
I can't Access Web Admin via WAN

Hello,

I have a Sophos UTM 9.716-2. I can't connect via the hostname from noip.com on port 4444. I can't connect via SSL VPN either. My ISP uses CG-NAT. I think CG-NAT is the problem.

I successfully set up a VPS with WireGuard to avoid CG-NAT. Now I have a new IP from the VPS. If I run traceroute on GNU/Linux, the public IP shows that I am not behind CG-NAT.

In WebAdmin Settings -> General -> Allowed Networks I have Any, Internal (Network), VPN Pool (SSL), but the problem is not solved.

How can I access WebAdmin via WAN?



  • I try to connect to WebAdmin from my cell phone's LTE connection at https://dynDNS.hostname:4444, then in the shell I run `tcpdump -nei any port 4444`, but I don't see my cell phone's IP.

    I think the request doesn't reach my Sophos UTM.

    Is there another tcpdump command to capture the cell phone's LTE IP?

  • Get a port scanner app on your phone. 

    Disable intrusion detection entirely (or at least the port scanning protection).

    Create a firewall rule at the top to block everything from the internet (IPv4/6), service any, destination WAN IP. Something like this:

    Open the UTM live log, then run the scanner against your UTM public IP. You should see a bunch of hits. Maybe not on all scanned ports, but some/most. If you're not, try scanning specific ports such as 80, 443, 8000, 8080, 8443. These are commonly used for web traffic. If you see this traffic, then it could very well be that your CG-NAT LTE provider is blocking certain ports. Surprisingly, AT&T (the CG-NAT provider I use) has all ports open, even outbound 25 (SMTP).

    Edit: The same could of course be done with tcpdump, but perhaps the UTM interface will be easier for you to use/understand.

  • Your example was illuminating. Jay, the port scanner shows the truth. The only port that was open is port 22 for SSH. I have to say that I normally use P2P programs, a torrent client and websites on ports 443 and 80. I don't understand why the port scanner shows only port 22.

    Anyway, as you can see above in my network topology, I have a router (NanoStation) that gets internet via Wi-Fi and then sends all traffic via Ethernet to a Raspberry that runs WireGuard as a client. That sends to the VPS, which runs the WireGuard server there, then back to the Raspberry with the IP from the VPS, which then sends all traffic via Ethernet to the UTM. All traffic is forwarded with iptables. I cannot explain what the problem is.

    I forgot to say that Live Log: Firewall does not show anything from outside the WAN when the port scanner is running via the cell phone's LTE connection.

    What is next step?

    Thank you Jay...

  • You've got too many layers involved. You need to test each layer to see if traffic is getting passed. Based on your pic, the UTM appears to be a far endpoint.

    Confirm your VPS is even passing such traffic. Where is the VPS? I have an AWS EC2 instance; I can adjust what ports are allowed in. I would start there.
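Jay's "test each layer" approach, as an added example that is not part of this thread: capture `port 4444` with tcpdump on every hop of the path described above (VPS, Raspberry, UTM), then feed the lines to a small script that reports the last hop where the phone's SYN was seen and the first hop where it went missing. The capture lines, hop names and addresses below are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed `tcpdump -n` lines, one capture per hop along the path in the thread
# (phone on LTE -> VPS running WireGuard -> Raspberry forwarding with iptables
# -> UTM WebAdmin on TCP 4444). Addresses come from documentation ranges.
TEST_CLIENT = "203.0.113.45"   # the phone's LTE address (constructed)
WEBADMIN_PORT = 4444
CAPTURES: Dict[str, List[str]] = {
    "vps": ["10:00:00.000100 IP 203.0.113.45.51000 > 198.51.100.10.4444: Flags [S], seq 1, win 64240, length 0"],
    "raspberry": ["10:00:00.000900 IP 203.0.113.45.51000 > 10.8.0.2.4444: Flags [S], seq 1, win 64240, length 0"],
    "utm": [],   # the UTM never sees the SYN, matching the empty tcpdump reported in the thread
}

PKT_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line: str) -> Optional[dict]:
    """Extract addresses, ports and TCP flags from one tcpdump line (None if not TCP)."""
    m = PKT_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt

def saw_syn(lines: List[str], client: str, port: int) -> bool:
    """Did this hop capture the client's initial SYN toward the WebAdmin port?"""
    return any(p and p["src"] == client and p["dport"] == port and p["flags"] == "S"
               for p in map(parse_line, lines))

def saw_syn_ack(lines: List[str], client: str, port: int) -> bool:
    """Did this hop capture a SYN-ACK from the WebAdmin port back to the client?"""
    return any(p and p["dst"] == client and p["sport"] == port and p["flags"] == "S."
               for p in map(parse_line, lines))

def locate_break(captures: Dict[str, List[str]], client: str, port: int) -> Tuple[str, Optional[str], Optional[str]]:
    """Walk hops in path order; return (status, last hop that saw the SYN, first hop that did not)."""
    if not captures:
        raise ValueError("no hops to check")
    last_seen = None
    for hop, lines in captures.items():
        if not saw_syn(lines, client, port):
            return ("not_seen" if last_seen is None else "lost", last_seen, hop)
        last_seen = hop
    if not saw_syn_ack(captures[last_seen], client, port):
        return ("no_reply", last_seen, None)   # SYN arrived, but nothing listened or answered
    return ("ok", last_seen, None)

if __name__ == "__main__":
    print(locate_break(CAPTURES, TEST_CLIENT, WEBADMIN_PORT))  # ('lost', 'raspberry', 'utm')
```

A "lost" result points at the forwarding rules between the two named hops; a "no_reply" result means the SYN reached the last hop, so the listener or its allowed-networks setting is the next thing to check.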

  • What do you mean by layer? Do you mean the devices behind the UTM, like the NanoStation and Raspberry? If yes, how can I test the ports on those devices?

  • Jay, are you tired of explaining to me? I used nmap to test the ports on the Raspberry. I used iptables to forward all traffic to the VPS. Then from the Raspberry, via the second Ethernet port, the internet goes to the UTM. I have normal internet from the public IP of the VPS.

    I think only the hostname can't reach the Sophos UTM.

    Do you have any idea how to check my Raspberry and Ubiquiti again? On the Ubiquiti I tested with ping; all results are OK.

    If you have any idea, please post it here!

    Thank you Jay