Metro Cell problem with Balance 30


#1

I have a customer whose SonicWall we have just replaced with a Balance 30 for the cellular backup. Because the customer has a tin box for a building, they have a cell phone repeater called a Metro Cell from AT&T. After we put the firewall in, the Metro Cell would not connect to AT&T servers (it does so via the network and then the device broadcasts a cell signal). I have configured in the firewall for the device to allow any for incoming and outgoing, as well as entered rules to allow communications for the specific servers to allow anything coming in, and yet the thing will not come up.

The customer is Benzie Bus and I have remote support turned on. The internal IP of the Metro Cell is 192.168.50.132. Any help would be appreciated.


#2

Note that I also forwarded the appropriate ports as well as the protocols.


#3

The Metro Cell creates an IPsec tunnel back to the AT&T mobility network. I suspect the Balance 30 is getting in the way of that since PepVPN uses port 4500.

Here are some things to try:

  1. Make sure IPsec NAT-T is enabled (Network | Service Passthrough)
  2. If you’re using PepVPN change the data port away from 4500

The Metro Cell will use ports 123, 500, 4500 (UDP) and 443 (TCP).


#4

Thanks for your response. NAT-T is enabled.
I am not using PepVPN, but how do you change it?


#5

Do I need to define custom ports or define Site-to-site VPN?


#6

No need if you’re not using it.

How many WAN connections do you have? Is there a public IP on the WAN of the Balance or is there a NAT router between it and the internet?


#7

There are two WAN connections. A Cable Internet one and a Cellular backup (the Metro Cell is not allowed on the cellular backup via my Outgoing Rules config, only the Voice VLAN is).

There is no NAT router between the Internet and the Peplink. It is on a public IP.


#8

What about enabling UPnP and/or NAT-PMP? Should I get rid of the firewall rules?


#9

You could enable them to see if it helps. I would likely factory reset and start again. By all accounts, you don’t need any special rules on the firewall - just IPsec passthrough enabled. The Metro Cell creates an outbound IPsec tunnel as far as I can work out - by default all outbound sessions are allowed.

I think I would diagnose this by powering off the Metro Cell, starting a network capture on the Balance, powering on the Metro Cell, waiting for it to fail, then stopping the capture and digging through it to see what traffic was sent by it that didn’t make it through the router from LAN to WAN (and back again).
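The capture-and-compare diagnosis described in the last post, as an added example that is not from the thread or from Peplink. It assumes the LAN-side and WAN-side captures have been exported to a simplified flow-record format (one "src dst proto dport" per line); the sample records below are constructed, using the Metro Cell address from the thread and RFC 5737 documentation addresses in place of the AT&T endpoint and the Balance's public WAN IP.

```python
from typing import NamedTuple

# Values from the thread: the Metro Cell's internal IP and the ports it needs.
METROCELL_IP = "192.168.50.132"
EXPECTED_PORTS = {("udp", 123), ("udp", 500), ("udp", 4500), ("tcp", 443)}

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def parse_capture(text: str) -> list[Flow]:
    """Parse simplified flow records: 'src dst proto dport', one per line (assumed format)."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows

def find_dropped_flows(lan: list[Flow], wan: list[Flow], device_ip: str = METROCELL_IP):
    """Flows the device sent on the LAN side that never appeared on the WAN side.

    After source NAT the WAN-side source differs, so flows are matched on
    (destination, protocol, destination port) only."""
    wan_seen = {(f.dst, f.proto, f.dport) for f in wan}
    dropped = sorted({(f.dst, f.proto, f.dport) for f in lan
                      if f.src == device_ip and (f.dst, f.proto, f.dport) not in wan_seen})
    return dropped

def missing_expected_ports(wan: list[Flow]):
    """Expected Metro Cell ports that were never seen leaving the WAN at all."""
    return EXPECTED_PORTS - {(f.proto, f.dport) for f in wan}

# Constructed sample captures: 203.0.113.5 stands in for the AT&T endpoint,
# 198.51.100.7 for the Balance's public WAN IP. Here UDP 4500 never makes it out.
LAN_CAPTURE = """
192.168.50.132 203.0.113.5 udp 123
192.168.50.132 203.0.113.5 udp 500
192.168.50.132 203.0.113.5 udp 4500
192.168.50.132 203.0.113.5 tcp 443
192.168.50.10 192.0.2.80 tcp 80
"""
WAN_CAPTURE = """
198.51.100.7 203.0.113.5 udp 123
198.51.100.7 203.0.113.5 udp 500
198.51.100.7 203.0.113.5 tcp 443
198.51.100.7 192.0.2.80 tcp 80
"""

if __name__ == "__main__":
    lan, wan = parse_capture(LAN_CAPTURE), parse_capture(WAN_CAPTURE)
    print("dropped:", find_dropped_flows(lan, wan))
    print("expected ports never seen on WAN:", missing_expected_ports(wan))
```

A flow listed as dropped points at the Balance (firewall rule, passthrough or port conflict) rather than at AT&T; a flow seen on both sides but with no reply points upstream.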