Geekzone: technology news, blogs, forums

cloudyweather

7 posts

Wannabe Geek
+1 received by user: 2


#307177 26-Sep-2023 13:06

Hi

Changing the APN used on a Vodafone SIM to "internet" stops it from using NAT, and I can use it as a 4G backup for a firewall and establish a secondary aggregated IPsec tunnel to head office.

It works when tested in Hamilton, but when I tried it down in Christchurch, using the "internet" APN breaks the 4G connection.

Has anyone experienced similar and know of another APN that'd bypass NAT in Christchurch?

I've asked our account manager to talk to the One system architects, but seeing how he seemed surprised that "internet" worked in Hamilton, I thought I'd ask here...

Cheers


Linux
12178 posts

Uber Geek
+1 received by user: 8472

Trusted
Lifetime subscriber

  #3132102 26-Sep-2023 13:43

I suspect only so many users can connect at a time using the 'internet' APN. I am not sure how big the IP pool is now for that APN.




Spyware
3818 posts

Uber Geek
+1 received by user: 1366

Lifetime subscriber

  #3132105 26-Sep-2023 13:48

If you have an account manager surely you have access to plans with a static IP.





Spark Max Fibre using Mikrotik CCR1009-8G-1S-1S+, CRS125-24G-1S, Unifi UAP, U6-Pro, UAP-AC-M-Pro, Apple TV 4K (2022), Apple TV 4K (2017), iPad Air 1st gen, iPad Air 4th gen, iPhone 13, SkyNZ3151 (the white box). If it doesn't move then it's data cabled.


konfusd
215 posts

Master Geek
+1 received by user: 131

ID Verified
Trusted
Lifetime subscriber

  #3132111 26-Sep-2023 14:12

‘internet’ is working as expected for me (near Rangiora). Another alternative that also doesn’t use CGNAT is ‘www.vodafone.net.nz’ - but I feel like they share IP pools so you may run into the same allocation issue (as per @Linux). YMMV, insert standard caveats about supported solutions etc.

Would definitely recommend looking at our Static IP capable plans however for this use case.




I volunteer my time on here, and all opinions expressed are my own and do not necessarily reflect those of my employer.




cloudyweather

7 posts

Wannabe Geek
+1 received by user: 2


  #3135716 28-Sep-2023 08:29

We were already on a static IP. They forgot to tell us to use an APN specifically for their static customers. It's working with the new APN.


nztim
4012 posts

Uber Geek
+1 received by user: 2710

ID Verified
Trusted
TEAMnetwork
Subscriber

  #3135741 28-Sep-2023 09:49

You only need a public IP at the responder end for IPsec using IKEv2.

Common scenario I do for redundant connections at the responder end is Chorus Fibre and HFC or Vital fibre, each with a public IP.

Branch offices (initiator end) can be behind CG-NAT.





Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 


konfusd
215 posts

Master Geek
+1 received by user: 131

ID Verified
Trusted
Lifetime subscriber

  #3135743 28-Sep-2023 09:54

cloudyweather:

We were already on a static IP. They forgot to tell us to use an APN specifically for their static customers. It's working with the new APN.



Oh yep, that would help.

If anyone else needs it, the APN to use with a static IP is “broadband.static” - however note that it also has to be provisioned on our end, it won’t work if you haven’t asked us to enable it.




cloudyweather

7 posts

Wannabe Geek
+1 received by user: 2


  #3135754 28-Sep-2023 10:21

nztim: You only need a public IP at the responder end for IPsec using IKEv2.

Common scenario I do for redundant connections at the responder end is Chorus Fibre and HFC or Vital fibre, each with a public IP.

Branch offices (initiator end) can be behind CG-NAT.

Not if you want aggregated tunnels on FortiGates.


cloudyweather

7 posts

Wannabe Geek
+1 received by user: 2


#3135758 28-Sep-2023 10:26

konfusd:
cloudyweather:

We were already on a static IP. They forgot to tell us to use an APN specifically for their static customers. It's working with the new APN.

Oh yep, that would help.

If anyone else needs it, the APN to use with a static IP is “broadband.static” - however note that it also has to be provisioned on our end, it won’t work if you haven’t asked us to enable it.

I wasn't sure if you guys would appreciate me broadcasting the APN 🤐


nztim
4012 posts

Uber Geek
+1 received by user: 2710

ID Verified
Trusted
TEAMnetwork
Subscriber

  #3135977 28-Sep-2023 15:23

cloudyweather:

nztim: You only need a public IP at the responder end for IPsec using IKEv2.

Common scenario I do for redundant connections at the responder end is Chorus Fibre and HFC or Vital fibre, each with a public IP.

Branch offices (initiator end) can be behind CG-NAT.

Not if you want aggregated tunnels on FortiGates.

Not true, you have 2x IPsec tunnels between the FortiGates, of which the initiator end can be behind a dynamic IP / CG-NAT and the responder end has a public IP.

The only time you need a public IP on the 4G is if one end is acting as a responder (aka fibre to fibre and 4G to 4G), in which case only one 4G connection would need a public IP.

Then you just set up IPsec aggregation in the FortiGate as normal.


cloudyweather

7 posts

Wannabe Geek
+1 received by user: 2


  #3137550 2-Oct-2023 08:20

nztim:

cloudyweather:

Not if you want aggregated tunnels on FortiGates.

Not true, you have 2x IPsec tunnels between the FortiGates, of which the initiator end can be behind a dynamic IP / CG-NAT and the responder end has a public IP.

The only time you need a public IP on the 4G is if one end is acting as a responder (aka fibre to fibre and 4G to 4G), in which case only one 4G connection would need a public IP.

Then you just set up IPsec aggregation in the FortiGate as normal.

If the site is behind CGNAT then DDNS doesn't work for tunnels - DDNS registers with the interface IP, but the tunnel is seen coming from the NAT address at the other end.

"dial-up" IPsec tunnels can't join aggregates - set type dynamic and set aggregate-member enable are mutually exclusive phase1-interface commands.
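Added example (written for this page, not a config posted by any of the participants above): the head-office (responder) side of the two-member IPsec aggregate the last two posts argue about, in FortiOS 7.x CLI. Everything here is assumed for illustration: the tunnel and interface names, the branch's two addresses (RFC 5737 documentation ranges standing in for the branch's static fibre address and the static 4G address it gets on the broadband.static APN), the branch LAN prefix, and the pre-shared key placeholder. The point it shows is the constraint stated in the last post: both members are static tunnels with `set remote-gw` and `set aggregate-member enable`, and neither uses `set type dynamic`, so the responder has to know the branch's real source address on each link, which is why a CGNAT-ed 4G link cannot be a member.

```fortios
# Added example, not from the thread. Head-office responder, FortiOS 7.x.
# Assumed values (RFC 5737 documentation addresses, hypothetical names):
#   wan1             head-office internet interface (public IP)
#   198.51.100.10    branch static fibre IP
#   203.0.113.25     branch static 4G IP (broadband.static APN)
#   10.20.0.0/16     branch LAN reached via the aggregate
#   <pre-shared-key> placeholder; the real PSK is entered in the clear here
config vpn ipsec phase1-interface
    edit "branch-fibre"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 198.51.100.10
        set aggregate-member enable
        set psksecret <pre-shared-key>
    next
    edit "branch-4g"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        # A fixed remote-gw is what makes aggregate-member legal. A dial-up
        # tunnel ("set type dynamic", no remote-gw) is rejected as a member,
        # so the 4G side needs its own static public address.
        set remote-gw 203.0.113.25
        set aggregate-member enable
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "branch-fibre-p2"
        set phase1name "branch-fibre"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
    next
    edit "branch-4g-p2"
        set phase1name "branch-4g"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
    next
end
config system ipsec-aggregate
    edit "branch-agg"
        set member "branch-fibre" "branch-4g"
        # redundant = active/backup in member order (fibre first, 4G second);
        # use L3 or round-robin if you want to load-share instead
        set algorithm redundant
    next
end
config router static
    edit 10
        set dst 10.20.0.0 255.255.0.0
        set device "branch-agg"
    next
end
```

The branch side mirrors this: the same two phase1-interface entries, each bound to its own uplink (`set interface` on the fibre and the 4G interfaces) with `set remote-gw` pointing at the head-office address, and the aggregate and route pointing at the head-office LAN. The source address the 4G member presents must be the static one from broadband.static, because that is what the responder's `remote-gw 203.0.113.25` is matched against; behind the "internet" APN's CGNAT pool the responder would see a different, changing address and IKE would never match a static peer. Firewall policies on the aggregate interface are omitted here; they are needed in both directions before traffic flows.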

