There is no need to open a port in the firewall.
The only thing which has to be done is to allow outgoing connections.
If your router is a simple SOHO device with NAT, just make sure that any firewall in the router is turned off.
Check whether the device shows either GPRS or EDGE in capital letters. If it does not, talk to your mobile service provider and tell him to provision the device for BlackBerry Enterprise Service.
Even if EDGE or GPRS is on, your provider might block traffic to BlackBerry. To check this:
In the Options menu of the device, under Advanced Options, look into the HRT table. Open the entry printed in bold. If it does not show an APN like blackberry.net, your mobile operator has to fix this as well.
If all the above is OK but activation is still not possible, reboot the machine where the BES runs. Then manually create a simple activation password for the user and try activation again.