How to pass a firewall when uploading with PlatformIO espota (ArduinoOTA)

With ArduinoOTA's protocol, the device connects back to the host that is programming it, on a randomly chosen port. A stateful firewall on the host often drops these packets: no rule matches them and they do not belong to an existing connection.

You could add a firewall rule that passes all traffic from the ESP8266/ESP32 to the programming host, but that is extremely insecure: it gives a compromised IoT device unrestricted access to your devices.

To fix this, pin the host port in platformio.ini with

upload_flags = --host_port=55910

and add these firewall rules:

allow from <programming host> to <IoT device> port 55910 TCP
allow from <IoT device> to <programming host> port 55910 TCP

Complete platformio.ini example:

[env:d1_mini_ota]
extends = env:d1_mini
upload_protocol = espota
upload_port = 192.168.178.25
upload_flags = --host_port=55910
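An added consistency check, not part of the original page: it parses the platformio.ini above (following `extends`), reads the pinned `--host_port`, and verifies that a TCP rule from the device to the host exists for exactly that port, which is what a transposed digit in a rule would silently break. The base environment `env:d1_mini`, the host address 192.168.178.10 and the rule set are constructed for the example; the rule set deliberately transposes the device-to-host port so the check has something to report.

```python
import configparser
import re

# platformio.ini as on the page, plus an assumed base environment for `extends`.
PLATFORMIO_INI = """[env:d1_mini]
board = d1_mini
[env:d1_mini_ota]
extends = env:d1_mini
upload_protocol = espota
upload_port = 192.168.178.25
upload_flags = --host_port=55910
"""
# Constructed rule set in the page's notation; the device-to-host port is
# deliberately transposed (55190) so the check has something to catch.
FIREWALL_RULES = """allow from 192.168.178.10 to 192.168.178.25 port 55910 TCP
allow from 192.168.178.25 to 192.168.178.10 port 55190 TCP
"""
HOST_PORT_RE = re.compile(r"--host_port(?:=|\s+)(\d+)")
RULE_RE = re.compile(r"allow from (\S+) to (\S+) port (\d+) (TCP|UDP)", re.I)

def env_option(cfg, section, key):
    """Look up an option, following PlatformIO's `extends` chain."""
    while section in cfg:
        if key in cfg[section]:
            return cfg[section][key].strip()
        section = cfg[section].get("extends", "")
    return None

def espota_host_port(ini_text, env):
    """Pinned --host_port for `env`, or None when espota would listen on a random port."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if env_option(cfg, env, "upload_protocol") != "espota":
        return None
    match = HOST_PORT_RE.search(env_option(cfg, env, "upload_flags") or "")
    return int(match.group(1)) if match else None

def check_firewall(ini_text, env, rules_text):
    """Return problems: no pinned port, or no TCP rule from the device to that port."""
    port = espota_host_port(ini_text, env)
    if port is None:
        return ["no --host_port in upload_flags: espota will listen on a random port"]
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    device = env_option(cfg, env, "upload_port")
    rules = [m.groups() for m in RULE_RE.finditer(rules_text)]
    if any(src == device and int(p) == port and proto.upper() == "TCP"
           for src, _dst, p, proto in rules):
        return []
    return [f"no TCP rule from {device} to the host on port {port}"]
```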