Postgres being blocked by Verizon

I have a Postgres database being accessed by a Xojo Desktop app (2018 r3) that is working well in multiple locations.

A single client recently got a new modem and router from Verizon that appears to be blocking SSL communication to the server on port 5432. I go to the security log of the router and see my server’s ip address and port in the list of blocked sites. There is a setting in the router to decrease security settings and when I change that setting, things seems to work well.

Then the next morning, everything reverts back to the way it was. They ended up replacing the Verizon router with a different router (only using the Verizon modem) and things were working well again - but only for a short time. Now, when they log into the database, they either can’t log in or get kicked off.

Does anybody have experience with Verizon blocking SSL?

Didn’t we tell for years to not directly talk to database over network?
Maybe Verizon things that’s not a good idea and blocks it.

You may go with a VPN or SSH tunnel.
(MBS Xojo Network Plugin has SSH2TunnelMBS class)

It’s not a good idea to expose your database to the Internet. Having said that…

PostgreSQL can only listen on one port. But you can use port forwarding on the host OS to enable multi-port listening. So you could add a port for a common service that Verizon would not block but that is also not running on that server. 80, 443, etc. Your client app would have to be modified to use the port though.

Building a web API layer to talk to your database deals with this problem as well as provides numerous other benefits. I’d seriously consider this as a point of inflection to look at ways to address this. Perhaps as an immediate work around, using what Christian is pointing to with the tunnel/vpn approach as clearly it will take some time to evaluate if it’s worth the effort to build an API tier for the project. I’ve been on networks that block this traffic as well though. If this is an application that mobile users access, it’s not uncommon for networks to only allow http/https in hotel wifi settings.

After all that, it turned out to be a bad ethernet connector (of course).

However, you have already got me working on establishing an ssh connection to the database. I tried it out manually opening an SSH tunnel using a local port of 7777 and the remote port of 5432 and all worked fine. So then I created a new user on the server (Ubuntu) with nologin but I can’t figure out how to open an SSH tunnel for that user.

I was reading that you are more secure if you have a user where the only privilege is SSH to port 5432 (by setting up the user with nologin) - but I keep getting password errors when trying to open the ssh tunnel.

Is there a setting missing somewhere?