ATP100 behind a router - setting the WAN IP

DaNetworks
DaNetworks Posts: 7  Freshman Member
edited September 2022 in Nebula
Hello,
I have the FW sitting behind a Fritzbox (Cable).
So the WAN IP is a local IP of the Fritzbox.
However, the connection has a fixed IP; how can I give Nebula this IP as the WAN IP -> for the VPN config -> site-to-site VPN etc.?
The domain name "nebula-XYZ" of course also returns only the local IP.

Has anyone already solved this problem?

_____________________

I have the FW connected to a Fritzbox (Cable).
The WAN IP -> P2 is a local IP of the Fritzbox, 192.168.0.xx.
The service provider provides a fixed IP address 37.xx.xx.xx; how can I store this IP in Nebula as the WAN IP -> for the VPN config -> site-to-site VPN etc.?
The domain name "nebula-XYZ" of course only returns the local IP.

Has anyone solved the problem yet?

All Replies

  • DaNetworks
    DaNetworks Posts: 7  Freshman Member
    I just saw that
    the overview page even shows both IPs, the real WAN and the Fritzbox address.
    So both are known in Nebula, but how does this one get to the right place?

    ____________________________
    I looked around in NCC and found both IPs on the overview, the real WAN IP and the internal Fritzbox IP.
    But how do I get the real WAN IP into all configurations where the WAN IP is needed?
  • mMontana
    mMontana Posts: 1,389  Guru Member
    Tough answer to give...
    Any device might or might not be aware of the public IP address, depending on the features of the device, AND the TCP/IP stack (v4 and v6) doesn't really care about the public address to work as intended.

    Even the WAN IP address of the ATP100 might be a private IP to interoperate correctly with border devices/CPE. Or, if public, it cannot be considered the correct IP address for receiving communications.
    Depends on the router/CPE in front of the router/firewall
    Depends on the ISP configurations and behavior

    So... it's a job for sentient and informed human beings to find that information. NCC is one of the ways to get that info, but not the only one.
  • DaNetworks
    DaNetworks Posts: 7  Freshman Member
    edited September 2022
    The problem I would like to solve is:
    if I use the automatic VPN configuration, the Nebula dynamic DNS domain name points to the internal IP

    yes, I can change it manually… but I think there must be a smarter way

    and the router is correctly configured, so the ATP is the exposed host and can handle all incoming traffic

    if I change the config file, all works fine

  • mMontana
    mMontana Posts: 1,389  Guru Member
    What follows is personal experience and opinion...
    VPN endpoints with a dynamic IP are not the most reliable and easy to use, mostly due to caching of the DNS value.
    You can still use Dynamic DNS services to catch up with the correct endpoint, but not all VPN services allow that change of config.
    L2TP moreover has the issue of needing to know the public IP address, better in an object.
    Therefore... maybe a zysh script can help you update that object?
  • DaNetworks
    DaNetworks Posts: 7  Freshman Member
    You’re right
    But Nebula doesn’t have the option to refer to the static IP
    this would be my favorite

    the Nebula dyn DNS always points to the static IP
    Also it’s not important if I use the static IP or the Nebula DNS

    as I said, the static IP would be my favorite

    I don’t have any experience with zysh script

    I will look around for information
  • mMontana
    mMontana Posts: 1,389  Guru Member
    Static public IP IMVHO is not a "problem" of NCC, but of your ISP...
  • DaNetworks
    DaNetworks Posts: 7  Freshman Member
    It’s not correct

    to be clear

    the ISP is providing the Internet via cable TV
    So I can’t connect the ATP directly
    it has to go through the Fritzbox Cable

    Internet -> Fritzbox with static IP -> exposed host ATP with local Fritzbox IP

    Without Nebula
    I created a WAN object and gave it the fixed IP

    And I could use this object to bind it to the VPN setting



  • mMontana
    mMontana Posts: 1,389  Guru Member
    edited September 2022
    As far as I can understand, the Fritzbox is currently your CPE, Customer Premises Equipment: a device provided by your ISP to allow you to use the services (internet, cable TV, even telephone calls).
    However, the public IP address is provided by the ISP, so the WAN interface of your Fritzbox has a public (and/or private, more on that later) IP address that is managed by your provider.
    The LAN interface of your Fritzbox should be the gateway of the WAN interface of your ATP100.

    Why did I write "public and/or private IP address"?
    Due to constraints on IPv4 address availability, many ISPs often use Carrier Grade NAT (CGN/CGNAT https://en.wikipedia.org/wiki/Carrier-grade_NAT) to use few public IP addresses for a lot of consumer connections. In Italy, Iliad S.A. (a French provider operating there) allows only 32k ports and takes advantage of the MAP-E protocol.
    https://www.juniper.net/documentation/us/en/software/junos/interfaces-next-gen-services/topics/topic-map/usf-map-tm.html
    So actually the IP address of the WAN port of the CPE could be a public address, but also an address of the provider's network infrastructure, with the corresponding public IP address managed completely by the ISP. If you want/need a static IP address, you may need to ask your ISP (not always for free...).
    However...
    As far as I can tell, you may be a person living in Germany. And as far as I know, IPv6 deployment on public networks started quite early in Germany.
    And now more than 50% of the providers actively support IPv6
    https://ipv6-test.com/stats/country/DE
    (Italy is still lacking... https://ipv6-test.com/stats/country/IT)

    Therefore, maybe you can have a public static IPv6 address instead of an IPv4 one.
    For instance, www.google.com resolves to
    2a00:1450:4002:411::2004 (IPv6)
              142.251.209.36 (IPv4)
    from the connection I'm using now.

    The ATP100 should manage IPv6... but I don't know how deeply and how well.
    (the "guru member" badge is due only to a high post count... don't consider me a network and/or Zyxel guru at all!!! :-) )
  • DaNetworks
    DaNetworks Posts: 7  Freshman Member
    Sorry
    I think I was imprecise

    yes, Germany

    Yes CPE but - no, it’s a business contract

    there are not many devices which can handle the cable Internet connection

    I booked and got a static IPv4 from the ISP
    To be correct 4, but I can still use 2

    I think I’m not the only one who uses the ATP behind an external router

    all other things are clear and not changeable.

    I need the public IP to refer to the real public IP, not to the WAN port IP
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    Hi @DaNetworks
    If the Fritzbox supports bridge mode, then the ATP100 could be configured with the public IP address.
    After enabling bridge mode on the Fritzbox, it may stop offering DHCP IP addresses.

    If the Fritzbox doesn't support bridge mode (NAT mode), the ATP100 can still establish a site-to-site VPN tunnel behind the NAT router. You have to add port forwarding rules on the Fritzbox to handle VPN traffic.
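
The situation discussed in this thread, written as a check. This is an added example, not code from any poster or from Zyxel: it classifies the firewall's WAN address, the upstream router's WAN address and the dynamic DNS answer, then reports which address a remote VPN peer must dial and which forwards the router in front needs. The function names and sample addresses are constructed, and it assumes the tunnel is IPsec (IKE on UDP 500, NAT traversal on UDP 4500).

```python
import ipaddress

# Ranges that are never reachable from the internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

# Assumption: IPsec tunnel. IKE uses UDP 500, NAT traversal uses UDP 4500.
IPSEC_FORWARDS = [("udp", 500), ("udp", 4500)]


def scope(addr):
    """Classify an IPv4 address as 'rfc1918', 'cgnat' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def assess(fw_wan_ip, router_wan_ip, ddns_answer):
    """Report how a remote VPN peer can reach a firewall behind a router.

    fw_wan_ip:     address on the firewall's WAN port
    router_wan_ip: address on the upstream router's WAN port
    ddns_answer:   address the firewall's dynamic DNS name resolves to
    """
    result = {"nat_in_front": scope(fw_wan_ip) != "public",
              "ddns_usable": scope(ddns_answer) == "public",
              "peer_gateway": None,
              "forwards": []}
    if not result["nat_in_front"]:
        result["peer_gateway"] = fw_wan_ip       # bridge mode or direct uplink
    elif scope(router_wan_ip) == "public":
        result["peer_gateway"] = router_wan_ip   # peers dial the router's address
        result["forwards"] = IPSEC_FORWARDS      # exposed host or explicit rules
    # Otherwise the router itself is behind CGNAT: no inbound tunnel is possible.
    return result


# Constructed values: 198.51.100.7 (documentation range) stands in for the
# static public IP, 192.168.0.20 for the firewall's address on the router LAN.
THREAD_CASE = assess("192.168.0.20", "198.51.100.7", "192.168.0.20")
```

For the constructed thread case the result flags the dynamic DNS name as unusable for remote peers and names the router's public address as the gateway they have to be configured with.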
