

I can't Access Web Admin via WAN

Hello ,

I have a Sophos UTM 9.716-2. I can't connect via the hostname from noip.com on port 4444. I can't connect via SSL VPN either. My ISP uses CG-NAT. I think CG-NAT is the problem.

I successfully set up a VPS with WireGuard to avoid CG-NAT. Now I have a new IP from the VPS. If I run traceroute to the public IP on GNU/Linux, it shows that I am not behind CG-NAT.

In WebAdmin Settings -> General -> Allowed Networks I have Any, Internal (Network), VPN Pool (SSL), but the problem is not solved.

How can I access WebAdmin via WAN?



This thread was automatically locked due to age.
  • Your selected option is the one I would use too.

    But tcpdump -nei any host xxx.yyy.zz.zz

    or

    tcpdump -nei any | grep xxx.yyy.zz.zz  is also an option


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thank you for replying!

    Dirk, nothing shows up from my cell phone's LTE connection.

    The packets can't reach hostname:4444. Did you see my topology above? I attached a picture. The router behind the Sophos UTM forwards all packets with iptables. Nothing blocks the Sophos UTM. (I think?)

    The only things that work are:

    1. Only https://dynDNS.hostname (without :4444), and only from the LAN, shows the User Portal.

    2. SSL VPN on UDP port 443, only from the LAN.

    Something blocks packets from reaching https://dynDNS.hostname:4444 from the WAN.

    Dirk, do you have any idea?

    A request to anyone here: I have had this problem with CG-NAT for over a year. PLEASE, if someone has bypassed CG-NAT, I would like them to post it here to help me.

    Thank you!

  • Get a port scanner app on your phone. 

    Disable intrusion detection entirely (or at least the port scanning protection).

    Create a firewall rule at the top to block everything from the internet (IPv4/6), service any, destination WAN IP. Something like this:

    Open the UTM live log, then run it against your UTM public IP. You should be seeing a bunch of hits. Maybe not on all scanned ports, but some/most. If you're not, try scanning specific ports such as 80, 443, 8000, 8080, 8443. These are commonly used for web traffic. If you see this traffic then it could very well be that your CG-NAT LTE provider is blocking certain ports. Surprisingly, AT&T (the CG-NAT provider I use) has all ports open, even outbound 25 (SMTP).

    Edit: The same could of course be done with tcpdump, but perhaps the UTM interface will be easier for you to use/understand.

  • Your example was illuminating. Jay, the port scanner shows the truth. The only port that was open is port 22 for SSH. I have to say that I normally use P2P programs, a torrent client and websites on ports 443 and 80. I don't understand why the port scanner shows only port 22.

    Anyway, as you see above in my network topology, I have a router (NanoStation) that gets internet via Wi-Fi and then sends all traffic via Ethernet to a Raspberry Pi that runs WireGuard as a client, which sends it to a VPS running the WireGuard server there, then back to the Raspberry Pi with the IP from the VPS, which then sends all traffic via Ethernet to the UTM. All traffic is forwarded with iptables. I cannot explain what the problem is.

    I forgot to say that Live Log: Firewall shows nothing from outside the WAN when the port scanner is running via my cell phone's LTE connection.

    What is next step?

    Thank you, Jay.

  • You've got too many layers involved. You need to test each layer to see if traffic is getting passed. Based on your pic, the UTM appears to be the far endpoint.

    Confirm your VPS is even passing such traffic. Where is the VPS? I have an AWS EC2 instance. I can adjust what ports are allowed in. I would start there.
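The layer-by-layer check Jay describes, and the tcpdump variant of his earlier live-log test, can be made mechanical: run the same SYN capture on every hop (VPS public interface, the Pi's tunnel side, the UTM WAN) while the phone scans, then compare the ports that arrived at each hop against the ports that were probed. The script below is an added example written for this thread; it is not from the original posts, from Sophos or from any of the participants. The captures, the documentation-range addresses, the tunnel address the UTM is assumed to see, and the list of probed ports are all constructed assumptions. The parser keys off the `>` token in tcpdump's one-line output, so it works with or without the interface/direction columns newer tcpdump versions print for `-i any`; it handles IPv4 only.

```shell
#!/bin/sh
# Added example: find the hop where inbound probes disappear.
# On each hop, while a scan runs from outside, capture inbound SYNs with e.g.
#   tcpdump -n -i any 'tcp[tcpflags] & tcp-syn != 0 and dst host <hop-ip>'
# and feed the text to seen_ports / missing_ports below.
set -eu

# Assumption: the phone's scan covered exactly these ports.
PROBED_PORTS="22 80 443 4444"

# Constructed sample capture, hop 1: VPS public interface. All four SYNs arrive.
VPS_IP=198.51.100.9
VPS_CAPTURE='12:00:01.000001 eth0  In  IP 203.0.113.7.51000 > 198.51.100.9.22: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 eth0  In  IP 203.0.113.7.51001 > 198.51.100.9.80: Flags [S], seq 2, win 65535, length 0
12:00:01.000003 eth0  In  IP 203.0.113.7.51002 > 198.51.100.9.443: Flags [S], seq 3, win 65535, length 0
12:00:01.000004 eth0  In  IP 203.0.113.7.51003 > 198.51.100.9.4444: Flags [S], seq 4, win 65535, length 0'

# Constructed sample capture, hop 2: UTM WAN interface (assumed tunnel address
# 10.200.0.2). Only two SYNs were forwarded; the SYN-ACK the UTM sends back is
# deliberately present to show it is not counted as an inbound probe.
UTM_IP=10.200.0.2
UTM_CAPTURE='12:00:01.000101 eth1  In  IP 203.0.113.7.51000 > 10.200.0.2.22: Flags [S], seq 1, win 65535, length 0
12:00:01.000102 eth1  Out IP 10.200.0.2.22 > 203.0.113.7.51000: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:01.000103 eth1  In  IP 203.0.113.7.51002 > 10.200.0.2.443: Flags [S], seq 3, win 65535, length 0'

# seen_ports HOP_IP CAPTURE
# Prints the destination ports of inbound SYNs addressed to HOP_IP, sorted,
# space separated. Only lines with a pure SYN ("Flags [S]") count.
seen_ports() {
  printf '%s\n' "$2" | awk -v ip="$1" '
    / Flags \[S\]/ {
      for (i = 1; i < NF; i++)
        if ($i == ">" && index($(i+1), ip ".") == 1) {
          n = split($(i+1), a, ".")   # last component is "port:"
          sub(/:$/, "", a[n])
          print a[n]
        }
    }' | sort -n | uniq | paste -s -d ' ' -
}

# missing_ports HOP_IP CAPTURE PROBED
# Prints the probed ports for which no SYN reached this hop.
missing_ports() {
  seen=" $(seen_ports "$1" "$2") "
  out=
  for p in $3; do
    case "$seen" in
      *" $p "*) ;;
      *) out="$out $p" ;;
    esac
  done
  printf '%s\n' "${out# }"
}

# Walk the hops in path order; the first hop with missing ports sits just
# downstream of the layer that drops them.
main() {
  for hop in VPS UTM; do
    case $hop in
      VPS) ip=$VPS_IP; cap=$VPS_CAPTURE ;;
      UTM) ip=$UTM_IP; cap=$UTM_CAPTURE ;;
    esac
    missing=$(missing_ports "$ip" "$cap" "$PROBED_PORTS")
    if [ -n "$missing" ]; then
      echo "$hop ($ip): no SYN arrived for ports $missing; the drop is between the previous hop and this one"
    else
      echo "$hop ($ip): all probed ports arrived"
    fi
  done
}
main
```

With the constructed captures the VPS reports every port and the UTM reports 80 and 4444 missing, which would point at the VPS-to-Pi forwarding (DNAT/FORWARD rules) rather than at the UTM's own firewall or at the LTE provider. On a real path, capture on the Pi's WireGuard interface as a third hop to split that segment further.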

  • What do you mean by layer? Do you mean the devices behind the UTM, like the NanoStation and the Raspberry Pi? If yes, how can I test ports for those devices?

  • Jay, are you tired of explaining to me? I used nmap to test ports on the Raspberry Pi. I used iptables to forward all traffic to the VPS. Then from the Raspberry Pi's second Ethernet port the internet goes to the UTM. I have normal internet from the public IP of the VPS.

    I think only the hostname can't reach the Sophos UTM.

    Do you have any idea how to check my Raspberry Pi and Ubiquiti again? On the Ubiquiti I tested with ping. All results are OK.

    If you have any idea, please post it here!!!

    Thank you, Jay.