Community discussions

Member Candidate
Member Candidate
Topic Author
Posts: 224
Joined: Thu Apr 19, 2007 7:41 am

How to Bypass Double/Triple NAT Xplornet LTE Blocked Ports with CHR on AWS

Wed Nov 28, 2018 1:42 pm

I have an issue that I would like to solve. I am sure it is possible to be done, and I have tried, but I cant get my L2TP to connect. properly.

Office Lan needs VPN access, they have thier own router, Dell Sonic wall, this cannot be changed, it's LAN side is 192.168.1.x The WAN is assigned by DHCP a 192.168.209.x ip, gateway is 209.1.
This gateway is the LTE wireless on the roof owned by xplornet. This device has a Private Internal IP on the WAN side of 100. ?.?.? It is natted to a public IP address. Yes triple NAT Ouch.
They will, cannot open ports on the first NAT even though the public IP is 1:1 Nat per user, ie no one else uses it.

My solution was to run a CHR on AWS, have that installed and running.
I can either put a Mikrotik device physically on the LTE LAN side, or the LAN of the office, OR even run a CHR on a 2012 server in Hyper V.
My preference is to put it on the LAN of the LTE so that my solution only brings traffic external to the LAN of office. So that I do not have to worry about security as much on the CHR running on AWS, and to limit my exposure.

What I want to do is a SSTP tunnel, from the CHR, to the Mikrotik device on same LAN as the LTE, while not actually using the MT as a passthrough, I wanted to use one of the other ports on the Dell Sonic wall as a WAN side port too. So that the MT will pass the L2TP traffic into that port.The end user only has to secure thier one firewall.

Basically this traffic ( VPN via L2TP will get passed from the Amazon instance of the CHR, and pass it to the Mikrotik on site, and then pass that too the Dell Sonic wall. In Essence bypassing the ISP's multi nat scenario.( Without open ports )

I currently have the CHR on Amazon passing traffic it receives across a SSTP tunnel to another Mikrotik device, with the other router plugged into a ethernet port . So the traffic gets to where it is intended,but I get errors on the L2TP where it resends the packets.

I believe my issue is with sending the L2TP traffic back out the SSTP tunnel back to the AWS CHR and this is th reason the tunnel cannot be created, since when it gets back to the device ( Android phone) its coming back from a different IP address.

FYI, the Office side Mikrotik would make the outbound connection to the CHR on AWS,a nd be on 24/7, users would connect to the external AWS IP.

My other solution is to have the VPN user authenticate on the CHR l2tp server, and route traffic back to the LAN side, of the Dell Sonic wall, ie Office lan, but this I do not want to do, due to the security issue it poses.

I need it to work as flawless as possible, they do use Active Directory, and will require basic access for file shares on the server. One person will need to use remote desktop to a windows install on Hyper V

If you have any other ways to set this up to accomplish the same goal, I am open to ideas.

Its just that this method costs $8.00 USD a month vs the 500 Dollars for commercial account that has no NAT involved at all. May people have this issue with Xplornet on LTE and Satellite links.


Who is online

Users browsing this forum: No registered users and 11 guests