on 26.09.2020 21:05
So first of all sorry that I write in English, my German is not the best.
I made a contract (Vodafone CableMax 1000 with Arris TG3442DE HGW) a few days ago, switched from Telekom. It's working fine, but today morning I realised that I got CGNAT on the ISP side. Previously I had a dynamic IPv4 address assigned to the WAN.
The IPv4 address is mandatory for me and I didn't see any related information about that in the contract.
I'm working for a banking company from home currently, and if I use the company VPN from home, it can be a serious security issue on our side, because in this case the whole network behind the NAT is allowed on our firewall (since I don't have a unique IPv4) via the port knocking mechanism.
So my question is, is it possible for me to get out of CGNAT?
I don't want to change to a business account just because of this. If it's not possible, I have to switch back to my Telekom contract.
on 27.09.2020 01:54
By signing the contract, you agreed that your line will use CGNAT.
Anyhow, I don't really understand (and I think you have no plan at all) why CGNAT imposes a security risk to your company's network. As all the traffic in the VPN is encrypted, nobody other than you is able to decrypt the traffic, and thus the use of CGNAT doesn't impose any security risks to the VPN connection. The same applies in case you'd connect from a mobile network - there it's also common that the providers use CGNAT and not public IP addresses for the devices registered in the network.
Even with your Telekom contract, your company would have needed to enable all of the public IP ranges of Telekom in order to allow you to set up a connection - as it is not said that you will always stay at the same IP address - as Telekom doesn't offer static IP addresses for end customers.
And by the way: if the VPN is correctly set up, you don't need any open ports or "punched holes" in the firewall on your side - as all your traffic is outgoing traffic and thus the NAT does not need to open any ports for incoming traffic (apart from the one that is bound to the outgoing connection - but that's standard).
For your company, there is absolutely no difference between allowing the CGNAT servers from Vodafone -or- all public IP addresses from Telekom - as you don't have static IPs in either case and thus may appear from any possible IP address from the customer range of your ISP.
And the only way to get a static IPv4 - which seems to be what you want, in case your company's firewall will be exclusively opened for just this one IPv4 address and not whole ranges (needed for dynamic IPv4s of Telekom customer contracts) - is to switch to a business contract. The same also applies to Telekom - there you also only get a static IPv4 if you subscribe to a business contract.
on 27.09.2020 13:34
The default policy is deny on the VPN firewall. So if you want to connect to the VPN, you have to use port knocking to open the VPN port and allow you to connect (after you have connected, the port remains open until you disconnect). Otherwise the port seems closed.
Now if I open the port on the firewall, it's open not just for me but for everybody behind the single public address.
I understand that there is a really small chance to get attacked through this issue, but this is not my policy but my company's.
on 27.09.2020 14:38
This policy is total bull*** and does NOT generate any additional security, as you still need to have a special dedicated open port for the "port knocking service" in order to be able to use that port knocking technique. And as this service needs to be opened up to the public, it just imposes an additional risk vector for attackers (as this port knocking service is another weak point in the design), whereas it does not add any kind of additional security (due to the fact that authentication for the VPN is only done on the VPN side, thus the port knocking service cannot authenticate you at the beginning - or you'd face the same security concerns there).
Anyhow - if your company has problems with a CGNAT service, then they should either provide you with a dedicated connection (and there are services to do so without facing the Internet at all) -or- should pay the additional fees that you have to bear for a business connection.
By the way: the same "problems" are imposed on mobile connections - they also use CGNAT services. And the usage of CGNAT will increase as the pool of IPv4 addresses has been exhausted - since 2011(!). So providers will have to use CGNAT for IPv4 connections in the future on a much wider scale.
And another thing to mention:
If the VPN supported IPv6, you would not have any problems - as you have a public IPv6 connection without CGNAT.
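The shared-address effect discussed in the two posts above (a knock-based allow rule is keyed on the public source address, so behind CGNAT one customer's knock opens the VPN port for every customer sharing that address) as an added Python model; this is not code from any poster, and the addresses and knock sequence are constructed.

```python
from collections import defaultdict

# Constructed sample data (RFC 5737 / RFC 6598 ranges, not real customers):
# two CGNAT customers share one public IPv4; one plain customer has a dynamic
# but unshared public IPv4, as with the Telekom line described in the thread.
CGNAT_PUBLIC_IP = "203.0.113.10"
CGNAT_CUSTOMERS = {"100.64.1.5": CGNAT_PUBLIC_IP,   # the employee's line
                   "100.64.7.9": CGNAT_PUBLIC_IP}   # an unrelated customer
PLAIN_CUSTOMERS = {"198.51.100.20": "198.51.100.20"}


class KnockFirewall:
    """Default-deny VPN port; a correct knock sequence opens it for the source IP.

    Hypothetical model of the policy described in the thread: the firewall can
    only see the address the packets arrive from, i.e. the CGNAT public address.
    """

    def __init__(self, sequence):
        self.sequence = tuple(sequence)
        self.progress = defaultdict(int)   # src_ip -> correct knocks seen so far
        self.allowed = set()               # src_ips the VPN port is open for

    def knock(self, src_ip, port):
        expected = self.sequence[self.progress[src_ip]]
        # Advance on the expected port, otherwise restart the sequence.
        self.progress[src_ip] = self.progress[src_ip] + 1 if port == expected else 0
        if self.progress[src_ip] == len(self.sequence):
            self.allowed.add(src_ip)
            self.progress[src_ip] = 0

    def vpn_port_open_for(self, src_ip):
        return src_ip in self.allowed


def who_can_reach_vpn(fw, knocker, nat_table):
    """One customer knocks; return every customer the VPN port is then open for.

    nat_table maps each customer's private/WAN address to the public address
    the firewall actually sees. The knock only stops hiding the port: anyone
    listed still has to pass the VPN's own authentication, which is the real
    control, as the second reply points out.
    """
    for port in fw.sequence:
        fw.knock(nat_table[knocker], port)
    return sorted(c for c in nat_table if fw.vpn_port_open_for(nat_table[c]))


if __name__ == "__main__":
    print("CGNAT:", who_can_reach_vpn(KnockFirewall([7000, 8000, 9000]), "100.64.1.5", CGNAT_CUSTOMERS))
    print("plain:", who_can_reach_vpn(KnockFirewall([7000, 8000, 9000]), "198.51.100.20", PLAIN_CUSTOMERS))
```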
on 28.09.2020 19:32
Hi K3rN3lP4N1C,
I have sent you a private message.
Kind regards
Marco