Has Spectrum Cable Internet started blocking inbound traffic

swb_mct

Member
THIS IS AT AN UNOCCUPIED SEASONAL HOME . . . WE ARE NOT THERE NOW
We have about 20 IP cameras plus access to the HAI OMNI2 PHONE APP and other things that are accessed by port forwarding through our router. Had this arrangement for 20 years and yesterday it stopped . . . no inbound traffic gets to our cameras or other systems. Outbound internet works because our Ring cameras and generator communicator are still working, which are OUTBOUND CONNECTIONS.

THIS IS THE SETUP . . Port translation is used so only ports above TCP 45000 are internet-facing. Very little scanning observed in this port range. None of this stuff works now but outbound connections still work.

It's not possible to block "inbound traffic". They can block inbound ports but ethernet is a 2 way protocol so blocking one way would stop all traffic since the outbound would never receive a reply.
But anyway, I think the first thing to verify is that your public IP didn't change. You say you aren't there but do you have a way of verifying the IP there? Maybe Ring or the generator?
One thing I would recommend is to set up a VPN connection between houses, or even just a remote access into the seasonal home at least.
I can't imagine having all those ports open when there's no need to. Most store bought routers have a built-in VPN capability so should be easy to do.
 
100% you should look into running your own VPN service. You can likely run it on your router. This way you will only have a single port open to the internet, and it will require a matching encryption file before the system will allow an outsider access to the network. Currently your entire network is only as secure as the firmware on your CCTV cameras. Which is to say it is basically an open book to anyone that actually wants to take the time to see what's on the rest of the network.
 
Here I use (for years now) pfSense+ with a VPN server running on it.

With VPN running I can see all of my devices from the WAN and alternate home with Windows, Android or iOS.
 
I would personally suggest you look at the Unifi Cloud Gateway routers. You could easily link your primary home and seasonal home networks and manage it as one - even behind a telco/cable router. I have not seen any other routers with the simplicity of VPN setup for end devices or full site-to-site VPNs. You would not need to open any external ports for your remote connectivity.
 
Traditional VPNs do require a port to be open. It's encrypted which is obviously infinitely more secure than an unsecure port (which is why we all suggest using a VPN in the first place). But your network still has to accept VPN communication with the outside world to work.

A quick internet search leads me to believe that the Unifi Cloud VPN uses a default port of UDP 51820.
 
All Unifi equipment tries to make it easy for people who don't know much about networking.
It does open a port, but it does it for you so you don't know it's open.
This is why I always try to get people to move away from Unifi. Learn how to network yourself instead of letting the equipment do it for you.
But I get it, some people can't learn it so Unifi will always have a marketplace.
 
Your interpretation of Unifi is very wrong - and also insulting.

I work with enterprise class equipment all the time (Cisco, Palo Alto, etc.), so I am quite familiar with networking. Until recently, I preferred the EdgeRouter line (for home use), but the recent Unifi systems have added a lot of VPN capabilities - that 100% do not require an open port.

Think of services like TeamViewer or GoToMyPC that allow inbound connection without an open port. They do this by establishing a connection via an outside "broker". That is where the "cloud" portion of the Unifi Cloud Gateway comes in. The free Unifi cloud service brokers your connection to allow VPN access without incoming ports. I have a friend that is currently remotely configuring some equipment behind a Unifi router, sitting in my house behind a triple-NAT, with no incoming ports. Or maybe you could explain to me how it managed to magically open incoming ports on my EdgeRouter, Mikrotik and Unifi routers (triple-NAT) to establish the incoming path???
 
I can absolutely explain it to you.
Those services create an outbound connection to "their" servers. So the inbound return connections are allowed.
This means you are now relying on "their" servers to connect to your network.
If you're ok with that, then go for it!
Or, as I said, you can learn how to network properly and manage your connection yourself. It's up to you.
Like I said, there will always be people who don't know how to network, and frankly, those who don't want to know.
That's where Unifi and the like will always have a user base.
Nothing insulting about it, just the way it is. Unifi is well known for opening ports and assigning VLANs and other "things" behind the scenes that the owner doesn't know about. And again, maybe they don't need or want to know about it.
Personally, I'd rather be in control of my stuff. Others will think differently. There's nothing 'wrong' with either.
 
Port 51820 is only needed if you use the Unifi router as a WireGuard server. The newer Unifi routers can function as a WireGuard server, WireGuard client, OpenVPN server, OpenVPN client, SD-WAN endpoint or a Teleport server, or a combination of multiple VPNs.
 

An OpenVPN server on a Unifi router ALSO needs an open port to function correctly. The default OpenVPN server port is 1194.

A "Teleport" server is Unifi's "non-configuration" VPN, which is what I referred to as the "Unifi Cloud VPN" (likely incorrectly, but I don't use Unifi or know their "lingo") in my first post. Teleport actually uses a WireGuard VPN connection to function, which is why it uses the same default port as a WireGuard VPN server would.

"Clients" obviously don't need an open port since they are "establishing" the connection with a server somewhere else. A client can't establish this connection unless it can communicate with the server however. This means a client needs access to the "internet" to make this connection, and the server has to accept unsolicited incoming data (through an open port) to work. The client doesn't need any open ports obviously because it does not need to accept unsolicited incoming data.

I normally don't call people out on this forum, but for someone that works with "enterprise class equipment all the time" and is "quite familiar with networking", you seem to be missing out on some basic knowledge of how traditional VPN services work. That's OK, as none of us have knowledge on every subject, but please stop trying to "prove your point" when you don't really understand how it works yourself. You are just digging yourself into a bigger hole. I think we have more than proven that Unifi gear is not some magical solution that somehow allows traditional VPN services to function without opening a port on the firewall.
 
I've not dug any hole here. I think the issue here is that you guys have not brushed up on the latest offerings from Ubiquiti and you are stuck on how "traditional" VPNs work. The Teleport VPN does use WireGuard for protocol and encryption, but it DOES NOT require any incoming port to be opened - and no, they don't open it for you. A simple Google search will enlighten you. My example above is a perfect case where a friend is coming into my house behind a triple-NAT with ZERO ports open for it. You can't tell me the Unifi router opens ports and creates forwards on the other two upstream routers in front of it (and those other two routers do not use UPnP).

I bought a Unifi cloud router over a year ago and opted not to use it as it did not give me enough control. In the last few months though, a friend was mentioning what he was doing with his, so I took a look at their latest version and was impressed with the upgrades. If you have not looked at the feature set in the last 6 months or so, you really can't compare this to earlier models.

And of course OpenVPN requires open ports. If you're going to roll your own with Unifi and set up an OpenVPN or WireGuard server you absolutely need ports open - those are traditional type VPNs. If you use Teleport, you do not.

Part of my suggesting the Unifi solution is due to the audience of this forum. Most folks here want to do automation, but don't necessarily have the networking skills to "roll their own" for Wireguard, OpenVPN or others. The OP was looking for a solution to Spectrum blocking his access and telling him to learn networking and roll his own VPN is not the right answer. Thus, the suggestion to look at Unifi for their zero configuration option.
 
Latest? Teleport has been in use since 2019 last I knew. Maybe even sooner.
What you aren't getting is outbound connections versus inbound.
Teleport is basically Tailscale (which also uses WireGuard). So you are still establishing an outbound connection from your LAN to Ubiquiti's servers. Most people do not block outbound, so this connection is allowed. Which also means the returning inbound traffic will also be allowed. When you want to connect to your LAN remotely, you first connect to Ubiquiti's servers, which will absolutely have a port open, since it's a VPN after all, then you're redirected to your destination.
WireGuard works behind NAT with no problems, but one side has to be able to receive the connection, which means it needs an open port.
This works fine. And if you're ok with it, go for it! But what happens when their servers go down and you can no longer access YOUR stuff?? Now, since you have no idea how to set it up and let them do it for you, you're SOL until they fix it. Again, you need to know that going in and most people don't, but if you do and that's acceptable to you, no problems.
I can't tell you how many people I help that sound just like you, Unifi, Unifi, Unifi! Then they have problems and realize they can't do anything about it themselves, so they dump Ubiquiti and learn.
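Several posts in this thread (the first reply, the "outbound connection, so the return is allowed" explanation, and the Teleport/Tailscale comparison just above) rest on one mechanism: a stateful filter lets replies to LAN-initiated flows back in while dropping unsolicited inbound packets. The model below is an added example written for this thread, not code from any poster or from any router vendor. It simulates a home router with port forwards behind an upstream filter that may or may not pass unsolicited inbound traffic, and shows why the forwarded camera ports and a WireGuard server port go dark while the Ring cameras and a broker-style (Teleport/Tailscale-like) session keep working. All addresses (RFC 5737 documentation ranges), ports and hosts are constructed, and the NAT is simplified to keep the source port unchanged.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class StatefulFilter:
    """Connection tracking as done at an ISP edge or a router's WAN side.

    When allow_unsolicited_inbound is False, the only WAN->LAN packets that
    pass are replies to flows that a LAN host opened first (ESTABLISHED).
    """
    allow_unsolicited_inbound: bool
    flows: set = field(default_factory=set)  # 5-tuples of LAN-initiated flows

    def outbound(self, pkt: Packet) -> None:
        # Remember the outbound 5-tuple so the reverse direction is recognised.
        self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt: Packet) -> str:
        # A reply swaps source and destination relative to the recorded flow.
        reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_of in self.flows:
            return "ESTABLISHED"
        return "NEW" if self.allow_unsolicited_inbound else "DROP"


@dataclass
class HomeRouter:
    wan_ip: str
    forwards: dict  # (proto, wan_port) -> (lan_ip, lan_port), the port-forward table
    filt: StatefulFilter

    def lan_initiates(self, lan_ip: str, lan_port: int, dst_ip: str, dst_port: int, proto: str = "tcp") -> None:
        # Source NAT: the internet sees the router's WAN address. Keeping the
        # port unchanged is a simplification of real NAT (assumption).
        self.filt.outbound(Packet(proto, self.wan_ip, lan_port, dst_ip, dst_port))

    def from_internet(self, pkt: Packet) -> str:
        verdict = self.filt.inbound(pkt)
        if verdict == "ESTABLISHED":
            return f"reply delivered to LAN port {pkt.dst_port}"
        if verdict == "DROP":
            return "dropped upstream"
        target = self.forwards.get((pkt.proto, pkt.dst_port))
        return f"forwarded to {target[0]}:{target[1]}" if target else "dropped: no forward rule"


def unsolicited_surface(forwards: dict) -> list:
    """Every (proto, port) that accepts unsolicited traffic: the exposed surface."""
    return sorted(forwards)


def simulate(isp_blocks_unsolicited: bool) -> dict:
    """Run the thread's scenario with the upstream filter open or closed."""
    forwards = {
        ("tcp", 45001): ("192.168.1.21", 80),      # a camera behind port translation
        ("udp", 51820): ("192.168.1.1", 51820),    # WireGuard server on the router
    }
    router = HomeRouter("203.0.113.10", forwards, StatefulFilter(not isp_blocks_unsolicited))

    # Devices that phone home first: a Ring camera to its cloud, and the router
    # registering with a rendezvous/broker service (Teleport/Tailscale style).
    router.lan_initiates("192.168.1.50", 40001, "198.51.100.5", 443)
    router.lan_initiates("192.168.1.1", 40002, "198.51.100.9", 51820, "udp")

    return {
        "camera via port forward": router.from_internet(Packet("tcp", "198.51.100.77", 55000, "203.0.113.10", 45001)),
        "wireguard server": router.from_internet(Packet("udp", "198.51.100.77", 55001, "203.0.113.10", 51820)),
        "ring cloud reply": router.from_internet(Packet("tcp", "198.51.100.5", 443, "203.0.113.10", 40001)),
        "broker reply": router.from_internet(Packet("udp", "198.51.100.9", 51820, "203.0.113.10", 40002)),
    }


if __name__ == "__main__":
    for blocked in (False, True):
        print(f"upstream blocks unsolicited inbound: {blocked}")
        for name, result in simulate(blocked).items():
            print(f"  {name:24s} -> {result}")
    print("exposed surface:", unsolicited_surface(simulate.__defaults__ or {}))
```

Running it with the block on reproduces the OP's symptoms: the forwarded camera port and the WireGuard listener stop answering, while the Ring session and the broker session still receive replies because the filter saw those flows leave first. It also makes the attack-surface argument concrete: the exposed surface is exactly the port-forward table, so twenty camera forwards expose twenty listeners, a self-hosted WireGuard server exposes one, and a broker-only setup exposes none but depends on the broker staying reachable.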
 
Years ago I used and tested stuff for Ubiquiti. It is a solid product.

These days I use pfSense+ (with OpenVPN and WireGuard servers running), accessible via the WAN with any OS. I also pay for VPN via Private Internet Access. I also configured a tear drop in the Oracle cloud and OpenVPN cloud; it works but is not really required here.

I have been using pfSense now for years and find it flexible and stable.

Only utilize Ruckus these days (last few years) for wireless.

I have gone to using L2/L3 managed switches and am a happy camper. Really, all of this stuff keeps me busy in my old age and is not really necessary.

Do not need another monthly subscription fee here for any services these days.

I did try the Ring alarm and camera environment in a second home and was impressed. I also used Zoneminder and Blue Iris for CCTV. I preferred Zoneminder (free) because it ran in Linux over Blue Iris.


@swb_mct
I would recommend configuring a VPN server and using some sort of CCTV server for your cameras, with whatever alarm system you want to use. Personally, I used Home Assistant to manage the Ring ecosystem.
 
Yup, not sure if the old CocoonTech was brought over when it came back but if so, you'll find a post where I was the one who suggested pfSense to you. I used m0n0wall for years and switched to pfSense when they forked it. Haven't used another firewall since. I have tried others, but nothing comes close.
I can't tell you how many people I've suggested it to over the years and most still use it.
 