Topic: Firewall WAN IP is seen differently externally? (Read 754 times)
mflammia (Newbie, Posts: 22, Karma: 0)
Firewall WAN IP is seen differently externally? « on: March 31, 2024, 11:54:07 pm »
Apologies in advance if this turns out to be an obvious one, but it is currently baffling me.
The WAN interface on my firewall shows as 100.73.x.x, and when I look at the logs this is what also shows as itself. When I take PCAPs, this is also the same.
My Dynamic DNS though is reporting it as a completely different address 188.74.x.x. I may have thought this is an error, but I have a WireGuard site-to-site VPN with another OPNsense firewall, and it sees this end as 188.74.x.x as well?
I am trying to diagnose an issue where traffic doesn't seem to be reaching this firewall, i.e. when looking at logs, PCAPs and SSH'ing or HTTP'ing to 100.73.x.x it's not showing up. I am currently working abroad and trying to get my WireGuard VPN working, and for all the testing I am doing it just doesn't look like it's reaching the firewall.
It used to work, and I have recently changed my ISP, so might be related? Just can't make sense of why the firewall thinks it's one IP address but other devices see it as something completely different?
In either case, using either IP, I can never seem to see traffic I generate hitting the firewall, either in logs or PCAPs?
To me this seems illogical or not making sense, but hoping someone has an answer or something for me to try?

Patrick M. Hausen (Hero Member, Posts: 6844, Karma: 574)
Re: Firewall WAN IP is seen differently externally? « Reply #1 on: April 01, 2024, 12:28:11 am »
Your provider is using CGNAT. The WAN address of your OPNsense is NATed to a different one on egress. You cannot have publicly reachable services via IPv4.
If you get a globally unique IPv6 prefix in addition, you can use that to reach your system. This setup - CGNAT for IPv4 plus public IPv6 - is frequently called DS-Lite.
https://en.wikipedia.org/wiki/Carrier-grade_NAT
https://en.wikipedia.org/wiki/IPv6_transition_mechanism#Dual-Stack_Lite_(DS-Lite)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)

mflammia (Newbie, Posts: 22, Karma: 0)
Re: Firewall WAN IP is seen differently externally? « Reply #2 on: April 01, 2024, 12:34:26 am »
Thank you for taking the time to answer, and clearing this up for me. I am also getting an IPv6 address, so will look into this.
Many thanks

Greg_E (Sr. Member, Posts: 342, Karma: 19)
Re: Firewall WAN IP is seen differently externally? « Reply #3 on: April 01, 2024, 03:59:05 pm »
Why would a company be using a publicly routed IP behind the CGnat?
I have a CGnat on my home service and it uses a private IP address for the clients behind the CGnat.
While nothing stops you from doing it the first way, it could certainly get in the way of DNS depending on the site you are trying to reach.

netnut (Sr. Member, Posts: 272, Karma: 33)
Re: Firewall WAN IP is seen differently externally? « Reply #4 on: April 01, 2024, 05:28:50 pm »
Quote from: Greg_E on April 01, 2024, 03:59:05 pm
Why would a company be using a publicly routed IP behind the CGnat?
The OP is assigned 100.73.x.x which is part of 100.64.0.0/10 which isn't publicly routed
https://www.rfc-editor.org/rfc/rfc6598
DNS shouldn't be a problem either
https://www.rfc-editor.org/rfc/rfc7793

Greg_E (Sr. Member, Posts: 342, Karma: 19)
Re: Firewall WAN IP is seen differently externally? « Reply #5 on: April 02, 2024, 03:25:39 pm »
Thanks. TMobile didn't get the memo.
I have a 192.168.x.x on my home internet service. Maybe they ran out of 100.64.x.x to hand out.
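
The check discussed in replies #1, #4 and #5, written out as an added example that is not part of any post in this thread: it classifies a WAN interface address against the RFC 6598 shared range (100.64.0.0/10) and the RFC 1918 private ranges, then compares it with the address remote peers observe. The function names `classify` and `diagnose` are hypothetical and the sample addresses are constructed.

```python
import ipaddress

# Address ranges that cannot receive unsolicited inbound traffic from the internet.
SHARED_CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Classify an IPv4 address by how it can be reached from the internet."""
    ip = ipaddress.IPv4Address(addr)
    # Checked explicitly: Python's is_private is False for 100.64.0.0/10,
    # so a plain is_private test would miss a CGNAT-assigned WAN address.
    if ip in SHARED_CGNAT:
        return "cgnat-shared"
    if any(ip in net for net in RFC1918):
        return "rfc1918-private"
    # is_global is False for loopback, link-local, documentation ranges, etc.
    return "public" if ip.is_global else "other-non-routable"


def diagnose(wan_addr, external_addr):
    """Compare the WAN interface address with the address remote peers see
    (for example the one a dynamic DNS service or a VPN peer reports)."""
    wan_class = classify(wan_addr)
    translated = (ipaddress.IPv4Address(wan_addr)
                  != ipaddress.IPv4Address(external_addr))
    return {
        "wan_class": wan_class,
        "translated_upstream": translated,
        # Port forwards or a VPN listener on IPv4 only work when the WAN
        # address is itself public and nothing upstream rewrites it.
        "inbound_ipv4_reachable": wan_class == "public" and not translated,
    }


if __name__ == "__main__":
    # Constructed samples: (WAN interface address, externally observed address).
    for wan, seen in [("100.64.12.34", "8.8.8.8"),   # provider CGNAT
                      ("192.168.1.20", "8.8.8.8"),   # NAT with RFC 1918 on the WAN side
                      ("8.8.8.8", "8.8.8.8")]:       # public address, no translation
        print(wan, seen, diagnose(wan, seen))
```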