Set up VPN Server to listen on Public Static IP rather than the dynamic PPOE IP
A next question I would like you to guide me is on the following scenario:
- We are provided a PPOE connection with dynamic IP (IP A/24) address on Interface X4 and a block of /29 IP (IP B) addresses by ISP (different range from the IP A);
- We set up VPN (L2TP-IKEV2) successfully for the NSA but it only listens on IP A, VPN connection to IP A from outside was successfully made.
- We want the VPN to listen on IP B by doing the following:
+ Create a virtual Interface on X4 with an IP (X9:V19 IP C) under the IP B range and successessfuly reach from out side with ping
+ Create rule for allowing internal connection to X4:V19
+ Create a NAT to forward all connections from X4:V19 to PPOE Interface (X4 IP IP A above)
But all failed to get VPN connected to the X4:V19.
Please help us with thanks.
Dang Dinh Ngoc - Vietnam
Hello Dang Dinh Ngoc:
If you are using the VPN or SSLVPN feature built into the firewall, you cannot use an alternate address for this. We terminate on the firewall's own interface IP address for these functions. I am searching previously submitted enhancement requests for this behavior, or allowing termination on other public IPs associated with an interface, such as your PPPoE WAN. I will update you with news on this if I find any.2
@paulsteigel Hello ! could you provide a sketch or drawing with this question? I don´t really understand.
But if you like to have an vpn tunnel on an dynamic IP Port. Could it be possible to start vpn connection from this side? Than the dynanic IP does not matter.
Please see the drawing herewith:
In Linux, I can do port forwarding but with SonicWall, I thought NAT can do but it is not.
@paulsteigel sorry I do not understand the mix of PPPoE and Public IPs. Are we talking about two different lines?
If yes ? Why not connect the public ip range to an unused interface. Then it should be possible to adress the public ip directly from WAN and bind a VPN to it.
Thank THK for being patient to get through my case.
sorry I do not understand the mix of PPPoE and Public IPs. Are we talking about two different lines?
There is a type of service that ISP provides a block of static public IP for customer via their FTTH connection (PPOE with dynamic IP). In our case they provided 8 IPs (/29) over the PPOE connection (use X4 port on SonicWall).
So simply, those 8 IP can only be accessed if PPOE is connected and you can not bind such IP to other port. That is a problem if we want to install VPN as VPN will alway be attached to the PPOE interface and its dynamic IP. What we want is to have VPN on Sonic Wall to use 1 of the provided public IP.
I tried to created a virtual interface over the X4 line and it can be pingable from outside but have no idea to make that interface attached to the built in VPN service on Sonicwall.
In Linux, this can be done quite easy with port-forwarding on Firewalld or Iptables.
I've been through this one before... Sonicwall doing PPPoE, obtains a dynamic address from the likes of BT, who then route your static addresses to the sonicwall, meaning you have to create a policy to say that LAN to WAN has to go out using one of the Static addresses, otherwise, it will always report the dynamic address that's assigned to the interface. It's a bit of a nightmare.
The only way I could get that to work in the past, was to install a basic router in front of the Sonicwall to handle the PPPoE connection and passing of all traffic to the Sonicwall... then set its interface as one of the Statics.
I think what's happening is the VPN request comes in to your static, but is responded to on the Dynamic. Nothing I could do at the time would fix it other than using a seperate router to handle the connection itself. Support couldn't do anything either... this was a year or two back, so things might have changed since then. I would say it could be done, but would need a good level of packet capturing to see exactly what way things were working.
Your other alternative, is to use one of the Dynamic DNS systems... and set up your firewall to communicate to it... then have your users hit the FQDN rather than your IP, as its IP address would be updated any time your dynamic address changed.
That was what I did (as your have explained before). The reason that I want to ask here is seeing some responses from SonicWall so that we can learn a bit more, but finally, only those who in community like you and other shared hands.
In fact, before making this topic, what I have done was:
Option 1: Make a server inside to host VPN with SonicWall Nat (on some port open): So VPN is working via 1 of the public IP. Since SonicWall is a dedicated hardware so I like it to run VPN rather wasting a slot behind the firewall to run just a VPN. I came up the 2nd option:
Option 2: Run DynDNS on SonicWall and have VPN connected through that dyndns address. However, DynDns on SonicWall is a paid services (both Dyndns and NoIP), so I came by the 3rd Option:
Option 3: Request ISP to make the PPOE IP to be fixed at one IP>> they finally accepted as we are a Local Government Office. And Now we are happy with this Option.
We do not want to have a real router to handle PPOE connection as: We might have to seek budget for purchasing a Cisco or so, this process would take age to go through;
But, in my logical thinking, I still believe, there is still a way to do this on the SonicWall (in Linux, we have port forwarding function, why with this professional hardware, it is so hard to do so). so I will still keep trying to learn a bit more on routing and policy. And this would be a nice exercise for us all to try then.
Thanks for sharing with me then!
To give a bit thought, I also share the things as you but in following sequenes:
Hi Paul, You could try setting the VLAN in the DMZ zone and Use Routed Mode in the Advanced tab/Expert Mode Settings on the Interface (route via X1 Interface), I don't think it will work, but it isn't using NAT then, then set up the Rules for WAN-DMZ like the WAN-WAN ones for the IKE also add the NAT policies for IKE like the ones for X1 but for the DMZ IP, then on the Site to Site VPN policy in advanced set the VPN Policy bound to: X4:V19 IP
I will keep trying some logic and share the result progressively.
All the best
Thank JOHN_LASERSOHN for your clarification. This is why I kept trying to figure out as I saw package connection dropped by the Firewall why trying to connect via the alternative public ip. It said that the packet was drop due to no policy defined
I am trying to define one but it also failed!
So, Let's hope for it!