Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule
-
@morgenstern
So what is the sense of forwarding it? That doesn't make it any more secure.
Simply allow access to the WAN from certain source IPs.
-
@viragomann I originally copied that approach from a contractor that had set it up that way for us a few years back. I never thought to try and simplify it when it worked... :)
-
@morgenstern If it's a consumer grade account I could definitely see them blocking server connections. If it's CGNAT (100.64.0.0/10 subnet) like Starlink uses for IPv4 then it isn't going to work for any inbound connection...try IPv6 if they provide that.
-
Deleted the NAT rule and just added this WAN rule instead but no joy
-
@steveits said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:
@morgenstern If it's a consumer grade account I could definitely see them blocking server connections. If it's CGNAT (100.64.0.0/10 subnet) like Starlink uses for IPv4 then it isn't going to work for any inbound connection...try IPv6 if they provide that.
I guess I may have to speak to them. How would I establish whether it's this CGNAT? Is it a common thing nowadays?
-
It's a /29 network by the way
-
@viragomann said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:
@morgenstern
https://en.wikipedia.org/wiki/Carrier-grade_NAT
https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
Ah yeah, I see what you mean:
In April 2012, IANA allocated the block 100.64.0.0/10 (100.64.0.0 to 100.127.255.255, netmask 255.192.0.0) for use in carrier-grade NAT scenarios.
The public IP I got isn't in that range.
-
In April 2012, IANA allocated the block 100.64.0.0/10 (100.64.0.0 to 100.127.255.255, netmask 255.192.0.0) for use in carrier-grade NAT scenarios.
The public IP I got isn't in that range.
And also not an RFC 1918?
So check if the packets even arrive on your WAN. You can use Diagnostic > Packet Capture to investigate.
Do you have any other inbound connections?
-
@viragomann said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:
RFC 1918
Nope. It's 188.x.x.x/29
-
Okay, I got it!
So my simplified rule was too complex!
The source has to be any port from the trusted IP list to HTTPS port on the destination WAN IP!
-
@morgenstern said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:
any
Ah yes, the source port is normally random. Easy to read over in a screenshot.
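An added illustration (not from any poster and not pfSense code) of the two checks this thread settles on: whether the address the ISP handed to WAN is CGNAT or RFC 1918 space, so no inbound connection can ever reach the firewall, and why a WAN pass rule with the source port pinned to HTTPS never matches a real client, whose source port is random. The trusted network 203.0.113.0/24 and the client port 51234 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Address blocks that cannot receive inbound connections from the internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT space
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_wan_ip(ip: str) -> str:
    """Classify the WAN address the ISP handed out: 'cgnat', 'rfc1918' or 'public'."""
    addr = ipaddress.ip_address(ip)
    if addr in CGNAT:
        return "cgnat"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return "public"

@dataclass
class WanRule:
    """Hypothetical, simplified model of a pfSense-style pass rule on WAN."""
    trusted_sources: List[str]  # the 'trusted IP list' alias, as CIDR strings
    src_port: Optional[int]     # None means 'any'; a fixed value is the mistake in the thread
    dst_port: int               # 443 for the HTTPS web GUI

def rule_passes(rule: WanRule, src_ip: str, src_port: int, dst_port: int) -> bool:
    """True if an inbound TCP packet matches every field of the rule."""
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(n) for n in rule.trusted_sources):
        return False  # not from the trusted list
    if rule.src_port is not None and src_port != rule.src_port:
        return False  # pinned source port almost never equals the client's ephemeral port
    return dst_port == rule.dst_port

# Constructed sample values: a trusted admin network and an ephemeral client port.
TRUSTED = ["203.0.113.0/24"]
BAD_RULE = WanRule(TRUSTED, src_port=443, dst_port=443)    # source port pinned to HTTPS
GOOD_RULE = WanRule(TRUSTED, src_port=None, dst_port=443)  # source port any

if __name__ == "__main__":
    print(classify_wan_ip("100.72.1.5"))                       # cgnat: inbound cannot work
    print(rule_passes(BAD_RULE, "203.0.113.10", 51234, 443))   # False: client port is random
    print(rule_passes(GOOD_RULE, "203.0.113.10", 51234, 443))  # True
```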