

You are probably correct that the firewall is the culprit. Good suggestion.
I realize disabling the firewall for testing is OK, but I recommend looking up what it takes to open the ports or app in the firewall instead. I’ve spent my whole career running into and fixing instances where techs disabled firewalls for “testing” and never re-enabled them.
Being Linux, if you were really motivated, you could probably write a shim service that converted CEC to basic input that it does support, or someone out there probably already has.