dynamic IP blocked

Started by bienios, January 08, 2020, 07:17:28 PM

bienios

Hi Guys.
Is it possible? It looks like my ISP provider, Xfinity, blocked my address. I can't ping from outside, only from inside, my public address as Comcast gateway, and all ports are blocked. I know that from https://www.canyouseeme.org/ which shows "I could not see your service. All connection timeout". Around a year ago I did not have that problem. I realized that when I could not establish a VPN connection with my home router.

Dieselboy

Hi,

Could you explain some more? Blocked your address to what?

Some ISPs block traffic from the internet to your IP. For example, your ISP might prevent you from hosting a website or mail server from your IP address (i.e. at your home). My ISP at my home does this, and blocks a number of other ports (like 445). But I have turned this off in the ISP control panel for my account. Actually, I turned it off a few times now but it seems to come back on.

For ICMP - it's not really a security risk to allow ICMP ping requests, so could it be that the router is not configured to reply to ICMP?

bienios

#2
I meant blocked all ports. I never had a problem logging in to my router from public before. I checked the firewall and no ICMP is blocked. Looks like my gateway is 73.134.200.1 but I also can't ping that address from outside, but I can ping from inside.

Traceroute from outside to my public address actually looks good.

  1     5 ms     4 ms     3 ms  192.168.43.1
  2    54 ms   122 ms    34 ms  172.26.96.161
  3    43 ms    36 ms    38 ms  107.72.137.124
  4   169 ms   168 ms    64 ms  12.249.2.57
  5    74 ms    42 ms    41 ms  12.83.178.17
  6    54 ms    57 ms    80 ms  12.122.113.41
  7   212 ms   165 ms   162 ms  192.205.37.42
  8    77 ms    78 ms    78 ms  be-2107-cs01.ashburn.va.ibone.comcast.net [96.110.32.185]
  9   242 ms   160 ms    43 ms  be-1102-cr02.ashburn.va.ibone.comcast.net [96.110.32.170]
 10    93 ms    40 ms    39 ms  ae-4-ar01.capitolhghts.md.bad.comcast.net [68.86.90.58]
 11    44 ms    60 ms    51 ms  te-9-1-sr01.cambridge.md.bad.comcast.net [68.87.168.54]
 12    73 ms    72 ms    39 ms  96.110.92.6
 13    44 ms    42 ms    35 ms  lag2-acr04.kirkave.md.bad.comcast.net [68.85.113.190]
 14   166 ms   159 ms   162 ms  c-73-134-201-2*.hsd1.md.comcast.net [73.134.201.2*]

Dieselboy

I can ping and trace to 73.134.200.1 - could the issue be at your outside source rather than your internet connection/firewall at home?

deanwebb

I can ping your home IP (full address is visible to admins/mods), but when I did an NMAP quick scan, it said all 100 ports were filtered.

So I have to ask if this inability to open a VPN is in one location or many? There is a chance that where you are may now be filtering to block outbound VPNs, so the issue would be on that side and not your ISP's side.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

bienios

#5
OK thanks. Yes, looks like my firewall is not working properly. I tried turning off all rules and I could log in to my router from outside, but that's it. I switched ON one rule after another and was trying to log in again; since I turned one on I was logged out and right now I can't log in again. I will update if so. Thank you for the help.

deanwebb

Cool. If you look at the rules, each one likely deals with a port, or way of connecting one PC to another. If you know the port your VPN connection uses, you can focus on that rule.

bienios

#7
I just checked all ports on my IP and port 1723 PPTP is open but for the GRE tunnel 47 is closed. Does that mean the ISP closed it?

Dieselboy

#8
Hi,

We are suggesting that the issue looks to be the source, not your destination.

Source = where you are testing from
Destination = your home internet connection

Your home firewall is not blocking any PPTP requests. I can create a TCP connection to your home PPTP connection. So your firewall is allowing an unknown internet source (which is my home) to connect to your home. See the attached Wireshark screenshot. I have covered up your IP address because this is a public forum.

You can see in the capture trace that your device is responding to my TCP SYN.

"GRE" is not a port, it's a protocol. GRE is actually protocol number 47. You won't be able to "open" this on your firewall. Rather, your firewall needs to understand PPTP and allow the traffic based on the tcp/1723.

You can see a list of protocol numbers here. You will need to scroll down to 47: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
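
[Added example, not part of any poster's reply: a small Python sketch of the port-versus-protocol distinction above. It parses two constructed packets, a TCP SYN to port 1723 and an enhanced-GRE packet, and shows that a port-based rule can match only the first. The addresses, the helper names and the simplified rule check are assumptions made for illustration.]

```python
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}  # IANA protocol numbers

def build_ipv4(proto, payload, src="198.51.100.7", dst="203.0.113.10"):
    """Build a minimal IPv4 packet (constructed sample, checksum left at 0)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, addr(src), addr(dst))
    return header + payload

def classify(packet):
    """Return (protocol name, destination port or None, detail)."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]                     # the IP "protocol" field
    body = packet[ihl:]
    name = PROTO_NAMES.get(proto, str(proto))
    if proto in (6, 17):                  # only TCP and UDP carry port numbers
        dport = struct.unpack("!H", body[2:4])[0]
        detail = "PPTP control" if (proto, dport) == (6, 1723) else ""
        return name, dport, detail
    if proto == 47:                       # GRE: a protocol of its own, no ports
        flags_ver, ptype = struct.unpack("!HH", body[:4])
        is_pptp = (flags_ver & 0x7, ptype) == (1, 0x880B)  # GRE version 1, PPP
        return name, None, "PPTP data (enhanced GRE)" if is_pptp else "GRE"
    return name, None, ""

def port_rule_matches(packet, proto_name, port):
    """Simplified port-based firewall rule: protocol name plus destination port."""
    name, dport, _ = classify(packet)
    return name == proto_name and dport == port

# Constructed samples: a TCP SYN to 1723 and an empty enhanced-GRE packet.
tcp_syn = struct.pack("!HHIIBBHHH", 50000, 1723, 0, 0, 0x50, 0x02, 65535, 0, 0)
gre_v1 = struct.pack("!HHHH", 0x2001, 0x880B, 0, 0)  # K bit set, version 1
CONTROL = build_ipv4(6, tcp_syn)
DATA = build_ipv4(47, gre_v1)

if __name__ == "__main__":
    for label, pkt in (("control", CONTROL), ("data", DATA)):
        print(label, classify(pkt), "matches tcp/1723:",
              port_rule_matches(pkt, "TCP", 1723))
```

The GRE packet has no destination port at all, so a port scanner reporting "47 closed" is describing TCP port 47, which PPTP never uses.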

deanwebb

Dieselboy points up an important note: you need to put a firewall or some other filter on your Internet connection at home. The whole world can walk right up and say hello, or something much ruder than that. Yes, it would mean not being able to VPN in from everywhere unless you had a VPN solution on the firewall, but that's for your safety. It's always not a problem until the Belarus botnet takes over your system, then you'll be wishing you could go back in time and close that hole.