Issues with IP Whitelisting and AT&T Hotspot Tethering

Asked By CuriousMind42 On

Hey everyone! I'm running into some confusion with our SonicWall setup, which currently only allows whitelisted public IP addresses due to some issues we've been facing. We have an intake form where users input their public IP, which they can find on various websites. This works well at home or in hotels, but I'm experiencing problems when users are connecting through AT&T Hotspot on both Android and iOS devices.

When a user tethers their laptop to the phone, the IP addresses seem to differ. The laptop shows an IP of x.y.209.6 while the phone gets x.y.209.39. But when the connection tries to reach our firewall, it shows yet another IP, x.y.212.2, which I caught while monitoring blocked packets. I suspect this has something to do with NAT, but I'm uncertain why it doesn't show the public IP on websites but does appear when trying to connect via SSLVPN. Is there a simple way for users to get this IP information through a script or something, instead of me having to check the firewall for each tethering attempt?

2 Answers

Answered By NATExpert99 On

It sounds like you're dealing with CGNAT (Carrier-Grade NAT), which is common with mobile networks. They assign a range of IPs dynamically based on multiple factors like the user's location and routing. Because these IPs are often recycled, the IP your devices see can change frequently. It’s definitely a tricky setup for IP whitelisting! Letting go of strict IP-based access might be wise in 2025, especially when people use different networks or devices.
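An added example, not part of the answer above or the original post: a Python check that compares an intake-form address with the source addresses the firewall logged for the same user, and flags the CGNAT pattern described in the question. The function names, the `/16` pool size (modelled on the shared first two octets in the question) and the sample addresses are assumptions made for this illustration.

```python
import ipaddress

# Ranges a firewall on the internet will never see as a source address.
NON_ROUTABLE = {
    "rfc1918-private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "rfc6598-cgnat-shared": ["100.64.0.0/10"],
    "link-local": ["169.254.0.0/16"],
    "loopback": ["127.0.0.0/8"],
}

def classify(addr):
    """Return the non-routable range that holds addr, or 'public'."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_ROUTABLE.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"

def review_submission(submitted, observed_sources, pool_prefix=16):
    """Compare a form-submitted IPv4 address with firewall-observed sources.

    pool_prefix is an assumed width for 'same carrier pool'; it is a hint
    for the reviewer, not a range to allow-list.
    """
    kind = classify(submitted)
    if kind != "public":
        # The user copied an address from the tethering side of the NAT.
        return f"reject: {kind}"
    sub = ipaddress.ip_address(submitted)
    seen = [ipaddress.ip_address(s) for s in observed_sources]
    if sub in seen:
        return "match"
    pool = ipaddress.ip_network(f"{submitted}/{pool_prefix}", strict=False)
    if any(s in pool for s in seen):
        # Same block, different egress address: consistent with CGNAT
        # mapping flows from one subscriber to different pool addresses.
        return "mismatch: same pool, likely CGNAT"
    return "mismatch: unrelated"

if __name__ == "__main__":
    # Constructed sample: form value vs. blocked-packet sources (doc ranges).
    print(review_submission("203.0.113.6", ["203.0.113.212"]))
    print(review_submission("192.168.43.10", ["203.0.113.212"]))
```

A "same pool" result means a "what is my IP" lookup run on the user's laptop cannot be relied on to report the address the firewall will see for the VPN connection.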

Answered By SecureAdmin777 On

I hear you! IP whitelisting isn’t the best approach because CGNAT throws a wrench into that plan. You're right to be cautious with remote access via VPN when it relies on a fixed IP. Just make sure you have multi-factor authentication (MFA) enabled for added security, regardless of the VPN configuration. It's a pain, but it's worth it to protect your network!

CuriousMind42 -

Absolutely! I’m doing my best to keep it secure under tight budget constraints. Any suggestions on better solutions while managing 300 users?
