Problem Carrier Grade Nat workaround with Azure Server.

pierremartin
Posts: 1
Joined: Fri Aug 09, 2019 11:38 am

Problem Carrier Grade Nat workaround with Azure Server.

Post by pierremartin » Thu Sep 26, 2019 12:12 pm

I'm working on a solution for a carrier grade NAT workaround.

The new LTE wireless ISP can only offer carrier grade NAT (no public IP; only a private IP is supplied to our router/firewall). We need to port forward certain ports for business purposes.

I have set up an Azure Ubuntu Server VM which has a public IP. I have installed SoftEther Server on the Ubuntu VM (VPN IP: 192.168.30.1) with a virtual hub / local bridge, which seems to be working. The client machine running SoftEther VPN Client can connect to the VPN server and obtains a VPN IP address (192.168.30.200), and ping works in both directions, from VM to client and from client to VM.

I have set up iptables and dnsmasq (on the Ubuntu VM). I have opened the port in the Azure control panel.

I have set up a static local IP that will be receiving the port forward.
I've created /etc/ethers with the MAC address and IP of the port forward destination.

Here is the output of iptables:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.30.0/24 anywhere state NEW
ACCEPT tcp -- anywhere 192.168.30.200 tcp dpt:5900

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.30.0/24 anywhere state NEW

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.30.0/24 anywhere state NEW

The problem is that the port forward does not work. Should I set up a SoftEther Server on the LAN side instead of the client and create a bridge?
Any help would be appreciated.

ozone
Posts: 65
Joined: Thu Sep 19, 2019 7:18 pm

Re: Problem Carrier Grade Nat workaround with Azure Server.

Post by ozone » Sat Sep 28, 2019 1:17 pm

Hi,

I like the idea of what you are trying to do.
It's actually something more and more of us are going to have to think about, now that providers prefer to sell global IPv4 addresses to high-paying business customers rather than consumers and small businesses.
I applaud people openly discussing this!

But, that said, this is actually kind of a "how does iptables work" question, not so much a "how does softether work" question.

Regardless, I looked at your iptables example, although I'm certainly no iptables expert.
But based on what I know from Cisco etc., I'll give it a go.

First, it seems to me that it is a VERY rudimentary ruleset. Be careful!
Second, you seem to want to "forward" something (VNC?) with an "input" rule to an address NOT on the Azure server. (Should be in the "forward" section, I think.)
Third, I miss some kind of dst-nat rule that does the translation from the WAN IP to 192.168.30.200 for TCP 5900.
(And also any src-nat (masquerade) rules for normal outgoing internet traffic over this VPN, or is this not required?)

This is based on what I know one needs to do on other platforms for a successful port forward.
As mentioned, I'm no iptables expert, but maybe it helps to point you in the right direction.

I hope this helps.

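The rule set ozone describes (DNAT in the nat table, a matching FORWARD rule instead of the INPUT rule in the original post, and an optional MASQUERADE for the VPN clients' own outbound traffic), written out as an added example that is not from either poster. The interface names eth0 (the VM's public interface) and tap_vpn (the SoftEther local-bridge tap device) are assumptions; the addresses and port are the ones from the thread. With DRY_RUN=1 (the default) the script only prints the commands, so it can be reviewed without root before being applied with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: forward TCP/5900 arriving on the Azure VM's public interface
# to the SoftEther VPN client at 192.168.30.200. Interface names are assumed.
WAN_IF="${WAN_IF:-eth0}"          # assumption: public interface of the VM
VPN_IF="${VPN_IF:-tap_vpn}"       # assumption: SoftEther local-bridge tap device
VPN_NET="${VPN_NET:-192.168.30.0/24}"
TARGET="${TARGET:-192.168.30.200}"
PORT="${PORT:-5900}"
DRY_RUN="${DRY_RUN:-1}"           # 1 = print commands only, 0 = execute (needs root)
HAIRPIN_SNAT="${HAIRPIN_SNAT:-0}" # see note below the rules

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit (or apply) the complete rule set, one command per line.
portforward_rules() {
    # The kernel must be allowed to route between the WAN and VPN interfaces.
    run sysctl -w net.ipv4.ip_forward=1

    # dst-nat: rewrite the destination of inbound WAN traffic on $PORT to the VPN client.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$TARGET:$PORT"

    # Forwarded packets never hit INPUT; allow exactly this port toward exactly this host,
    # plus the reply direction. Keep the FORWARD policy at DROP for anything else.
    run iptables -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -p tcp -d "$TARGET" --dport "$PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # src-nat for the VPN clients' own outbound internet traffic (only if they route via the VM).
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE

    # If the client keeps its default route on the LTE link, replies to forwarded
    # connections would leave via the CGNAT path and the connection fails.
    # Masquerading the forwarded flow toward the client makes replies return over the VPN.
    if [ "$HAIRPIN_SNAT" = "1" ]; then
        run iptables -t nat -A POSTROUTING -o "$VPN_IF" -d "$TARGET" -p tcp --dport "$PORT" \
            -j MASQUERADE
    fi
}

# Count emitted rules that mention a token; useful for a quick sanity check of the dry run.
count_rules_matching() {
    portforward_rules | grep -c -- "$1"
}

portforward_rules
```

Run it once as is to review the output, then `DRY_RUN=0 sh thisscript.sh` as root on the VM; set `HAIRPIN_SNAT=1` if the VPN client's default route is not the VM. Note that this only adds rules, so repeated runs duplicate them; flush the relevant chains or persist the final set with iptables-save once it is correct.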