0 votes
1,205 views 1 comments
by anonymous

Hello Everyone,

I'm trying to set up an OpenVPN connection between a RUT240 and a router, in this case a pfSense.

The connection is fine; I can reach the remote network from the RUT and from the computer connected to the RUT:

Computer 192.168.10.20 -> RUT 192.168.10.1 -> OpenVPN tunnel 192.168.93.0 -> pfSense 192.168.2.1 -> Computers in the network

Working fine :)

The problem is that I need to be able to reach the computer 192.168.10.20 from the pfSense and from the other computers in 192.168.2.0/24, and obviously the computer can't get a 192.168.93.x address as that is the tunnel network. So I need to be able to reach any 192.168.10.x address from 192.168.2.x.

And for a reason I don't get, it doesn't work.

The RUT obtains the address 192.168.93.2 from OpenVPN, which is set up with the 192.168.93.0 network.

So I've created a temporary route on the pfSense:

route add -net 192.168.10.0/24 192.168.93.2

So 192.168.10.0/24 is supposedly routed to the OpenVPN gateway and the IP of the RUT.

Here is the route table of the pfSense

The routing table on the RUT

I also tried another route: route add -net 192.168.10.0/24 -iface ovpns2

But it didn't work either.

Status:

Ping from 192.168.2.1 to 192.168.93.2 OK

Ping from 192.168.2.1 to 192.168.10.1 Nope

Ping from 192.168.2.1 to 192.168.10.x (devices) Nope

Not sure if it is a routing issue or a firewall issue?

I tried a few things on the firewall, but it didn't work, so the config is the default one provided with the device.

I found this post https://community.teltonika-networks.com/12603/openvpn-firewall and my tunnel is named this way:

firewall.@zone[2].device='tun_+'

I tried to rename it and restart, and it looks like even without the name update there are a few warnings:

root@device:~# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[1] (wan) cannot resolve device of network 'tun'
Warning: Section @zone[2] (vpn) cannot resolve device of network 'vpn'
Warning: Section 'l2tp_zone' cannot resolve device of network 'l2tp'
Warning: Section 'pptp_zone' cannot resolve device of network 'pptp'
Warning: Section 'gre_zone' cannot resolve device of network 'gre'
Warning: Option @rule[16]._name is unknown
Warning: Option @rule[17]._name is unknown
Warning: Option @rule[18]._name is unknown
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv4 raw table
 * Flushing IPv6 filter table
 * Flushing IPv6 nat table
 * Flushing IPv6 mangle table
 * Flushing IPv6 raw table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'l2tp'
   * Zone 'pptp'
   * Zone 'gre'
   * Zone 'hotspot'
   * Zone 'sstp'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-vpn-traffic'
   * Forward 'l2tp' -> 'lan'
   * Forward 'pptp' -> 'lan'
   * Forward 'gre' -> 'lan'
   * Forward 'hotspot' -> 'wan'
   * Forward 'vpn' -> 'lan'
   * Forward 'vpn' -> 'wan'
   * Forward 'wan' -> 'lan'
   * Forward 'wan' -> 'vpn'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'l2tp'
   * Zone 'pptp'
   * Zone 'gre'
   * Zone 'hotspot'
   * Zone 'sstp'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'l2tp'
   * Zone 'pptp'
   * Zone 'gre'
   * Zone 'hotspot'
   * Zone 'sstp'
 * Populating IPv4 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'l2tp'
   * Zone 'pptp'
   * Zone 'gre'
   * Zone 'hotspot'
   * Zone 'sstp'
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'l2tp'
   * Zone 'pptp'
   * Zone 'gre'
   * Zone 'hotspot'
   * Zone 'sstp'
   * Rule 'Allow-vpn-traffic'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Forward 'l2tp' -> 'lan'
   * Forward 'pptp' -> 'lan'
   * Forward 'gre' -> 'lan'
   * Forward 'hotspot' -> 'wan'
   * Forward 'vpn' -> 'lan'
   * Forward 'vpn' -> 'wan'
   * Forward 'wan' -> 'lan'
   * Forward 'wan' -> 'vpn'
 * Populating IPv6 nat table
   * Zone 'lan'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
   * Zone 'wan'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
   * Zone 'vpn'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_vpn_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_vpn_rule'
   * Zone 'l2tp'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_l2tp_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_l2tp_rule'
   * Zone 'pptp'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_pptp_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_pptp_rule'
   * Zone 'gre'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_gre_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_gre_rule'
   * Zone 'hotspot'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_hotspot_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_hotspot_rule'
   * Zone 'sstp'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_sstp_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_sstp_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'l2tp'
   * Zone 'pptp'
   * Zone 'gre'
   * Zone 'hotspot'
   * Zone 'sstp'
 * Populating IPv6 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'l2tp'
   * Zone 'pptp'
   * Zone 'gre'
   * Zone 'hotspot'
   * Zone 'sstp'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/tmp/privoxy/firewall'
   ! Skipping due to path error: No such file or directory
 * Running script '/etc/logtrigger/fwblock_wrapper.sh'
 * Running script '/etc/add-firewall-rule.sh'
 * Running script '/etc/add-rs-rule.sh'
 * Running script '/etc/add-port-rule.sh'
iptables: No chain/target/match by that name.
iptables v1.4.21: Couldn't load target `zone_port_scan':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_port_scan':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
   ! Failed with exit code 1
 * Running script '/tmp/ipsec/firewall.sh'
   ! Skipping due to path error: No such file or directory

Any idea?

Best regards
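Added example, not from the thread: a small Python model of the OpenVPN server's internal client table, built on the assumption (suggested by the symptoms but not confirmed in the thread) that the pfSense server has no iroute for the 192.168.10.0/24 network behind the RUT client. The kernel route from the question only hands packets to the tun device; in server mode OpenVPN must still map each destination to a connected client, otherwise the packet is dropped before it reaches the RUT. Client names and the lookup function are hypothetical.

```python
import ipaddress

# Constructed from the thread: pfSense is the OpenVPN server (ovpns2, 192.168.93.1),
# the RUT240 is the client that received 192.168.93.2 and has 192.168.10.0/24 behind it.
TUNNEL_NET = ipaddress.ip_network("192.168.93.0/24")


class Client:
    """One connected OpenVPN client as the server's internal routing sees it."""

    def __init__(self, name, tunnel_ip, iroutes=()):
        self.name = name
        self.tunnel_ip = ipaddress.ip_address(tunnel_ip)
        # Subnets learned from 'iroute' lines for this client (hypothetical model).
        self.iroutes = [ipaddress.ip_network(n) for n in iroutes]


def server_lookup(dst, clients):
    """Simplified model of the OpenVPN server's internal table: a packet the kernel
    hands to the tun device is delivered only to the client that owns the
    destination, either as its tunnel address or through an iroute. The kernel
    route (route add -net 192.168.10.0/24 192.168.93.2) does not tell OpenVPN
    which client should receive the packet."""
    dst = ipaddress.ip_address(dst)
    for c in clients:
        if dst == c.tunnel_ip or any(dst in n for n in c.iroutes):
            return c.name
    return None  # dropped inside OpenVPN, not by the kernel route or the firewall


def reachability(clients, targets):
    """Map each target address to the client that would receive it, or None."""
    return {t: server_lookup(t, clients) for t in targets}


# The three pings from the question's status list.
TARGETS = ["192.168.93.2", "192.168.10.1", "192.168.10.20"]

# Before: only the kernel route exists on pfSense, no iroute for the RUT.
before = reachability([Client("rut240", "192.168.93.2")], TARGETS)
# After: the server config carries 'route 192.168.10.0 255.255.255.0' and the
# RUT's client-specific entry carries 'iroute 192.168.10.0 255.255.255.0'.
after = reachability([Client("rut240", "192.168.93.2", ["192.168.10.0/24"])], TARGETS)

if __name__ == "__main__":
    for t in TARGETS:
        print(f"{t:15} before={before[t]} after={after[t]}")
```

The "before" result reproduces the status list in the question (93.2 reachable, 10.1 and 10.20 not); on pfSense the route/iroute pair is set through the server's IPv4 Remote Network(s) field plus a Client Specific Override for the RUT's certificate common name.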

1 Answer

0 votes
by anonymous

Hello,

Could you also paste the output of the ifconfig command for both the Teltonika and pfSense devices?

Also, you can disable the firewall temporarily on the RUT device by executing the command /etc/init.d/firewall stop. This way you can check if it is a firewall issue.

Also, please enable tcpdump logging in the RUT240 (System > Administration > Troubleshoot > Enable TCP dump > Save), start a ping from pfSense to 192.168.10.20, let it run for a few minutes, download the TCP dump file and send it to me via private message.

Best Regards

by anonymous

Hello, thanks for your help :)

ifconfig @ Teltonika

br-lan    Link encap:Ethernet  HWaddr 00:1E:42:24:A8:86  
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:42ff:fe24:a886/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6804 errors:0 dropped:5 overruns:0 frame:0
          TX packets:7410 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:946515 (924.3 KiB)  TX bytes:7254875 (6.9 MiB)

eth0      Link encap:Ethernet  HWaddr 00:1E:42:24:A8:86  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:5 

eth1      Link encap:Ethernet  HWaddr 00:1E:42:24:A8:87  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:4 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:44 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2891 (2.8 KiB)  TX bytes:2891 (2.8 KiB)

tun_c_SeloraSRV Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.93.2  P-t-P:192.168.93.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:7224 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6496 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:7132618 (6.8 MiB)  TX bytes:907127 (885.8 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:1E:42:24:A8:88  
          inet6 addr: fe80::21e:42ff:fe24:a888/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6802 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7467 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1041731 (1017.3 KiB)  TX bytes:7436413 (7.0 MiB)

wwan0     Link encap:Ethernet  HWaddr 82:0D:1E:34:45:96  
          inet addr:10.133.64.239  Bcast:10.133.64.255  Mask:255.255.255.224
          inet6 addr: fe80::800d:1eff:fe34:4596/64 Scope:Link
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:7392 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6687 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:7530699 (7.1 MiB)  TX bytes:1260431 (1.2 MiB)

ifconfig @ pfSense

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 00:08:a2:0d:7a:bf
	hwaddr 00:08:a2:0d:7a:bf
	inet6 fe80::208:a2ff:fe0d:7abf%igb0 prefixlen 64 scopeid 0x1 
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 00:08:a2:0d:7a:c0
	hwaddr 00:08:a2:0d:7a:c0
	inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255 
	inet6 fe80::1:1%igb1 prefixlen 64 scopeid 0x2 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
enc0: flags=0<> metric 0 mtu 1536
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: enc 
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo 
pflog0: flags=100<PROMISC> metric 0 mtu 33160
	groups: pflog 
pfsync0: flags=0<> metric 0 mtu 1500
	groups: pfsync 
	syncpeer: 224.0.0.240 maxupd: 128 defer: on
	syncok: 1
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
	inet6 fe80::208:a2ff:fe0d:7ac0%pppoe0 prefixlen 64 scopeid 0x7 
	inet 212.147.6.241 --> 212.147.11.52 netmask 0xffffffff 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet6 fe80::208:a2ff:fe0d:7abf%ovpns2 prefixlen 64 scopeid 0x8 
	inet 192.168.93.1 --> 192.168.93.2 netmask 0xffffff00 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: tun openvpn 
	Opened by PID 88094

I've stopped the firewall service but I wasn't able to make a ping, because it took down the Internet and so the VPN connection. I had to start it again to be able to access the Internet + VPN.

I sent you the TCP dump. The ping was done first to 10.20 and then to 10.1 with the following route on the pfSense:

Best regards