Hello,

I’m currently testing the use of RUT240s as gateways for remote support of our machines at our customers’ sites.

I’m using a SIM card from WhereverSIM. The provider has a portal for managing the various SIM cards. I can create an endpoint for each SIM and assign an IP. This IP is then bridged automatically to the public IP which the provider assigns to the mobile WAN interface of the RUT240. I do not know exactly how that works, but it does so automatically. In any case, this works so far and I can ping the IP of the endpoint, as long as the RUT240 is logged into the mobile network.

So far, so good.

But now I have the problem that I am not getting anywhere with the routing functions on the RUT240.

My scenario looks like this: I really want to use the LAN of the RUT240 with the DHCP server (so it does not matter which devices I connect, because I do not always know that in advance).

However, I need a transparent bridged connection between the IP of the endpoint (see above) and the whole subnet in which the RUT assigns IPs via DHCP on the LAN side. I really need it fully transparent: all ports, in both directions.

Usual bridge mode or passthrough does not help, since I do not have a single (and fixed) device connected to the RUT.

How can I achieve correct routing?

Greetings & thanks in advance,

Christian

2 Answers

by
Hi

If I understand you correctly, you want to connect to a number of devices on the LAN, from the WAN, using just a single WAN IP address? To do that, you would need to use Inbound Port Address Translation; somehow make the router act as a "reverse telnet" server (although it might not be telnet). You would need to say:

   xxx.xxx.xxx.xxx:5001 -> Client #1

   xxx.xxx.xxx.xxx:5002 -> Client #2

   etc

I don't know if that can be done on the RUT (I'm new to them myself), but your other challenge is that you'd have to know the client's address; otherwise, if you have a /24 LAN with 253 possible clients, you would need to map 253 TCP ports, but you'd never know which client you would connect to, given a particular port.

Perhaps if you reserve IPs to specified MAC addresses on the DHCP server you could map the public port to the known inside device?

Ideally, for inbound connections, you'd have a 1:1 IP mapping, but you must know the inside address of the device you're interested in otherwise it's a bit random.

Kev
by

Hi Kev,

thank you for your answer.

To clarify things: my colleagues have special software installed on their laptops (in particular our software development system). We build machines that are programmed by our software engineers. Every machine always has a real-time PC for control, and sometimes there are also other devices which can be configured via Ethernet. For programming or remote support we would need to connect the laptop to the network inside the machine (as said, at least one PC; it can have a fixed IP but can also receive its IP by DHCP). The problem is: our machines are spread all over Europe and some customers can’t provide a VPN connection. I need a fully transparent connection to the different IPs (with all ports routed, not only access to a web interface or something). We would like to replace our old Sophos system that we use for the VPN connection with a new one using the RUT240 and the Wherever SIM mobile connections.

I don’t want to use this single IP which is routed by the provider; I need to connect directly to the IPs in the LAN of the RUT.

I think an example would be good:

  • The real-time PC in one of our machines is connected to the LAN of the RUT240 and has the local IP 10.0.24.100 (only as an example).
  • The RUT240 is connected to the internet via LTE and our provider (Wherever SIM) has assigned the IP 100.112.168.2 to this endpoint.
  • I can connect one of the developers’ laptops to the Wherever SIM portal via OpenVPN. There I get an IP from the portal, e.g. 10.80.125.221. In any case, a totally different IP range.
  • But when I’m connected I can ping the IP 100.112.168.2. This is routed by the provider automatically; I don’t know exactly how. But after establishing the VPN connection I can ping it (and when I disconnect the RUT240 the ping stops, so it should work).
  • But I do not need to connect to 100.112.168.2. Instead I need to connect to 10.0.24.100 (the real-time PC). This must be done inside the RUT240 with a special routing set-up. My problem is that I don’t know how to do this.

Regards,

Christian

by anonymous

Hi Christian

In that case, the VPN should work for you. As I say, I'm new to the RUT (I don't even own one yet!) but from a networking point of view, you will need:

  1. The PC 10.0.24.100 should have a default gateway of the RUT. Or, if its default gateway is somewhere else, that device (switch / router) should have a route to 10.80.125.0/24 (i.e. the VPN client subnet) via the RUT.
  2. Consider this: if the PC's default gateway is not the RUT and the firewall on the RUT is stateful, that may break the traffic flow, because you would have VPN - RUT - PC - router - RUT, and the RUT may reject that. In that case you may need a specific static persistent route on each internal PC, but this is only if the LAN routing is not simple.
  3. The Local Encryption Domain of the VPN should be 10.0.24.0/24.
  4. It will be better if NAT is disabled on the VPN; you want to see the real IP addresses coming out of the tunnel.
  5. The firewall on the RUT must have rules which say:
     • permit all IP from 10.0.24.0/24 to 10.80.125.0/24
     • permit all IP from 10.80.125.0/24 to 10.0.24.0/24
     You may have to specifically allow ICMP echo-request and echo-reply packets across the VPN if you want to ping; ICMP is a funny protocol which isn't quite IP... Some routers will include it if you allow all IP, but some will only include TCP and UDP.
I hope that helps guide you. Sorry I can't be more specific, but I'm only just starting my journey with this product myself :)
Regards
Kev
by
Hi Christian

Did you get this working in the end? I am having the same issue with an RUT950. It's almost as if the RUT's firewall is blocking all traffic between LTE and LAN.

LAN-side works fine by itself, and I can tunnel (OpenVPN) to the RUT device just fine. I now need to connect to the LAN remotely but no joy. Firewall is wide open.