Switched to Full Fiber - SSH/VPN traffic not working, other port forwards fine?

james_s60
Investigator

Hi, 

Just switched from Virgin Media (FTTP into a media converter to take it back to DOCSIS) to EE Full Fiber. I am using an OPNsense router connected directly to the ONT. 

I have an SFTP server and a WireGuard VPN server, both of which worked fine with Virgin, both of which no longer work after the switch to EE. Other traffic (e.g. HTTP over any port) seems to work fine. 

There have been no LAN side or router config changes with the exception of enabling PPPoE on the WAN interface. 

nmap shows port 22 or 52222 as filtered, canyouseeme.org shows as open, yet I cannot connect via SSH. WireGuard is also unable to establish a connection from EE mobile data. I'm on an 86.xx.xx.xx/32 subnet so no CGNAT either. I ran tcpdump on the SFTP server, no packets hit the server. I ran tcpdump on the WAN interface of my router, also no traffic. 

I called EE and got escalated to someone in the technical team, apparently EE do not block or filter anything by default, but I don't see how it's possible that they aren't blocking this traffic? 

Any ideas?

16 REPLIES

@james_s60 - doesn't help your case any but FWIW, I have both a Wireguard and SSH server on my LAN running over an EE FTTP connection. Both work fine and are accessible from outside. Likewise, if I use a third party router (EE kit blocks incoming ping), then I can get an ICMP response too 🤷

Shot in the dark, but I wonder if it's worth you powering your kit off for an hour or two to see if you can get assigned a WAN IP from a different subnet. Perhaps the issue is something to do with how you're currently routed?


@james_s60 wrote:

I ran tcpdump on the WAN interface of my router, also no traffic.


On the WAN interface or on the virtual PPPoE interface? Not the same thing as I understand it.

Edit: also, what machine are your servers running on? Guessing it's not, but if it's Windows then have you ensured the network is set to 'private' and not 'public'? It has a tendency to sometimes default back to public when switching routers etc.

Hi Bob, 

Thanks for the reply and apologies for the slow response, only just clocked it - same wavelength so good stuff 🙂 

Great to hear yours works, that's genuinely promising as it does lean more towards a fault as opposed to malicious/intended blocking. Still waiting to hear back from EE's internal 3rd line networking team... As it happens, it seems ANY protocol bar plain HTTP, HTTPS, DNS is not working. 

Tempted to disable DHCP6 on my WAN interface entirely and remove the AAAA record from my domain to rule out any IPv4<->6 Xnatting weirdness. 

RE tcpdump, both interfaces simultaneously

Servers are running a mix of Debian and Red Hat so no firewalling or zone weirdness. This is a Windows-free household 😉 

 

Cheers 🙂  

james_s60
Investigator

Gentlemen, it was FU**ING DNS...

Time to hang up my sysadmin hat in shame and swallow myself in 27 beers, maybe even some silkroad philosophy rock. A truly unacceptable error on my behalf. 

EE - I owe you flowers and an apology. Please contact me to arrange this. 

@james_s60 Enjoy all the beers, and one more step to keeping your VM return at bay!

Indeed haha!

@bobob @JimM11 - Do you guys have any idea how frequently your WAN IPv4 changes? 

The other day I felt like a right idiot for discovering it was DNS, before later discovering that my IPv4 had changed almost every 12 hours! (forgive me for thinking it would last a little longer than that... lol)

I called EE to ask if they sell a static address, got a firm no. 

Current solution is the OPNsense dynamic DNS plugin + a Cloudflare DNS zone edit API. Seems to be holding so far, but that frequency of address change is silly! In theory DNS propagation is up to 48hrs so it borderline might not be possible to keep up. (I feel for those trying to get anything done on the stock router!)

Tonnes of brownouts in my area this week so wondering how sensitive the ONT is to power dips - possibly losing its lease on reboot? - May be worth moving the ONT to my UPS when I get chance. 
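A check relevant to where this thread ended up, as an added example that is not part of any poster's message: it parses the answer section printed by `dig +noall +answer <host>` and reports whether the hostname's A record still matches the router's current WAN IPv4, along with the TTL that bounds how long a cached answer can keep being served. The hostnames, addresses and dig output below are constructed (documentation ranges), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: answer section as printed by `dig +noall +answer`.
SAMPLE_DIG = """\
sftp.example.net.  300  IN  CNAME  home.example.net.
home.example.net.  300  IN  A      203.0.113.10
home.example.net.  300  IN  AAAA   2001:db8::10
"""

def parse_answers(text):
    """Return [(name, ttl, rtype, value)] from dig answer-section lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip blanks and dig comments
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":  # not a resource record line
            continue
        records.append((fields[0], int(fields[1]), fields[3], fields[4]))
    return records

def check_dns_against_wan(dig_text, wan_ipv4):
    """Compare every A record in the answer with the current WAN IPv4.

    AAAA and CNAME lines are parsed but not compared: only the IPv4
    address that the port forwards sit behind is checked here.
    """
    wan = ipaddress.ip_address(wan_ipv4)
    a_records = [(ttl, ipaddress.ip_address(value))
                 for _, ttl, rtype, value in parse_answers(dig_text)
                 if rtype == "A"]
    if not a_records:
        return {"status": "no_a_record", "stale": [], "max_cache_seconds": 0}
    stale = [str(ip) for _, ip in a_records if ip != wan]
    return {
        "status": "stale" if stale else "ok",
        "stale": stale,
        # TTL in the answer: how long a resolver holding this record
        # may keep serving it after the record is updated.
        "max_cache_seconds": max(ttl for ttl, _ in a_records),
    }

if __name__ == "__main__":
    # Constructed case: the WAN address has changed to 198.51.100.7.
    print(check_dns_against_wan(SAMPLE_DIG, "198.51.100.7"))
```

A `stale` result means clients connecting by hostname are sending traffic to an address the router no longer holds, which looks the same from the LAN side as upstream filtering: nothing arrives on the WAN interface.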

@james_s60 I am no longer an EE customer, but the WAN IP was very sticky when the EE Smarthub+ was on and connected. I think the longest, in monitoring the router for another reason (not the WAN IP), was at least 60 days without it changing, and I do think with a straight on/off it did hold the WAN IP fairly well. I cannot say what a third-party device probing the DHCP for a new WAN IP would do, though!

No, I've had my current IP for 41 hours & counting. That's just a snapshot taken when I saw you mention it. It has gone much longer in the past, at least 7 days.


ISPs: 1999: Freeserve 48K Dial-Up > 2005: Wanadoo 1 Meg BB > 2007: Orange 2 Meg BB > 2008: Orange 8 Meg LLU > 2010: Orange 16 Meg LLU > 2011: Orange 20 Meg WBC > 2014: EE 20 Meg WBC > 2020: EE 40 Meg FTTC > 2022:EE 80 Meg FTTC SoGEA > 2025 EE 150 Meg FTTP