Setup Will Not Complete: Error - Connection Refused


  • Purchased Teleport kit for the sole purpose of connecting to home network while traveling.

    Home Network: Charter/Spectrum > Arris Telephony Modem TM1602A > Netgate SG-2440 with pfSense 2.4.3-RELEASE-p1 > Ubiquiti EdgeSwitch ES-24-250W > AmpliFi HD > No Clients

    AmpliFi HD: Set to bridge mode. Static IP address with a port designated via web GUI. AmpliFi remote access is enabled and confirmed operational.

    Teleport Device: Initially set up the device following the instructions. Traveled to a remote location 200 miles distant. “Completed” setup at the remote location. However, I never saw the final screen indicating the connection was finalized, and the Teleport blue circle LED continued to flash. Despite this, I was able to access my home network. I confirmed this by accessing a file server on my home network. Additionally, my device’s IP address was the same static address that is assigned by my home network’s DHCP server, while the local library’s WiFi DHCP server assigned a private IP address in the 192.168.1.0/24 range.

    I then tried to complete setup via my local library’s WiFi. Setup failed: “Connection failed - Connection refused – Timeout”. When Teleport Connectivity was tested via the AmpliFi app, initially both Local and Remote connectivity had checks next to them. UPnP was reported as not needed. Now Teleport Connectivity reports Remote: “Connection failed - Connection refused – Timeout”.

    pfSense: Port forwarding of both TCP and UDP from the WAN address to the AmpliFi HD static IP address is set up. pfSense auto-created a firewall rule to allow the traffic. The home network private IP address is not in conflict, as the home network IP subnet range is 172.X.X.X/24. A site-to-site VPN via OpenVPN is operational between my Netgate SG-2440 and a second pfSense box at a remote location 14 miles distant.

    Please note that the site-to-site VPN and the AmpliFi HD are assigned different ports, so there is no conflict here. I tried again today to connect from my local library’s WiFi network without success. The same error was seen. Might some additional tweaking of pfSense’s firewall rules be necessary? If so, what, given that I have both port forwarding and WAN firewall rules set up?

    I have been working with AmpliFi support and have previously submitted files generated by both my AmpliFi HD and Teleport devices. The support ticket number is 99367. I generated three support files and one screenshot. I have uploaded the screenshot with this post and shared the support files by email under the ticket number above.

    [Attachment: Screenshot from 2018-07-23 10-12-15.png]


  • @charles-guernsey Hi Charles! Thanks for the detailed description and the support files. We'll review them by tomorrow.


  • @ubnt-gunars Many Thanks...


  • @ubnt-gunars I tried connecting again today from my local public library. Teleport setup successfully accomplished the local connection, Internet and AmpliFi router steps. Setup failed again at the home network step. Connection refused is being reported again as the cause of the failure. I now suspect that I have a firewall problem.

    Two rules have been created: one for port forwarding and one for the firewall. pfSense automatically created the firewall rule.

    Port Forward Rule
    • Action: Pass
    • Interface: WAN
    • Address Family: IPV4
    • Protocol: TCP/UDP
    • Source: Any
    • Destination: Single host or alias
    (Used the static IP address of my AmpliFi HD and port assigned to it via the web GUI)

    Firewall Rule
    • Action: Pass
    • Interface: WAN
    • Address Family: IPV4
    • Protocol: TCP/UDP
    • Source: Any
    • Destination: Single host or alias
    (Again, used the static IP address of my AmpliFi HD and port assigned to it via the web GUI)

    I am a relative newbie with respect to pfSense. As a consequence, I may have configured port forwarding incorrectly, which would have resulted in an incorrectly configured firewall rule, given rule auto-generation. Additionally, I am thinking that I might be missing a rule: one that permits Teleport VPN traffic to and from the LAN, its absence causing the connection to be refused. Any help will be greatly appreciated.


  • @charles-guernsey thanks, Charles. We didn't look at your support files yet – will do that by tomorrow. You can use a mobile hotspot for Teleport to try different firewall settings without leaving home.

    I wonder what your ISP router settings are. Does it put the security appliance in DMZ, or have IP passthrough set for it? Is there a firewall on the ISP router too?

    Edit: router periodically sends "where to find me" updates to our pairing cloud. What if the reported public IP address is from the other point in your site-to-site VPN setup? You could check this by searching "what's my public IP address" on Google.


  • Many thanks for your reply. Regrettably, I live in a cellular service “dead zone”. In order to use my mobile phone in any capacity I need to utilize WiFi calling, which does not provide a second public IP address. So, the local library is the closest/only option for a second public IP address.

    Charter/Spectrum in this area deploys various models of the Arris Telephony Modem. It is not a router. It does not have WiFi capability. And to my understanding it does not have a firewall. My device is model TM1602. To access the modem’s diagnostic web page I have read that one navigates to 192.168.100.1. I have never done this.

    The modem has one (1) gigabit ethernet port and two (2) telephone line ports. It passes the Charter/Spectrum supplied public IP address to any device connected to the sole ethernet port. As a consequence, my Netgate SG-2440’s WAN port is assigned the public IP address, which is in the 172.X.X.X range.

    With respect to the pfSense OpenVPN site-to-site VPN, I do not see a mechanism for the remote site’s public IP address being transmitted to the Teleport. Additionally:

    1. Teleport setup reports finding the AmpliFi HD on my home’s network. It is the home network connection that fails.
    2. If the remote site’s public IP address were somehow substituted I would think that Teleport Setup would fail at connecting to an AmpliFi HD router as none exists on that LAN.
    3. The laptop which connected to the Teleport via WiFi is assigned the static IP address from the pfSense LAN DHCP server. This is in the 172.18.X.X range. If I were somehow linking to the remote site’s pfSense DHCP server, it would not be assigned a private IP address in this range, as its MAC address is not listed for IP address assignment and all non-listed MAC addresses are rejected.
    4. The site-to-site VPN uses a fully qualified domain name, as I do not have a static IP address at either site. As such, I use No-IP’s DDNS service.
    5. pfSense’s Interfaces and DDNS Status widgets report the same IP address as does ipinfo.io.

    Leaving the current rules in force I am going to add a rule to pass traffic from the AmpliFi router to the LAN as follows:

    Action: Pass
    Interface: LAN
    Address Family: IPV4
    Protocol: TCP/UDP
    Source: Single host or alias
    (Used static IP address of my AmpliFi HD and port assigned via the web GUI)
    Destination: Any
    Gateway: WAN DHCP

    I greatly appreciate your follow-up.


  • @charles-guernsey said in Setup Will Not Complete: Error - Connection Refused:
    Hi Charles!

    As a consequence, my Netgate SG-2440’s WAN port is assigned the public IP address. Which is in the 172.X.X.X range.

    Just knowing the most significant byte is not enough to tell whether IP is public or private. The range 172.16.0.0 – 172.31.255.255 is actually private. So please double check what are the two most significant bytes of the pfSense WAN IP. If it falls into this private range, then you have double NAT and another port forwarding rule needs to be created on your ISP modem which does the NAT before pfSense.

    Please also make sure that the pfSense port forwarding rule does not change the ports when mapping external to internal ports. In your case, it should look like X (external) -> X (internal) where X is the port you have configured using the AmpliFi WebUI (manual port for Teleport). Also make sure the pfSense port forwarding rule forwards this port X to the IP of your AmpliFi router, which is the private address 172.18.0.191 (static in your case).

    Otherwise, I don't see any apparent issue based on support info files you have provided.
    In order to isolate the issue you can try to create a port forwarding rule towards AmpliFi port 80 (Web UI) similarly to what you did for the Teleport manual port, and then connect to the WAN IP and port 80 of pfSense from some other network (public library, for example) to make sure that you can access the WebUI.

    The laptop which connected to the Teleport via WiFI, is assigned the static IP address from the pfSense LAN DHCP server.

    It's because Teleport in isolated mode (when not connected to the Router) uses the same LAN subnet which is synced over the Cloud.

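The three checks in the reply above (is the pfSense WAN address really public or is there a second NAT in front of it; does the port-forward map external port X to internal port X at 172.18.0.191; what does a client on another network actually see on that port) can be scripted so they are repeatable while trying rule changes. This is an added example written for this thread, not AmpliFi's or pfSense's own code. The pfSense NAT rule is modelled as a plain dict mirroring the GUI fields, the Teleport manual port 50000 and the WAN/observed addresses are constructed placeholders (the thread never states the real port), and only 172.18.0.191 is taken from the thread itself.

```python
"""Sanity checks for a Teleport port-forward through pfSense.

Added example for this thread; not AmpliFi or pfSense code.  All values
below are constructed samples except the AmpliFi LAN address 172.18.0.191.
"""
import socket
from ipaddress import ip_address, ip_network

# RFC 1918 private space plus RFC 6598 carrier-grade NAT space.  A pfSense
# WAN address in any of these means another NAT sits in front of pfSense,
# so a forward must also exist on that upstream device.
PRIVATE_RANGES = {
    "rfc1918": [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),      # 172.16.0.0 - 172.31.255.255
                ip_network("192.168.0.0/16")],
    "cgnat": [ip_network("100.64.0.0/10")],
}

# Constructed sample of a pfSense Firewall > NAT > Port Forward entry.
TELEPORT_PORT = 50000          # assumed manual port set in the AmpliFi WebUI
AMPLIFI_IP = "172.18.0.191"    # AmpliFi HD static LAN address from the thread
SAMPLE_RULE = {
    "interface": "WAN",
    "protocol": "TCP/UDP",
    "dst_port": 50000,         # external port (WAN address)
    "redirect_ip": "172.18.0.191",
    "redirect_port": 50000,    # internal port on the AmpliFi
}


def classify(addr):
    """Return 'rfc1918', 'cgnat' or 'public' for an IPv4 address string."""
    a = ip_address(addr)
    for label, nets in PRIVATE_RANGES.items():
        if any(a in n for n in nets):
            return label
    return "public"


def double_nat(pfsense_wan_ip, observed_public_ip):
    """True when the pfSense WAN address cannot be the address the Internet
    sees: it is private/CGNAT, or it differs from what an external
    'what is my IP' service reported from the same network."""
    if classify(pfsense_wan_ip) != "public":
        return True
    return ip_address(pfsense_wan_ip) != ip_address(observed_public_ip)


def check_port_forward(rule, teleport_port, amplifi_ip):
    """Return a list of problems with a port-forward rule for Teleport
    (empty list means the mapping is X -> X towards the AmpliFi)."""
    problems = []
    if rule.get("interface") != "WAN":
        problems.append("rule is not on the WAN interface")
    if rule.get("protocol") != "TCP/UDP":
        problems.append("protocol should be TCP/UDP as configured in the thread")
    if rule.get("dst_port") != teleport_port:
        problems.append(f"external port {rule.get('dst_port')} != Teleport port {teleport_port}")
    if rule.get("redirect_port") != teleport_port:
        problems.append(f"internal port {rule.get('redirect_port')} != Teleport port {teleport_port}")
    if ip_address(rule.get("redirect_ip", "0.0.0.0")) != ip_address(amplifi_ip):
        problems.append(f"redirect target {rule.get('redirect_ip')} is not the AmpliFi {amplifi_ip}")
    return problems


def tcp_probe(host, port, timeout=3.0):
    """What a client on another network sees when connecting to host:port.
    'refused' means something answered with a RST (a host or NAT actively
    rejecting), 'timeout' means the SYN was silently dropped (typically a
    firewall or a missing forward), 'open' means the forward works."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        return f"error:{e.errno}"
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed values: pfSense reports 172.222.10.20 and ipinfo.io agrees.
    print("WAN address class:", classify("172.222.10.20"))
    print("double NAT:", double_nat("172.222.10.20", "172.222.10.20"))
    print("rule problems:", check_port_forward(SAMPLE_RULE, TELEPORT_PORT, AMPLIFI_IP))
    # Run from the library network against the real WAN address, e.g.
    # print(tcp_probe("172.222.10.20", 80)) after adding the port-80 forward.
```

Run `check_port_forward` against the rule as you actually entered it (most mistakes are an external/internal port mismatch or a redirect to the wrong host), and run `tcp_probe` only from the outside network: from inside the LAN the WAN address is reached via NAT reflection, which is a different path and proves nothing about the forward.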

  • @ubnt-andrey My thanks to everyone for the help. After pondering things overnight I also came fully to the conclusion that I am dealing with a firewall rule issue. With respect to your specific points:

    1. The IP address reported by pfSense lies in a Charter/Spectrum public IP range: 172.222.X.X
    2. The external and internal port numbers are the same in the mapping.

    I might have a workaround for the mobile hotspot issue. If it works, it will greatly facilitate my trialing of firewall rule changes. If I am able to come up with an answer I will post it here. Again, my thanks.

