
Switched to Full Fiber - SSH/VPN traffic not working, other port forwards fine?

james_s60
Investigator

Hi, 

Just switched from Virgin Media (FTTP into a media converter to take it back to DOCSIS) to EE Full Fiber. I am using an OPNsense router connected directly to the ONT.

I have an SFTP server and a WireGuard VPN server, both of which worked fine with Virgin, both of which no longer work after the switch to EE. Other traffic (e.g. HTTP over any port) seems to work fine.

There have been no LAN side or router config changes with the exception of enabling PPPoE on the WAN interface.

nmap shows port 22 or 52222 as filtered, canyouseeme.org shows as open, yet I cannot connect via SSH. WireGuard is also unable to establish a connection from EE mobile data. I'm on an 86.xx.xx.xx/32 subnet so no CGNAT either. I ran tcpdump on the SFTP server, no packets hit the server. I ran tcpdump on the WAN interface of my router, also no traffic.

I called EE and got escalated to someone in the technical team, apparently EE do not block or filter anything by default, but I don't see how it's possible that they aren't blocking this traffic?

Any ideas?

1 SOLUTION

Accepted Solutions
james_s60
Investigator

Gentlemen, it was FU**ING DNS...

Time to hang up my sysadmin hat in shame and swallow myself in 27 beers, maybe even some silkroad philosophy rock. A truly unacceptable error on my behalf. 

EE - I owe you flowers and an apology. Please contact me to arrange this. 

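The accepted answer says the cause was DNS but not what exactly was wrong. As an added example (not from the thread), this sketch checks two things worth ruling out before suspecting ISP filtering: that the WAN address is publicly routable, and that the hostname clients connect to resolves to it. That a stale record was the cause here is an assumption, and the hostname and addresses shown are constructed.

```python
import ipaddress
import socket

# RFC 1918 private ranges plus the RFC 6598 CGNAT shared address space.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def resolve(hostname):
    """Return the set of addresses the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def triage(hostname, wan_addr, resolver=resolve):
    """Classify why inbound traffic for hostname may never reach the WAN interface.

    resolver is injectable so the check can be exercised offline.
    """
    wan = ipaddress.ip_address(wan_addr)
    if any(wan in net for net in NON_ROUTABLE):
        return "wan-not-public"   # port forwards cannot work behind NAT/CGNAT
    try:
        answers = {ipaddress.ip_address(a) for a in resolver(hostname)}
    except (socket.gaierror, ValueError):
        return "dns-no-answer"    # name does not resolve at all
    if wan in answers:
        return "dns-ok"           # name is right; look at firewall rules next
    return "dns-stale"            # clients are connecting to a different address


if __name__ == "__main__":
    # Constructed sample: the record still points at a previous WAN address.
    old_record = lambda host: {"198.51.100.7"}
    print(triage("sftp.example.test", "203.0.113.10", old_record))
```

A "dns-stale" result also explains tcpdump on the WAN interface showing no traffic: the packets are going to another address entirely.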

13 REPLIES
james_s60
Investigator

Updates:

  • Just for the hell of it, I plugged in the EE supplied router again, made zero changes apart from a port forward rule, set up an SSH server on my laptop, sure enough - still no dice.
  • Called EE, they reluctantly-ish agreed to open a case with Openreach after mentioning that this was a dealbreaker enough issue to take me back to VM.
  • Tried SSH on common ports like 80 and 443 to see if I could trick the port filter, no dice.
  • NordVPN works via NordLynx protocol, but not via OpenVPN. Both work on EE 4G.
  • ICMP also appears to be blocked as I cannot even ping my own WAN addr, even with a temporary any any rule on my firewall's WAN interface. My mother is also EE, stock router stock settings, also cannot ping her WAN addr.

Waiting on callback from Openreach, however, I suspect the blocking would be EE side as it would be commercially advantageous for them. 

@james_s60 VM move is your better choice, don't waste time waiting on EE to sort anything out, should have done your homework before switching!

Well, let's see what Openreach come back with. There's a whole list of reasons I've been keen to move away from VM and CityFibre isn't in my area yet.

I did ensure no CGNAT before signing up and couldn't see anything to imply EE block anything (as the official stance is that they don't). On paper it should work.

@james_s60 Then just keep the supplied EE Router on the wan connection, anything else you will have NO support!

Issue persists with the EE router too though, it's clearly filtering the packets somewhere upstream. Seemingly anything bar HTTP, HTTPS, DNS isn't playing ball.

@james_s60 It's your choice, put your opnsense router on and watch everyone walk away!

You'll get no callback from OR. Your contract is with EE. OR don't talk to end-users other than regarding any visit when they are acting on behalf of EE.

If you think I helped please feel free to hit the "Thumbs Up" button below.

To phone EE CS: Dial Freephone +44 800 079 8586 - Option 1 for Home Broadband & Home Phone or Option 2 for Mobile Phone & Mobile Broadband

ISPs: 1999: Freeserve 48K Dial-Up > 2005: Wanadoo 1 Meg BB > 2007: Orange 2 Meg BB > 2008: Orange 8 Meg LLU > 2010: Orange 16 Meg LLU > 2011: Orange 20 Meg WBC > 2014: EE 20 Meg WBC > 2020: EE 40 Meg FTTC > 2022:EE 80 Meg FTTC SoGEA > 2025 EE 150 Meg FTTP

Not a helpful response though, is it?

The OPNsense router was a non-issue with Virgin and there have been zero config changes. EE do not forbid third party routers, they have support articles for such on their own website. But most importantly of all - the issue persists on the EE router!

Thanks for the comment - I did think this strange, but that's what the EE guide said.

Ultimately EE are leasing the OR backhaul, but still have their own ISP infra, so while they may have an escalation team for issues outside of their control (e.g. line damage), I'm surprised they don't have an internal tech team that would investigate first (especially considering that logically, the issue would most likely lie with them).

Even with the EE router in place, they had a very "don't care" first line attitude towards it with no offer of escalation past logging a fault with Openreach.

The guide did seem a bit "first line" - do you think it's worth calling again?