ISP changes
Hi all:
T10-W
12.5.B599856
My ISP, thankfully, came and installed Fiber. However, now there is a router in front of my firebox.
Prior, they had a Cable Modem there which issued IP to T10 External eth0. (DHCP)
No name on device new Fiber router, but looks like ones made by Calix, GigaCenter.
Outside IP on External on Router > Router IP: 192.168.1.1 > (DHCP) on T10 External and gets 192.168..50 from new router.
It would seem this is now drop-in and no longer Mixed?
All works except SSLVPN as I cannot seems to expose the outside IP of Router to the Firebox.
Any help appreciated and or Thoughts?
Cheers
0
Sign In to comment.
Comments
Since you are now getting a private IP addr on external instead of a public IP addr, you need to contact your ISP to see how you can get a public IP addr on external or how you can get all incoming ports forwarded to your firewall external interface.
I Have Frontier FiOS fiber and had the tech set it up on the ONT's Ethernet jack for using a standard CAT5E network patch cable vs. a coax connection. Once the tech was done, I disconnected their router and plugged the cable from the ONT directly into my WatchGuard's WAN interface and it gets the public IP via DHCP.
If you cannot do that, then look on the router for its login credentials, then log into it and find its firewall settings. Look for a DMZ setting. Add the WAN IP of your T10 to the DMZ and that will allow all traffic into your router.
On your T10, set up dynamic DNS and check the box to "Allow the dynamic DNS provider to determine the IP address" and it will pick up the ISP router's WAN IP to set in dynamic DNS provider so your VPN will work.
Gregg Hill
Managed to contact ISP, Fiber now in Bridge Mode. eth0 has external.
SSLVPN...no go.
eth0 is DHCP, but this has worked in the past even tho not supported and SSLVPN complains on "save", but it does and has been working.
keeps getting "cannot download config".
When I say NO however, it does make the connection, but pulling OLD information.
wrong external IP ( not even sure how or what it is connected to, not me.)
But it says it's connected to my old IP address from 6 months ago.
How can this even connect??
So,everything else is wrong and does not register as being Authenticated in WG Sys Mgr.
Uninstalled, reinstalled SSLVPN client , no change.
More thoughts and prayers?
Tks
Howard
ps: now that the fiber router is in bridge mode, there is zero support from ISP.
They no longer have access to the unit. Factory Reset is the only way back.
So I am now in limbo.
You can download the SSLVPN config file which should help:
Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_manual-distribution_c.html
You can can turn on diagnostic logging for SSLVPN which may show something to help:
In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> SSL
In the Web UI: System -> Diagnostic Log
Set the slider to Information or higher
You should see access attempts to your firewall external interface for the SSLVPN port that you have configured. The default is TCP port 443.
Also, if your external IP addr is now different, make sure that you change the SSLVPN setup to reflect the new IP addr prior to downloading the the SSLVPN config
And, you can manually edit the client.ovpn file, to change the IP addr to which you need to connect, which is in your AppData\Roaming\WatchGuard\Mobile VPN directory. It is just a text file.
Change the "remote" line to reflect the new IP addr.
Haaaa.
Got it.
One caveat with WG. When you do not use the correct length/complexity for password, it does not tell you same.
All U get is auth error, but no reason that I could find.
Figuring it was something with the password, and that was the culprit.
Anyway, a few pointers and all is well in the world again.
I do remember downloading the client tgz setup file once before, but was many years ago and had since slipped my mind. I did run that, but until I fixed my password, I wasn't going anywhere. Thanks for the refresher.
Thanks
Howard
My bad as well....
I "thought" it was connecting to an old IP, but what it was actually doing was connecting to the last know client I was connected with. Which was a few days ago. Caught me off guard and my OLD IP was very close to this other BIZ.
Slight of eye problem.
Sorry for the misdirection.
Howard
It only gets worse as we get older!
Gregg Hill