Please help me out with SSL VPN Remote Access through Carrier-grade NAT (CGNAT)!?

Hello everyone,

My router runs on 2 WANs. WAN #1 has a static IP address, WAN #2 has a dynamic one. Today, I have just unplugged WAN #1 for testing SSL VPN connectivity solely via WAN #2 only and it did not work. Here are my DDNS settings & FreeDNS personal page.

What have I got wrong? I look forward to your help. Thank you in advance.



This thread was automatically locked due to age.
  • 103.129.?.? is your current external IP at the dynamic WAN interface?

    Do you have multiple WAN connected to the firewall or to the router before the firewall?

    Do you use the FQDN within your VPN-Configuration? (check ovpn-file)

    FreeDNS is responsible for the DNS-Settings of Domain chickenkiller.com?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Why are you asking me so many questions? I’m stuck right here and have already been very confused.

    I’m no CCNA/CCIE technician, so if you can help me out with any advice, it will be highly appreciated.

    Thanks in advance buddy.

  • Regarding your questions:

    1. 103.129 something. I don't know.
    2. My Sophos XG is operating in mixed mode, both as a router and a gateway.
    3. I don't have an FQDN. My device's common name is its Sophos serial number.
    4. Chickenkiller is one of the sub-domains listed on FreeDNS. I don't know who is in charge of whom.

    The Sophos XG system, albeit a very functional and professional one, is very challenging for non-IT-technical people like me. It brings me down to a very steep learning curve. Every time I put a question up here, I have already been bogged down and been doing my best to get up and working on it again. Please don't bombard me with too many questions like this.

    I look forward to your advice on my situation. Thanks in advance.

  • Sorry, I am only trying to understand your problem ...

    It seems 103.129.x.x is not your IP .... so your question may be "why doesn't my dyndns-name reflect my IP" ...

    There must be an ISP router before your firewall, because 192.168.5.193 is not a public internet-IP.

    Possibly the internet-side of this router has the 103.129.x.x address?

    What do you see if you disconnect the fixed-IP-connection and open wieistmeineip.de?


    Dirk


  • Hello buddy, thanks for your reply.

    I have checked on both the Sophos XG and the FreeDNS page and can confirm that the ddns WAN IP is the same. However:

    "192.168.5.193 is not a public internet-IP."

    This is the problem, my WAN #2 connects to a mobile SIM router, which is mostly certain to run through a Carrier-grade NAT (CGNAT), which makes VPN remote access all but impossible without configuration (https://superuser.com/questions/1714495/unable-to-setup-port-forwarding-through-dynamic-dns-ddns). I have managed to search through the Internet and come up with 2 possible solutions:

    _Solution #1: https://www.purevpn.com/blog/cgnat-port-forwarding/ 
    _Solution #2: https://community.ui.com/questions/Site-to-Site-VPN-with-one-side-behind-carrier-grade-NAT/8db4b74f-e92d-465a-b6a8-3c3b68dea737#answer/73473dce-ad7c-4a56-b450-49694db5da38 

    Which one is more plausible and can be implemented on the Sophos XG system?

    Thanks again buddy.
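
The diagnosis the thread arrives at (a private address on the firewall's WAN port, then a check of what the Internet actually sees) can be written down as a small check. This is an added example, not part of any post in the thread; `classify` and `diagnose` are hypothetical names, and every address except 192.168.5.193 is constructed (documentation ranges stand in for real public addresses).

```python
import ipaddress

# Ranges that are never reachable from the Internet without a NAT mapping.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier space


def classify(addr):
    """Return 'private', 'cgnat-shared' or 'public' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGNAT_SHARED:
        return "cgnat-shared"
    return "public"


def diagnose(firewall_wan, seen_from_internet, upstream_wan=None):
    """Decide whether an inbound VPN connection can reach the firewall.

    firewall_wan       -- address on the firewall's own WAN port
    seen_from_internet -- address an external "what is my IP" page reports
    upstream_wan       -- Internet-side address of the ISP/SIM router, if known
    Returns (reachable, findings); reachable is None when more data is needed.
    """
    findings = []
    edge = firewall_wan
    kind = classify(firewall_wan)
    if kind == "cgnat-shared":
        findings.append("firewall WAN is in 100.64.0.0/10: carrier NAT")
        return False, findings
    if kind == "private":
        findings.append("firewall WAN is private: upstream router must "
                        "forward the VPN port to " + firewall_wan)
        if upstream_wan is None:
            findings.append("read the upstream router's WAN address next")
            return None, findings
        edge = upstream_wan
    if classify(edge) == "public" and edge == seen_from_internet:
        return True, findings
    findings.append("edge address %s is not the address the Internet sees "
                    "(%s): carrier NAT, no inbound mapping" % (edge, seen_from_internet))
    return False, findings


if __name__ == "__main__":
    # Constructed scenario: SIM router hands the firewall 192.168.5.193.
    print(diagnose("192.168.5.193", "203.0.113.10"))
    print(diagnose("192.168.5.193", "203.0.113.10", "100.72.14.9"))
```

A `False` result means no port forward on equipment you control can make the SSL VPN listener reachable on that WAN; the connection has to be initiated outbound from the site instead.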