[NEBULA] VPN between two NSG100 devices (both behind NAT)

MikyMike Member Posts: 11
edited June 2, 2020 4:40PM in Nebula Security Gateway
Hi All,

I have one NSG behind a cable modem, and one NSG behind a 4G modem. 

As I am having trouble finding which NSG to blame for not connecting to each other, I am first trying to connect from my mobile to the NSG, so I can check them separately, assuming that helps to find out how to connect both NSGs to each other.

With help of this forum I got a VPN connection from my mobile to the NSG behind the cable modem:
Thanks Nebula_Jason!
So I guess the port forwarding and NAT traversal settings for that NSG are ok.

I did the same type of site-to-site config for the NSG behind the 4G modem, and I opened the same ports (500, 4500) on the 4G modem as I did for the cable modem. However, I can't connect from my mobile to that NSG. I don't understand why there is a difference. I suspect this is related to not being able to get a VPN set up between both NSGs.

In the NSG event log of the NSG behind the 4G modem I don't see attempts to connect from the mobile, so maybe it is related to IPv6, or something else that is different in that situation.

Any tips on what settings to check, or config changes to make?


Accepted Solution

  • MikyMike Member Posts: 11
    Accepted Answer
    Hi all,

    I found it!

    For other newbies like me, I overlooked several things that are probably logical for the more experienced:
    * The event log of the NSG updates very slowly; it can take 5 minutes to see new events (which made me assume too quickly that something wasn't arriving/working)
    * The 4G modem switched IP during my tests, which I didn't notice (I first wanted it to work before setting up DDNS)
    * The menu of the 4G modem was confusing; I thought I had set up port forwarding under "LAN IP Filtering", but I had to do this under "Virtual Server"
    * During the many tests I had created an overlapping VLAN, and that (I guess, or something else) caused the VPN active state to switch to off; in the menu Organization->VPN Members, the "Join member" buttons were turned off (which I am sure were on before)
    * Not sure if it mattered, but the rules I had created for the non-Nebula device were not used, as both NSGs are behind a modem, so I disabled them

    My original plan to connect my mobile first to the NSG behind the 4G modem helped to see some of the mistakes, but funnily enough I still can't do this; however, I got the NSGs connected, which was my goal :-) I hope it helps someone else!


All Replies

  • Nebula_Jason Zyxel Official Agent Posts: 184  mod
    Hi @MikyMike

    I am glad to hear that you found the issue and resolved it.
    BTW, the event logs on NCC are updated around every 3 minutes.

    Thanks for the detailed information you shared.
  • MikyMike Member Posts: 11
    Hi @Zyxel_Jason ,

    Thanks for your guidance! I am new at this, so much appreciated!

    I am able to access a website from one site through the VPN on the other site, so I have the VPN working. Also, on the VPN connection overview pages it says connected. However, checking the event log I see messages which seem to imply the connection isn't perfect yet. The messages I see:

    Phase 1 IKE SA process done
    Phase 2 proposal mismatch

    From what I found online this means the secret key isn't matching, or the protocols selected for the VPN don't match. I checked the secret on the Site-to-site VPN page and the L2TP settings page, and they are all matching. For the protocols I tried a few variations, but I have them all set to default again; as per the examples I found, they are all matching as far as I could see. All hardware has the latest firmware versions. I am not sure if I set the rule correctly for NAT traversal; on the site-to-site page I wasn't sure if I needed to use the external IP of its own connection, or the external IP of the other NSG. Could this be it, or what other setting could be set up wrong?

    2nd question:
    I'm trying to set up remote camera monitoring. I am able to access the NVR's local website across the VPN; only the actual video stream, which I think uses the RTSP protocol, is not working through the VPN. On the network which contains the NVR's local website I can see the live streams, but on the other network I can access that website on its local IP behind the other NSG, so through the VPN, but the video stream does not work. I tested this with the same laptop, by switching which network it is part of, so it shouldn't be caused by the way I test it. Any tips on which settings to check, or event log entries to watch for related to real-time video streaming? (Or is this potentially related to the VPN question above?)

    3rd question:
    I have dynamic DNS set up, and it works; only the timing is off: checking whether the IP changed takes several minutes, the DNS update takes some time, and the NSG also takes several minutes to see that the DNS was updated. The end result is that the IP change takes too long, so the VPN breaks for about 15 or so minutes. Not a big disaster in my case, but I prefer to prevent this breaking of the VPN due to timing. What are the recommended timing frequencies for this?

  • Nebula_Jason Zyxel Official Agent Posts: 184  mod
    Hi @MikyMike,

    Thanks for your detailed information.

    For questions 1 and 3, I will PM you to request privileges on your organization to help you check.
    Please help to check your Forum Inbox later.

    For question 2, from your previous description, since both your NSGs are behind NAT, I think you may need to configure port forwarding for port 554 (RTSP) on your modem and may also need a policy route for VPN traffic on your NSGs.

    Hope it helps.
  • MikyMike Member Posts: 11
    Hi @Zyxel_Jason

    It is so nice to get replies to my questions; it confirms my choice of Zyxel :-) It is nice to learn new things about networking (I have a dev background). If you can and want to help check my settings, you and the Zyxel team are welcome to.

    1. I managed to get rid of the errors in the event log related to the VPN tunnel. I did this by setting, on both modems, that the NSG behind it is in the DMZ. And I removed the non-Nebula rule on the site-to-site VPN settings page.

    For the 4G modem (Huawei B525s-23a) I have the option to set it to bridge mode, but I'm a bit hesitant, as I read that routers typically don't handle the mobile communication as well (and that getting it out of bridge mode can be difficult), but I'll investigate this further.
    For the cable modem I can't set bridge mode myself; I will contact my internet provider to ask them to do this, to simplify the setup.

    2. I haven't had the time to look further at this. I am hoping that having set the NSGs in the DMZ of the modems helps (as I understood that the DMZ setting forwards all ports, including the 554 RTSP port), but I will check this. Thanks for the suggestion!

    3. The issue with the timing of the DDNS updates also ties in with having the modems in front of the NSGs, as I can't use the DDNS setting of the NSG to update the DDNS record (I tried, and it sets the local IP instead of the public IP). So I have the 4G modem update the DDNS, the timing of which I can't influence. For the cable modem, bridge mode will solve this, so I can set it in the NSG. For the 4G modem I'm doing more research to see whether setting it to bridge mode adversely affects the communication related to the mobile-specific protocols.

    Thanks for your support!
  • MikyMike Member Posts: 11
    Hi @Zyxel_Jason

    Point 2 is fixed: I managed to get a VPN connection to one of the NSGs and see the RTSP video stream :-). As I wrote, I set the NSG in the DMZ of the modem, so all ports are forwarded, including port 554 for RTSP, so good advice :-)

    I have just one question at this time: is it a good idea to set the Huawei (B525s-23a) 4G modem to bridge mode?

    I can imagine/assume that most of the mobile protocols related to getting an IP will still be handled by the 4G modem, even when bridged; however, if bridge mode lets some of the mobile communication reach the NSG router, will it be able to handle that situation well?

    The only inconvenience at the moment is that the updating of the IP with DDNS isn't timed well and causes a short (+/- 15 min) breakdown of the VPN when the IP is updated (as this is now done by the 4G modem instead of the NSG). That isn't handy, but having to deal with a 4G modem and router getting confused could be more difficult. Or maybe I should just try it and see if it works (as it isn't in production yet anyway).

    Curious about your point of view! Thanks once again for the excellent support!

  • Nebula_Jason Zyxel Official Agent Posts: 184  mod
    Hi @MikyMike,

    You may configure your 4G modem in bridge mode if you want.
    I have already tested this with my NSG having a public IP (PPPoE) and a DDNS configuration (No-IP).
    When the public IP changes, it takes around 1~2 minutes to update the information at the DDNS service provider.

    Hope it helps.
  • MikyMike Member Posts: 11
    Hi @Nebula_Jason

    For the cable modem the change to bridge mode was smooth. Besides changing the modem, I didn't have to change anything in the NSG for everything to keep working.

    For the 4G modem the experience of going to bridge mode is different. Initially, on the Security Gateway page I saw this info:

    WAN1: (DHCP)
    Public IP: 62.xxx.xxx.107

    After setting the 4G modem to bridge mode I saw this:

    WAN1:100.xxx.xxx.51 (DHCP)
    DNS: 62.xxx.xxx.25 162.xxx.xxx.233
    Public IP:62.xxx.xxx.107

    And I lost all access to the 4G modem. I expected to lose access to some settings, maybe lose Wi-Fi, but there was no Wi-Fi and no access from outside, which would have been unhandy but acceptable; but the goal of setting up DDNS didn't succeed, as the gateway address wasn't the external IP (not sure why?), and in the DDNS settings of the NSG I could choose the WAN1 IP to use to update the DNS, but that didn't contain the right value. And even though the NSG knows what the public IP is, I couldn't (or didn't understand how to) set up/choose to use that IP in the DDNS (just WAN1 or custom, but I'm not sure how to use custom).

    Also, I noticed the DDNS support the Huawei modem has was not working with No-IP (it does have it listed as a possible DDNS service); a red square with no transfer appeared. With DynDNS it did work, only with the same behaviour of using the 100.xxx.xxx.51 IP instead of its public IP.

    With a factory reset I put the 4G modem back in regular mode, with the NSG in the DMZ of the modem. Any idea on how to improve on this?

    How I deal with the changing IP now: the 4G modem/NSG will be at a remote location abroad, with security cameras connected to it (no PCs/servers). Fortunately the HikVision NVR has a cloud site in which I can see the new IP of the 4G modem when it changes, and I get an email from the NSG that the VPN broke, so I manually copy-paste the new IP into the DDNS. Not the end of the world, but this can't be the smartest setup.

    Curious about your advice or suggestions! And I hope this also helps someone else new at this.

  • Nebula_Jason Zyxel Official Agent Posts: 184  mod
    Hi @MikyMike,

    1. In my understanding, your 4G modem needs to be in the same subnet as the NSG WAN IP to let clients under the NSG access the 4G modem.
    2. From your description, it seems your NSG is still behind NAT when the 4G modem is changed to bridge mode, because the WAN IP of the NSG is still different from the public IP.

    Hope it helps.
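The check behind Jason's second point can be written down. The following Python is an added example for this thread, not code from the post or from Zyxel: it classifies the address a router holds on its WAN interface (RFC 1918 private, RFC 6598 carrier-grade NAT space, link-local, or public), compares it with the address seen from outside, and decides what a DDNS client should publish. The addresses are constructed from the masked values in the thread (62.xxx.xxx.107 becomes 62.0.0.107, 100.xxx.xxx.51 becomes 100.64.0.51); the 192.168.8.2 LAN address, the function names and the field semantics are assumptions.

```python
"""Classify a router's WAN address and decide what a DDNS client should
publish. Added example for this thread; not Zyxel/NSG code. Assumes the
router exposes its WAN interface address and an externally observed
public address as strings, like the 'WAN1' and 'Public IP' fields shown
in the post above. All addresses are constructed from the masked values
in the thread (62.xxx.xxx.107 -> 62.0.0.107, 100.xxx.xxx.51 ->
100.64.0.51); 192.168.8.2 is an invented LAN-side address."""
import ipaddress

# WAN ranges that are not reachable from the Internet. A WAN interface in
# one of these sits behind another NAT device, whatever the modem UI says.
NON_PUBLIC_V4 = {
    "rfc1918": [  # private networks handed out by a modem in routed mode
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "rfc6598": [  # shared address space used by carriers for CGNAT
        ipaddress.ip_network("100.64.0.0/10"),
    ],
    "link-local": [  # RFC 3927: no DHCP lease was obtained at all
        ipaddress.ip_network("169.254.0.0/16"),
    ],
}


def classify_wan_address(wan_ip: str) -> str:
    """Return 'public' or the key of the non-public range wan_ip is in."""
    addr = ipaddress.ip_address(wan_ip)
    for kind, nets in NON_PUBLIC_V4.items():
        if any(addr in net for net in nets):
            return kind
    return "public"


def nat_position(wan_ip: str, observed_public_ip: str) -> dict:
    """Describe where the router sits relative to NAT.

    wan_ip: address on the router's own WAN interface.
    observed_public_ip: address an outside party reports for this site.
    The two are equal only when the router itself holds the public address.
    """
    kind = classify_wan_address(wan_ip)
    behind_nat = ipaddress.ip_address(wan_ip) != ipaddress.ip_address(observed_public_ip)
    if not behind_nat:
        note = "router holds the public address; DDNS may publish the WAN IP directly"
    elif kind == "rfc6598":
        note = ("WAN address is from CGNAT space, so the NAT is upstream of the modem "
                "(typically the carrier); inbound reachability depends on whether the "
                "carrier does 1:1 NAT or shared CGNAT, not on the modem's settings")
    elif kind == "rfc1918":
        note = "modem is in routed mode; use its DMZ/port forwards or put it in bridge mode"
    else:
        note = "WAN address looks public but differs from the outside view; check for 1:1 NAT upstream"
    return {
        "wan_kind": kind,
        "behind_nat": behind_nat,
        # Always publish what the outside sees, never the WAN interface address.
        "ddns_address": observed_public_ip,
        "note": note,
    }


def ddns_update_needed(published_ip: str, observed_public_ip: str) -> bool:
    """Push a DDNS update only when the record no longer matches the outside view."""
    return ipaddress.ip_address(published_ip) != ipaddress.ip_address(observed_public_ip)


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread.
    for label, wan, public in [
        ("4G modem in routed mode, NSG in DMZ", "192.168.8.2", "62.0.0.107"),
        ("4G modem in bridge mode, still CGNAT", "100.64.0.51", "62.0.0.107"),
        ("cable modem bridged, NSG holds public IP", "62.0.0.107", "62.0.0.107"),
    ]:
        print(label, "->", nat_position(wan, public))
    print("update needed:", ddns_update_needed("62.0.0.107", "62.0.0.108"))
```

The point of `nat_position` is the one the thread stumbled on: a WAN address in 100.64.0.0/10 after bridging means the NAT has moved from the modem to the carrier, so the WAN IP is still the wrong thing to publish in DDNS, and only an externally observed address (what the NSG shows as "Public IP", or what a DDNS or STUN service reports) is worth publishing.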

  • MikyMike Member Posts: 11
    Hi @Nebula_Jason

    That makes sense and would explain what I saw, and I did think of this conceptually, but didn't understand how to do it. I looked at the interface addressing and other settings, but I didn't see how to change that. I changed the Networking mode setting from NAT to Router, but after that the NSG didn't communicate anymore (till I changed it back). It feels like this is a basic setting I forgot, but I don't see what I forgot to change (on which page). On which page should I do that?

    If this were something to do on the 4G modem, I wouldn't know how to do it, as that modem disables its radio when in bridge mode, and it will not have an internal way to access it or configure its settings; but now I have some idea of what's involved.

    I feel I have asked a lot and appreciate the support a lot, so I'll search the net further for this. Thanks for pointing me in the right direction!
