
I can't Access Web Admin via WAN

Hello ,

I have a Sophos UTM 9.716-2. I can't connect via the hostname from noip.com on port 4444. I can't connect via SSL VPN either. My ISP has CG-NAT. I think CG-NAT is the problem.

I successfully set up a VPS with WireGuard to avoid CG-NAT. Now I have a new IP from the VPS. If I run traceroute to the public IP on GNU/Linux, it shows that I am not behind CG-NAT.

In WebAdmin settings -> General -> Allowed Networks I have Any, Internal (Network), VPN Pool (SSL), but the problem is not solved.

How can I access WebAdmin via WAN?

  • Do you understand this topology? I am not very good at drawing... I am sorry!

  • That's perfect, it's much easier for me to understand your network.

    But I have to say that this configuration seems really complex to me.

    Maybe it's possible to access some logs, beginning at the VPS, to check where the traffic gets routed and where it is blocked on the way to the Sophos UTM. Also check that the VPS is not blocking some ports. Sometimes this is done to protect customers who are not familiar with public IPs.

    I think the chance that we can solve this problem in this forum is rather small. It would be best to ask a friend with some network knowledge or an IT company to help you. They can access your devices and logs and try to solve it together with you.

    regards, Michael

  • My configuration is like yours: the VPN tunnel is behind the Sophos UTM. Please send me your topology. I am able to change my topology. What do you suggest?

    The VPS does not block ports.

    Michael, I cannot find someone with knowledge. Most people do not know what CG-NAT is. This is the reason I asked here.

    Can you share your setup for the Cloudflare tunnel and the UTM NAT rules?

    Would you like to connect to my system to see my setup?

  • Hi Patrick,
    I think most network admins know CG-NAT. (For the others: search for "Carrier-grade NAT", or in short: a lot of devices/customers are connected to the ISP using private IPs and the ISP NATs them behind only a few public IPs.)

    If you check your own IP while "surfing", do you see your own public IP configured at the Firewall?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Dirkkotte, yes, I have a public IP from the VPS host, but I cannot access WebAdmin via WAN at https://hostname:4444

    Why?

    Where I live it is difficult to find someone who knows CG-NAT and how to set it up in Sophos.

    Finally, I have already successfully set up the bypass for CG-NAT, but as I said I cannot access WebAdmin via WAN.

    Please help me. Michael X already did it, but I am still waiting for his setup.

  • To be sure you really use the VPN public IP construct, check your used IP (myip.dk).
    Next, tracert to your public IP and compare the path to see whether the VPN is really used (you may send private details using PM).

    Are you able to ping your public IP from internet?

    Check the live log for incoming WebAdmin connections ...

    PS: from which IP do you allow WebAdmin access?


    Dirk


  • 1. I checked at myip.dk. It is from the VPS that I created.

    2. I ran tracert to the public IP shown by myip.dk (I sent it in a PM).

    3. Yes, I am able to ping my public IP.

    4. I use https://hostname:4444 (hostname from DDNS - noip).

    I have enabled ICMP to show the pings.

    Please look at the logs... when I try to connect to dynddns_hostname:4444

  • Where is 192.168.10.4 located? Can't be a public (WAN) IP.

    And if you try to access a Firewall-IP:4444 you should not see "default DROP"


    Dirk


  • 192.168.10.4 is my laptop, from which I try to connect to WebAdmin via WAN at https://your.DynDNS.hostname:4444 .

    Dirk, if I try from Firefox to connect to https://your.DynDNS.hostname without port 4444, I am able to connect to the User Portal, but I am not able with 4444 at the end.

    I am able to connect to the User Portal and then log in with my user name.

    What is going wrong?

  • The pic above suggests you're trying to connect to your public IP while behind the LAN (UTM LAN?).

    You _can't_ connect to your public IP from the LAN side of the UTM without doing additional steps (i.e. hairpin NAT).

    You should be testing using a completely separate connection, i.e. connect your PC to your phone's hotspot, then try connecting to https://your.dyndns.hostname:4444 .
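The checklist Dirk gave (verify the public IP, ping it, watch for WebAdmin connections) and the hairpin point in the last reply, as an added shell example that is not part of the thread: it first decides whether a test is even meaningful (a private source address hitting the public DDNS address means the request would need hairpin NAT on the UTM, so a "default DROP" in the live log is expected), then runs the reachability checks from the outside. The hostname, port and the 203.0.113.x / 198.51.100.x addresses are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: a DDNS hostname pointing at the VPS
# public IP, WebAdmin on TCP 4444, a Linux host with getent, ping and curl.

# is_private_ip ADDR: succeeds if ADDR is RFC 1918 or CG-NAT (100.64.0.0/10) space.
is_private_ip() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;;
    *) return 1 ;;
  esac
}

# hairpin_test_verdict SOURCE_IP DDNS_IP: prints "hairpin" when the test is being run
# from inside the LAN against the public address (needs hairpin NAT, result is not
# a WebAdmin problem), otherwise "external".
hairpin_test_verdict() {
  if is_private_ip "$1" && ! is_private_ip "$2"; then
    echo "hairpin"
  else
    echo "external"
  fi
}

# check_webadmin HOST [PORT]: resolve the DDNS name, warn if it points at a private
# address, ping it, then attempt the TLS handshake to WebAdmin. -k is used because
# the UTM WebAdmin certificate is normally self-signed; this is a reachability test only.
check_webadmin() {
  host=$1; port=${2:-4444}
  ip=$(getent hosts "$host" | awk '{print $1; exit}')
  [ -n "$ip" ] || { echo "DNS: $host does not resolve"; return 1; }
  echo "$host -> $ip"
  is_private_ip "$ip" && echo "warning: DDNS name resolves to a private address"
  if ping -c 1 -W 2 "$ip" >/dev/null 2>&1; then echo "ICMP: reply"; else echo "ICMP: no reply"; fi
  if curl -sk --connect-timeout 5 -o /dev/null "https://$host:$port/"; then
    echo "TCP/TLS $port: WebAdmin answered"
  else
    echo "TCP/TLS $port: no answer (check Allowed Networks and the live log)"; return 1
  fi
}

# Usage (placeholders): hairpin_test_verdict 192.168.10.4 203.0.113.10
#                       check_webadmin your.dyndns.hostname 4444
```

Run `check_webadmin` from a connection that is not behind the UTM (for example a phone hotspot), since from the LAN side the verdict function will already report "hairpin".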