We used to use Clearwire for a backup internet connection. We cannot afford to be off-line and Clearwire looked like a cost-effective backup connection. While it was, the fact that Clearwire "managed" so many services forced us to stop using them. One major issue for us was that Clearwire was blocking traffic on specific ports that we need access to.

After speaking with their "tech-support" (who didn't know the difference between ICMP and TCP!) we determined they were not able to share with us the list of ports they blocked. Not to worry - we have a few machines in our data-center which are unrestricted, and we know how to use iptables to log traffic.

Clearwire's View on Blocked Ports

Our first step was to contact their "tech-support" (888-253-2794) to simply ask which services are blocked. Of course, when we called they had unexpectedly high call volumes, so we had to wait roughly XXX minutes. Tech support was quite clear that services are not blocked; they are managed. We also heard from tech-support that only port 80 is managed and they will not make any exceptions.

Determining Blocked Ports

Using one of our unrestricted servers in our Seattle data-center we scanned our machine. The scanning machine is a Super Micro octo-core running Gentoo with recent versions of the Linux kernel (2.6.27) and nmap (4.20). The machine being scanned was a Toshiba dual core laptop also running Gentoo 2.6.27. The laptop, which was directly connected to the Clearwire modem, had all network services stopped (output from netstat -anptu shows no listening ports). We used iptables (iptables -A INPUT -s [scanner ip] -j LOG) on the laptop to log the scanning.

From the scanning machine we ran a quick and dirty nmap scan and discovered 16 restricted ports. With nothing listening, every probe that reaches the laptop is answered with a reset and shows up as closed, so a port nmap reports as filtered is one where no such answer came back.

hydrogen ~ # nmap -P0 -T3 75.92.252.130

Starting Nmap 4.20 ( http://insecure.org ) at 2009-03-01 17:25 PST
Interesting ports on 75-92-252-130.sea.clearwire-dns.net (75.92.252.130):
Not shown: 1681 closed ports
PORT     STATE    SERVICE
1/tcp    filtered tcpmux
25/tcp   filtered smtp
55/tcp   filtered isi-gl
77/tcp   filtered priv-rje
80/tcp   filtered http
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
411/tcp  filtered rmt
412/tcp  filtered synoptics-trap
427/tcp  filtered svrloc
445/tcp  filtered microsoft-ds
548/tcp  filtered afpovertcp
631/tcp  filtered ipp
3689/tcp filtered rendezvous

Nmap finished: 1 IP address (1 host up) scanned in 8.864 seconds

In Depth Scan

Then we ran a slightly more thorough scan and received the following information from nmap.

Interesting ports on 75-92-252-130.sea.clearwire-dns.net (75.92.252.130):
Not shown: 65516 closed ports
PORT     STATE    SERVICE
1/tcp    filtered tcpmux
25/tcp   filtered smtp
55/tcp   filtered isi-gl
77/tcp   filtered priv-rje
80/tcp   filtered http
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
411/tcp  filtered rmt
412/tcp  filtered synoptics-trap
427/tcp  filtered svrloc
445/tcp  filtered microsoft-ds
548/tcp  filtered afpovertcp
631/tcp  filtered ipp
3689/tcp filtered rendezvous
5298/tcp filtered unknown
5353/tcp filtered unknown
8770/tcp filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 1585.618 seconds
               Raw packets sent: 66528 (2.927MB) | Rcvd: 66120 (3.042MB)

From the resulting logs on the laptop, which we parsed with a simple PHP script, we determined which ports iptables never saw traffic on. The script simply looks at what was passed through (and logged by iptables) and compares that to what was expected (all traffic).

Port 1 Skipped
Port 22 Skipped
Port 25 Skipped
Port 55 Skipped
Port 77 Skipped
Port 80 Skipped
Port 135 Skipped
Port 139 Skipped
Port 445 Skipped
Port 5070 Skipped
Port 5500 Skipped
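
The comparison that script performs, sketched in Python as an added example (this is not the original PHP script, which the page does not show): it parses iptables LOG lines, keeps TCP SYN packets from the scanner, and reports every expected port that never appears. The log lines, addresses and function names are constructed for illustration.

```python
import re

SCANNER = "203.0.113.10"   # constructed scanner address (RFC 5737 range)
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value pairs in a LOG line

def make_line(src, dpt):
    """Build one constructed kernel log line in the iptables LOG layout."""
    return ("Mar  1 17:25:03 laptop kernel: IN=eth0 OUT= SRC=%s DST=192.0.2.20 "
            "LEN=44 TTL=52 PROTO=TCP SPT=40112 DPT=%d WINDOW=1024 RES=0x00 "
            "SYN URGP=0" % (src, dpt))

# Constructed sample: probes to 20-30 arrive, except 22 and 25 (dropped upstream).
SAMPLE_LOG = "\n".join(
    [make_line(SCANNER, p) for p in range(20, 31) if p not in (22, 25)]
    + [make_line(SCANNER, 21),            # retransmitted probe, duplicate entry
       make_line("198.51.100.7", 25),     # unrelated host, must not count
       # UDP from the scanner, must not count as a TCP probe reaching port 22
       "Mar  1 17:25:04 laptop kernel: IN=eth0 OUT= SRC=%s DST=192.0.2.20 "
       "LEN=28 TTL=52 PROTO=UDP SPT=40112 DPT=22 LEN=8" % SCANNER,
       # truncated line, as happens when a log is cut mid-write
       "Mar  1 17:25:05 laptop kernel: IN=eth0 OUT= SRC=%s DST=192.0" % SCANNER])

def logged_tcp_ports(log_text, scanner_ip):
    """Ports for which a TCP SYN from scanner_ip reached the LOG rule."""
    seen = set()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("SRC") != scanner_ip or fields.get("PROTO") != "TCP":
            continue
        tokens = line.split()              # TCP flags are logged as bare words
        if "SYN" not in tokens or "ACK" in tokens:
            continue
        dpt = fields.get("DPT", "")
        if dpt.isdigit():
            seen.add(int(dpt))
    return seen

def skipped_ports(log_text, scanner_ip, expected_ports):
    """Expected ports with no logged probe, i.e. dropped before the laptop."""
    return sorted(set(expected_ports) - logged_tcp_ports(log_text, scanner_ip))

if __name__ == "__main__":
    for port in skipped_ports(SAMPLE_LOG, SCANNER, range(20, 31)):
        print("Port %d Skipped" % port)
```

Against a real kernel log, pass the scanner's address and the full scanned range (for example range(1, 65536)) as expected_ports.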

We ran similar tests over multiple days with our Clearwire modem in different locations - North Seattle, Ballard, West-Seattle and Redmond. In each case the results were the same.

Conclusion

Clearwire blocks more in-bound traffic than they tell you they do. Dishonest providers are undesirable.

Notes & Comments

Please email me with more info on how to find out if Clearwire is doing this to me.
I am a new customer and have had horrible service for just the first day my daughter has had nothing but trouble and she and I both have the same kind of Toshiba you write about. I was thinking a new better router I have a Belkin G now and was going to get a Belkin N..
any advice will be greatly appreciated..I could cancel but I am unsure if I can get a port for Verizon..or Charter it is real strange I am thinking they have blocked the ports and that was why Verizon told me there were no ports available../Sherry on 31 Jan 2010
I've been trying to find some documentation on effective port forwarding with Clearwire. As of yet, I've found no way of successfully hosting anything using Clearwire other than using Opera Unite. But this isn't a serious solution, just a workaround for small things. If you are aware of, or come across any solutions for using a LAMP stack with port forwarding while using Clear as an ISP, would you be willing to do a follow-up post?/illumin8 on 06 Apr 2010
Clearwire has throttled their internet to control in/outbound bandwidth (traffic on the internet from their customers). The ports you see above is a small list of which ports they block. The one that bothers me is Port 80-http. How the hell are you going to block a port used by most internet browsers? But city by city they are switching to 4G which will give the customers full access to whatever service you want to use. Gaming, downloading, streaming, etc, etc...

But I wouldn't believe a word they say. Considering it is still a wi-fi provider, their service will greatly reduce if they have a butt load of downloaders like myself after 4G kicks in. Personal opinion of course. Stick to land line internet, and stay away from wi-fi ISPs. Your Belkin-G router should work just fine, unless you're streaming video to a TV, then yes a N class router would be better. Personally I would ditch the Belkin G period, and get yourself a D-Link. Never had a problem with them. If you can't afford it, then gra/John on 15 Apr 2010
I live in the Boise ID area, and have noticed rather extreme throttling of my favorite IPs. I have had the site that I stream videos from throttled to the point of standstill, and have experienced sudden modem resets during high usage.

Have you done any research into Clearwire's "management" thresholds?/Mike on 30 Apr 2010
Thank you for the information. I have noticed that Clearwire in Jacksonville, Florida is blocking port 77 on me. I have had no problems with their service or other with ports being blocked, but with your list I will know which ports to avoid./Mike on 01 Jun 2010
I have Clearwire and have noticed that if I stream more than 4-5 movies in a 24 hour window my transfer rates drop to almost completely block levels. I have also had my modem reset randomly while playing online video games.
I was wondering if you had any data to support this, or if you have tested the "management" thresholds for Clearwire's services./mike on 30 Apr 2010
