Issues from your ISP

Just wanted to get some information on how many people have had issues with their ISP. Last Thursday my ISP started blocking my 8444 port. My port has been open since April of this year; I port forwarded it in my router to the IP of my farmer way back then. No issues till last Thursday.

Comcast is working on the issue, Xmas is coming right…

I am also on Comcast. Just checked that port checker, and it shows that 8444 is closed (have never checked it before). However, I depend on chia doing UPnP to open/close ports on my router.

Although I don’t see any problems, maybe I am just unaware of them. What problems do you see?

When I set up my router months ago and port forwarded 8444 (TCP/UDP) to my main node farmer, the port was open. Which modem (gateway) do you have? I just upgraded to the XB7, which is their latest, but still the port is blocked. I set up my router with a fixed IP and put that in the cable modem’s DMZ. And it’s been working for 9 months plus.

Yes, I can port forward that port, no problem. That is not the issue. Again, I don’t think that I have a problem.

Looking at the installation guide, you don’t really need to open that port - “If you want more peers and better network connectivity, you should also try opening port 8444 on your router so other peers can connect to you.”

That section is kind of misleading (IMO) for two reasons. The first is “If you want more peers.” The number of peers your node will try to maintain is specified in config.yaml (target_peer_count). If you see that many peers in your Connection section, your node will not accept any more connections whether that port is open or closed.

The second is “If you want … other peers can connect to you.” This is a P2P network, so all peers are equal. There is no difference for a node whether it connects to peers up to the specified limit, or it lets peers connect to itself - basically, the same end result.

Although, from the whole network point of view, maybe having that port open is preferred. Assuming that all nodes will have that port closed, that would lead to a situation where there are plenty of nodes out there, but no one is accepting any connections, so all nodes are isolated - nothing works. Although, I don’t know how Chia is using UPnP, so maybe even with that port closed for that port checker, it opens that port for some specified peers, so they can connect (basically white-listing some peers).

Lastly, this statement “better network connectivity” is a bit vague. Not knowing what that means rather implies to ignore that (as I said, I don’t think I have any problems).

Although, the main difference for me is the security. If that port is closed, it means that the node will get a list of available peers from somewhere (config.yaml - introducer_peer), and only open connections to those peers. That limits the possibility of some rogue entity trying to hack such a node.

Sorry, another long one, and a bit off topic. Although, my understanding was that chia is using UPnP to open that port for anyone. Maybe that is not the case. So, the fact that my port is closed looks like it has no value with respect to your original problem (Comcast blocking that port).

Although, what all that would imply is that even if Comcast will decide to ban all of us, that just will not work. So, unless you really see / have problems, maybe you should not worry about that.

I have Comcast.

Can I assume that as long as I am staying synced, and I have plots passing the filters, that I have whatever connectivity is needed for Chia to do its thing?

Yes, your full node just needs peering with other full nodes. Peering can happen originating from your client (taking the initiative, outbound) and receiving (initiative from another full node, inbound). If however too many full nodes will not be reachable for inbound connections (port 8444 closed) it will get difficult to initiate outbound connections also (no one to talk to, like everybody wearing headphones on the bus these days… :wink:)

This is a very dangerous thing!!! DMZ is not selective (8444) port forwarding but sending all inbound connections (all ports, all inbound IPs) through to the assigned IP. It’s leaving all doors and windows open in your house. Hopefully you have some very tight firewalling on the system itself, but you really can’t trust your system to be clean anymore.

Could it be you just upgraded before noticing port 8444 was closed?
If you really set DMZ on your new router it may well be Comcast protecting you by blocking all inbound connections to your IP…

Could you substantiate that, please? My understanding is that DMZ is just a separation between two zones, where one (private) can access the other, but not the other way around. That means that in order for DMZ to get anything inbound (from the public side), port forwarding is still needed. Your interpretation is more like a bridge mode, but with IP flipping.

Although, it may be that different vendors set up their DMZs differently.

I have never used my cable modem / router’s DMZ port. But as I understand it, it puts your connected computer(s) directly on the public internet – no NAT protection.

@drhicom is your Chia rig, that is connected to your DMZ port, using a private class IP address (such as starting with 192.168 or 10.0, etc)? Private IP addresses cannot be seen by anything on the public internet. TCP/IP will not connect a public IP address to a private IP address. That is the job of your router’s NATing.

But if your Chia rig (the one connected to your DMZ) has a public IP address, then any computer on the internet can blast away at it, and your only protection is your rig’s own firewall. Even if your firewall is first class, it is seeing every access request (good or bad).

So is your DMZ connected rig using a private or public IP address?

DMZ is not a separation between zones but a separate zone itself, between a highly secured internal network and the internet. But for the concept you’d need two firewalls.
Internet -FW- DMZ -FW- Internal Network.
Home routers (the ones I know) implement a very rude form, where your internal network becomes the DMZ… without any additional firewalling.

Pretty sure it still has a private IP.
But still, the DMZ feature in routers is more like a ‘port forwarding for all ports in one click’ than a real DMZ from the textbooks, so all incoming connections on the public IP are routed straight to the internal IP assigned.

An easy test would be to use a port scanner, not for just 8444 but all ports it supports.
Even when that results in closed that may well be the software firewall on the system but I wouldn’t want to bet on known weaknesses in those firewalls…

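The self-check suggested above, as an added example that is not from the thread or from Chia: it tells apart the three ways a port on your own public address can answer, which is the information the thread is missing when it says 8444 “is closed”. The script assumes you run it from outside your LAN against your own public IP (many consumer routers do not hairpin NAT, so a check from inside says nothing about what the Internet sees); `local_demo()` is an offline illustration on loopback.

```python
from __future__ import annotations
import errno
import socket
import sys

def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed' or 'filtered' for host:port.

    open     - TCP handshake completed: something listens and router + ISP
               let the SYN through
    closed   - far end answered with RST: packets arrive, but nothing is
               listening (e.g. the forward points at the wrong LAN IP)
    filtered - no answer before the timeout: a firewall, a missing forward
               rule or an upstream (ISP) block is silently dropping the SYN
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError as exc:
            # an unreachable host/network looks the same as a silent drop
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise

def check_ports(host: str, ports: list[int]) -> dict[int, str]:
    """Check several ports at once, e.g. 8444 (Chia) and 8500 (the camera)."""
    return {port: check_tcp_port(host, port) for port in ports}

def local_demo() -> tuple[str, str]:
    """Offline illustration: a loopback listener must read 'open', and the
    same port must read 'closed' once the listener is gone."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        while_listening = check_tcp_port("127.0.0.1", port)
    after_close = check_tcp_port("127.0.0.1", port)
    return while_listening, after_close

if __name__ == "__main__":
    # usage: python portcheck.py <your-public-ip> 8444 8500
    target, *ports = sys.argv[1:]
    for port, state in check_ports(target, [int(p) for p in ports]).items():
        print(f"{target}:{port} {state}")
```

A result of “filtered” from outside, while the same port reads “open” from a neighbour on the LAN, is the pattern that points at the modem or the ISP rather than at the router’s forwarding rule.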

I guess we are splitting hairs. DMZ is “demilitarized zone,” where the private part is your “private zone.” Exactly the same two things. What makes one a DMZ is that you should only expose your private part in the DMZ. Also, to make life easier, you may want to open the connection from your private to DMZ (but not the other way around), so you can manage it potentially in a simpler way. With home networks, more and more apps require port forwarding, so those routers support UPnP to do that, which basically violates what is exposed and where. Still, having that DMZ not able to reach into the private zone is a good part.

Yes, (IMO) properly implemented zones require physical separation (three+ NICs), and those home routers don’t have that (therefore it is a logical separation). Still, my understanding is that on those home routers you have the same NAT on both sides (same port forwarding), but the only difference is that your private zone can see the DMZ, where your DMZ is not aware about your private part.

Take a look at wikipedia.
“exposes an organization’s external-facing services to an untrusted, usually larger, network”

They explicitly say “external-facing services” and not “all inbound ports.” In the middle of that document, they also list examples of those services.

Although, I don’t have that much (if any) experience with setting up DMZ on home networks (if needed, I would go for a double NAT for the private part).

It has to, as otherwise that zone would be in bridge mode, as such the private part would not work.

I take it back (about forwarding all ports). Here is the Netgear blurb about DMZ. As you stated, “DMZ opens up all the ports for one IP address on the LAN.”

That really sucks. I guess double NATting is the way to go.

I guess I wouldn’t want to argue with Wikipedia either :wink:
My point is that in home routers the term DMZ should not be used because it really does something else.
Marketing-wise DMZ just sounds nice, I guess, but it’s confusing.

Another thing, you said you depend on chia using UPnP to open/close needed ports on your router.
UPnP is another feature on routers’ spec lists but (thankfully) disabled by default in most. If it’s still disabled on yours I can understand why the 8444 port scan resulted in closed. The Chia client wants to talk UPnP to the router but the router is deaf. If you enable UPnP on the router it’s not only the chia client that can open 8444 in the router’s firewall but all devices/software on your local network that want to use UPnP to open any ports they see fit.


100% agree with that.

Thank you for that!

Checked my router, and it has UPnP enabled, and still that port looks like it is closed. So, maybe I was wrong that chia is using UPnP; maybe it works just because for outbound connections there is no need to port-forward anything, thus no need for UPnP.

Yeah, I participated in DLNA meetings, where they were discussing opening ports for operators to be able to “monitor” private devices (e.g., Comcast being able to disable apps on your computer). I was the only one objecting to that, but maybe I was the only one that didn’t represent a big company that had an interest in having full access to those computers.

Maybe consider turning it off. It’s not doing anything for you that you can’t do in a more controlled manual way and poses some nasty security threats.

Here’s a YouTube video from NordVPN explaining pros and cons.

Think of it this way: even with UPnP your computer(s) could probably still be safe, due to firewall/virus scanners running (on most anyway these days). But how about your dishwasher, IP cameras or other IoT devices…

What started this search was when I brought up my browser and (farmr) it didn’t come up. I just checked port 8444 and it was closed. And when I spoke with Comcast they told me that my gateway was end of life and I should replace it. But the port still isn’t open. And if I want to put in an IP cam using port 8500, that’s closed also. And that needs to be found out why.

To answer your question, all of my equipment, servers, PCs and IP cameras are connected to my Netgear router on a 192.168.x.x, and the input to that router (10.0.0.x) is connected to my Comcast cable modem (gateway) in the DMZ. I handle all port forwarding in the Netgear router. I could put the Comcast in bridge mode, but then my alarm wouldn’t work. Still waiting for the security group from Comcast, to which I spoke yesterday, to get back to me. The question is why did they shut down a range of ports?