

Yes. I'm able to do it from behind my pfSense.

But I turned it off just to take everything out of the way. This really sucks, because it was working, and things don't stop working out of the blue. It's even closing the built-in ports for GUI remote management.

Now I know it's maybe something with the router, but I don't own the router, so I gotta deal with it like that.

Link to comment
11 hours ago, gacpac said:

Yes. I'm able to do it from behind my pfSense.

But I turned it off just to take everything out of the way. This really sucks, because it was working, and things don't stop working out of the blue. It's even closing the built-in ports for GUI remote management.

Now I know it's maybe something with the router, but I don't own the router, so I gotta deal with it like that.

 

I haven't ever seen port blocking from within a router as a practice.  Because to defeat the block, you'd just change routers.

 

Comcast on non-business blocks 80 at a level before the connection to the home. I would assume they would continue that practice for other ports they want blocked.

 

Connecting once and then not again sounds like a configuration issue, not an adaptive and learning process within the router (which is what it would have to be to allow once and then decide to block).

 

 

 

 

Link to comment
