Any update on this?

I appear to be experiencing it too. I am trying to use an IPSEC VPN that uses UDP500 and UDP4500, but which has not worked since moving to a static IP address in December.

Is there any way to trace logs to identify if this is the PN Firewall? Or another separate issue?

If not fixed asap I will need to revert to a dynamic address - then possibly to a separate provider.

Additionally, is there a list of ports that this firewall blocks? For each settings Low / High?

Thanks for your post @keithdw

I'm really sorry to see you're having issues getting onto your VPN, because the broadband firewall's stuck in a high state.

I can try to force the firewall off, which would mean you'd have to rely on your router's and device's firewalls, because you wouldn't be able to configure the settings, due to the problem we're still working on getting to the bottom of. 

Let me know if you're happy for me to go ahead and I'll see what I can do. 

Full details of what the broadband firewall does can be found Here. In a high state, it blocks unauthorised incoming traffic, which will stop some things from working, like certain apps, VPN software or active FTP sessions. 

From 31st October 2022, I no longer have a regular presence here as I’ve moved on to a new role.

Anoush Mortazavi Plusnet

I'm happy to rely on my firewall, thank you...

is off, appropriate? or low? I don't recall what it was pre-static address, although i think it was probably off.

Thanks for getting back to me @keithdw 

What's interesting is that it appears your broadband firewall has been in a high state for a long time as far back as I can see and that's two years, because there's nothing (from what I can see) to suggest changes have been made in that time. 

This means that you'd have had a static IP previously, because when the broadband firewall is active, we automatically add a free static IP onto an account for as long as the firewall is active. This is just the way it works in our network. 

I believe the firewall should be turned off now. Could you try your VPN? 

From 31st October 2022, I no longer have a regular presence here as I’ve moved on to a new role.

Anoush Mortazavi Plusnet

Oh... i deliberately requested a Static in December because we're doing so much more work related things from home, obviously, and certain clients i need to access wanted static source addresses...

I didn't  take much notice prrior to then, though, but I did *think* I'd turned it off...

Now you say this though, I question my memory!

Going to try it now, will come back shortly.

ta!

No change - unless I need to restart routers this end?

Whats also interesing is that if I had a static address, i wouldnt have needed to request one, and I wouldnt now be paying £5 extra for one... a problem for another day... i simply need this VPN to work.

The traffic is UDP, its an IPSec VPN, which is problematic at best to trace...!

---

@keithdw wrote:

Whats also interesing is that if I had a static address, i wouldnt have needed to request one, and I wouldnt now be paying £5 extra for one...

---

While correct, the free static IP we added would’ve been dependent on the broadband firewall being active, and that this being always the way the service works in our network, because it didn’t used to need a static IP. It’s just in the last couple of years through some changes. 

No worries though, aye I’d try rebooting your router.

Let me know how it goes.

It may sound like a silly suggestion but I know it is.a valid check. Trying to establish a VPN from a connection within the same network boundary (LAN) wil fail. Connection has to be made from an external source.   If you cannot test this then an option is to disconnect the device to link from off your network and tether it via your mobile running a hotspot - then try to link to your VPN server 

Also, sorry, Im just chatting to the network engineer responsible for this VPN.

He can see inbound requests from my IP on ports 500 and 4500, and he can see responses being sent. Phase1 is completing at his end, it then sends effectively an ACK, to start Phase2.

What i cannot see in the logs is those responses being received... so Phase2 is never starting, the 'Phase1 retransmit reaches maximum count and times out'.

@akrypzs thanks for the response... yes, I can do that... i havent yet had a chance to, but it is the next step to confirm my internal IT department haven't done something daft with a patch... it would *not* be the first time!!!!

No joy after a restart. I'm going to take my laptop out and try tehtering it... this 'feels' like it might be the device not the network.

That said, someone on another plusnet forum suggested the routing was different for static addresses - is it possible that there's some merit in that? Are you able to trace specific traffic?

Routing is slightly different between static IPs, but nothing I’d have thought that would cause an issue, compared to dynamic IPs which aren’t routed the same way.

If anything a static IP should work better than a dynamic for a VPN, in the sense that sometimes, we see issues where something’s blocking a dynamic IP, which is generally from the VPN side of things. 

We don’t have any special tools to trace specific traffic, but you could try running a traceroute to the endpoint.

My knowledge I admit of networking is limited, but if @bobpullen is around, he may be able to help.