So, look at me, trying to configure VPN for days and failing. I feel like I should try doing something else with my life, but anyway…
I’m trying to configure “Mobile VPN via SSL” on my Watchguard T35 Firewall.
The network is pretty simple: ISP router in front of my firewall with local gateway of 192.168.1.1
I don’t have a static public address so I made a DDNS account. Using nslookup “name” gives me the same IP as on WhatsMyIP, so it should be working. I configured DDNS on my ISP router, and enabled DDNS on Watchguard as well.
I turned off DMZ on my ISP router
I made port forward rules on my ISP router with WAN and LAN port being 442 because I don’t want to have any issues with HTTPS that is on 443. The destination IP is the local IP of my firewall - 10.11.0.1. I left the source IP blank.
On watchguard, I made users, added passwords for them, added them in SSL-VPN group and changed default SSL port from 443 to 442
I downloaded the SSL client and tried to connect. It’s not working.
Where am I making a mistake? Any advice is helpful because I’m more or less a newbie and I have been trying to make this work for days lmao.
Check traffic monitor, I had a customer that needed VPN setup. They were behind a satellite connection. There were a couple of other ports that needed to be port forwarded. Unless you can do bridge mode on your ISP router.
I’m confused as to how your t35 is configured in wise. You say your gateway is 192.168.1.1, but your port forward rule is to 10.11.0.1 , which doesn’t sound right.
I don’t know the t35, but on the watchguards I do know, your vpn should be set on your wan I/f, which I think should be on the 192.168.1 network.
ETA there’s no reason not to use port 443 for this, and I’d leave it at default for simplicity, or at least until it’s working
Hey, and thank you for your reply. I really appreciate it.
I was reading about bridge mode, need to do some more reading about it. I guess I will try it tomorrow…
I am basically a newbie in this and self learning so I am having difficulties understanding why this is not working. Maybe something with NAT/SNAT, I don’t even know anymore. I thought I did everything correctly.
Watchguard is configured on 10.11.0.1. All other devices in the network are in that LAN.
My opinion on this was that it would be normal to forward VPN requests from that router to the watchguard - basically do port forwarding.
On my Technicolor ISP router I saw 443 is written with “HTTPS” in brackets and I thought that it would be better to use port 442 for VPN (or any other, I don’t know why I chose 442)…I am not sure why I did that, but I thought that maybe my ISP has some rules for 443 and won’t allow me to use it for VPN.
The suggestion about bridged mode is probably correct, but I have also seen some ISPs block incoming traffic on VPN ports including 443 if you don’t have a static and a business account.
As someone else mentioned open traffic monitor on the firewall so you can see traffic in real-time. If you see the VPN request on 443 coming in, then you know your Watchguard is seeing the request at least. If not then back to the ISP modem.
Question - why don’t you try it with the Watchguard in the ISP modem’s DMZ? Wouldn’t this remove any firewall or port blocking that the ISP modem is doing?
OK, it sounds like your forwarding is not correct. I would expect your forward rule to go a 192.168.1. address, which should be assigned to the WAN int of the WG. What IP does your WG WAN port have?
The issue I see with using port 442 for this is that the port is in the assigned range 1-1024. Best to use one outside that range in case it’s blocked somewhere. 8443 is a common one to use for SSL instead of the default 443.
Alright, I will see if I can do that. Also, looks like I can’t put my ISP router in a bridge mode, the only way to do it is to call my ISP support and ask them to do that…
OK, it sounds like your forwarding is not correct.
That is a possibility… WG WAN port is 192.168.1.1 - ISP router… I mean, maybe my logic is wrong, but the way I was thinking is: I am sending a VPN request that will first hit my ISP router and then I will forward it to my WG that will accept the connection (that was the logic and idea and I don’t know if I’m wrong here).
Some people also pointed out that I should put the ISP router in bridge mode…could you kindly tell me what is your opinion on that? I was going to try that as well.
The issue I see with using port 442 for this is that the port is in the assigned range 1-1024. Best to use one outside that range in case it’s blocked somewhere. 8443 is a common one to use for SSL instead of the default 443.
Thanks for pointing that out. In the future I will pay more attention to it (I totally forgot about it, maybe it’s not a bad time to review my Network+ and learn some CCNA as well).
I will try using a higher-numbered port in case the lower ones are blocked.
Correct, your ISP will have to do that. If you don’t have a static public IP I would go ahead and do that as well. If you need anymore help with this you are welcome to message me directly.
Your logic is sound, I just don’t think you have things connected correctly to do it. I’m still confused about your WG IP TBH, what default gateway does it have?
I’m not sure about bridge mode, not all routers/ISPs will support it. Port forwarding just 443 (or whatever port) should work, I just think your ISP router doesn’t know how to route the connection.
I’m still confused about your WG IP TBH, what default gateway does it have?
Yeah…I probably confused you, because I’m having difficulties learning this and I’m learning while doing it, so sorry about that.
This is what I get when I copy external interface info:
Zone: External
IP Address: 192.168.1.205
Gateway: 192.168.1.1
Netmask: 255.255.255.0
MAC: I left it blank
Sent: 2,191,673 KB
Received: 46,444,359 KB
And this is “Trusted”:
Zone: Trusted
IP Address: 10.11.0.1
Netmask: 255.255.255.0
MAC: I left it blank
Sent: 37,810,801 KB
Received: 2,414,253 KB
I’m not sure about bridge mode, not all routers/ISPs will support it. Port forwarding just 443 (or whatever port) should work, I just think your ISP router doesn’t know how to route the connection.
Yeah…I just called my ISP and they told me that they can change router mode to bridge, but I can’t do it with my privileges.
Ok, that makes sense now:-) Your port forward should be set to the external IP of your WG (192.168.1.205), not the internal one. I suspect it will work using port 443, entirely up to you if you change it.
If you then try a connection to the public IP of your router, this should connect you to your WG VPN. Bear in mind tho’ that if you do change the port, you will need to include that port in your url, e.g., https://1.2.3.4:8443/
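An added check script to go with the advice above (written for this page, not code from the thread or from WatchGuard): it flags a port-forward rule whose destination is not the firewall's External interface address (the 10.11.0.1 vs. 192.168.1.205 mix-up in the thread) or that uses a well-known port other than 443, and then probes the public DDNS name through DNS, TCP and a TLS handshake so you can see which layer fails. The addresses are the ones posted in the thread; the DDNS hostname is a placeholder.

```python
"""Added example: sanity-check a router port-forward for Mobile VPN with SSL,
then probe the public endpoint. Addresses are from the thread; the hostname
is a placeholder."""
import ipaddress
import socket
import ssl


def check_forward_rule(dest_ip, wg_external_ip, wg_external_mask, port):
    """Return a list of problems with a port-forward rule on the ISP router.
    The router can only hand traffic to an address on its own LAN, i.e. the
    WatchGuard External interface, never to the Trusted network behind it."""
    problems = []
    lan = ipaddress.ip_network(f"{wg_external_ip}/{wg_external_mask}", strict=False)
    dest = ipaddress.ip_address(dest_ip)
    if dest not in lan:
        problems.append(f"forward destination {dest} is not on the router LAN {lan}")
    elif dest != ipaddress.ip_address(wg_external_ip):
        problems.append(f"forward destination {dest} is not the WatchGuard External IP {wg_external_ip}")
    if not 1 <= port <= 65535:
        problems.append(f"port {port} is out of range")
    elif port != 443 and port < 1024:
        problems.append(f"port {port} is a well-known port; use 443 or one above 1024 (e.g. 8443)")
    return problems


def probe_vpn_port(host, port, timeout=5.0):
    """Resolve host, open a TCP connection and attempt a TLS handshake.
    Returns (stage, detail) where stage is 'dns', 'tcp' or 'tls'."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror as e:
        return "dns", str(e)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the firewall's default cert is self-signed
    ctx.verify_mode = ssl.CERT_NONE  # we test reachability here, not trust
    try:
        with socket.create_connection((addr, port), timeout=timeout) as sock:
            try:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return "tls", f"handshake ok ({tls.version()})"
            except OSError as e:
                return "tls", f"handshake failed: {e}"
    except OSError as e:
        return "tcp", str(e)


if __name__ == "__main__":
    print(check_forward_rule("10.11.0.1", "192.168.1.205", "255.255.255.0", 442))
    print(check_forward_rule("192.168.1.205", "192.168.1.205", "255.255.255.0", 443))
    print(probe_vpn_port("your-ddns-name.example", 443))  # placeholder hostname
```

If the probe stops at "dns", the DDNS record is wrong; at "tcp", the ISP router or ISP is not passing the port to the firewall; a "tls" result means the WatchGuard is answering and the problem is in the VPN configuration itself.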