5243 questions

6398 answers

10283 comments

6368 members

0 votes
146 views 10 comments
by
Hello,

My current use of RU950 is to be a Cellular access router.
It connects to an APN an gets internet access.
Then it connects by L2TP to our Bras and receives a public ip.
Default route is via the L2TP.

The LAN devices are connected via RJ45 ports.
I do port forwarding from L2TP to LAN, and NAT from LAN to L2TP.

So far so good.

I'd like to add a RJ45 connection through the WAN port.
I'd like to do a policy based route, if possible, from a specific host on LAN to the public WAN ip and NAT it inside to outside.
The rest of the older functionality should remain unchanged.

I am having a difficulty with this setup.
First of all, I'm unsure how to do a policy based route.
Secondly, the default route from L2TP should not be disturbed.
Thirdly, the wired wan port is blocked up until I mark it as my backup port.
I did that, port went up, I lots L2TP access..cancelled it, access was not restored.
In the end I resolved it by doing a factory reset and reconfiguring it.

In case policy based route is not possible, perhaps it can be replaced by a static route to the wired WAN IP (I may know the destination ip).

Thank you,
Yevgeny
by
.........................................
by
...........................

1 Answer

0 votes
by
Hello,

So what you want is when the request from LAN is requesting within the range of IP address of the L2TP it will go to the  L2TP Network.
Let say the L2TP network is 172.16.1.X and the LAN IP is 192.168.10.X

So when 192.168.10.X network do some request to 172.16.1.X it will not go to the Wired WAN network.
Then the rest will be going to Wired network?

It is best to share a picture or network topology of the said solution you are trying to implement.

Also this may help you: https://wiki.teltonika-networks.com/view/RUT950_Firewall#Traffic_Rules

Thank you and have a nice day!

Regards,
Jerome
by
Hi Jerome,

Thank you for your answer.
Lets say the Wired WAN interface ip is 51.56.133.1

The L2TP Gateway ip is 45.199.104.8
The 0.0.0.0/0 goes to 45.199.104.8

The LAN IP with the special case is 192.168.10.6

What I'd like to do is to force LAN host 192.168.10.6 go through 51.56.133.1 (and be natted to it) which is the wired WAN for all destinations (if possible), while keeping the current L2TP functionality working.

I use L2TP IP of RUT950 in order to have a public ip for OOB access (from WAN to LAN).
I would like to use the wired wan port in the described way (from LAN to WAN for the specific host only) because I expect this particular usage to be bw demanding and dont need an internet access to it if the wired wan port is down and therefore, I dont need it to be routed via the L2TP which is based in my case on cellular network).

Yevgeny
by

Hello, 

Could you test this :) 

1. Wan Config must be set to Load Balancing Mode where Main WAN as mobile and Secondary is Wired.

2. Load balancing Config will 3 for Mobile and 2 for Wired. 

3. Create these Traffic Rule rules. 
You can create these traffic rules by navigating to Network > Firewall > Traffic Rule > New Rule 
I used 10.10.1.0/24 network in my test for the said Traffic rule where my PC IP is 10.10.1.133 

Blocking 10.10.1.0 accessing WAN:

Allow Traffic 10.10.1.133 to access WAN 



Allow L2TP access to 10.10.1.0/24 


If you want to block 10.10.1.133 from accessing L2TP network you can create a new rule where source zone is LAN and Source IP: 10.10.1.133, the Destination zone is L2TP and action is reject.

You can play with the said traffic rules 



For a clearer images:

https://prnt.sc/vhr9h1 -> WAN Config
https://prnt.sc/vhr9yq -> Load Balancing 
https://prnt.sc/vhrbbm -> Blocking 10.10.1.0/24 network accessing WAN
https://prnt.sc/vhrbw9 -> Allow Traffic 10.10.1.133 to WAN
https://prnt.sc/vhrc8l -> Allow L2TP

Hope it helps. 

Regards,
Jerome

by
HI Jerome,

Thank you very much. I'll test it and revert.
Regarding routing, I understand that the Load-Balance method will provide available default routes to Wired-WAN or Mobile to be valid, and the traffic rules will determine the LAN sources which would be able to use them.

Yevgeny
by
The purpose why i used load balancing there is to make the different WAN source be active at the same time :) I haven't been able to fully test it on my side because for some firewall issue on the main network port is not open for L2TP so I cannot recreate the full scenario on my side. But i will suggest to test it on your side and if it is not working lemme know :)

Happy to help

Regards,
Jerome
by

Hi Jerome,

I decided to test it right away.

I did all the Firewall rules, then enabled Load-balance as you wrote.

I have noticed that my latency to the L2TP public ip which the RUT950 receives went lower. I'm pinging it from my pc over the internt. I conclude that the route from Teltonika to my pc over the internet took the wired-wan path.

Then I decided to check what happens if I shutdown the WAN port from my switch side - ping to the L2TP public ip of RUT950 dropped completely.

I assume that because RUT950 didnt recognize that the route went down to the wired-wan.
When I disabled load-balancing with Wired-wan, ping returned.
If Wired-WAN is down, wan2 line is absent.

Network Target IP gateway Metric
l2tp-Bras 0.0.0.0/0 X.X.104.8 0
wan2 0.0.0.0/0 X.X.133.1 10
ppp 10.88.222.136/30 0.0.0.0 0
ppp 10.88.222.137 0.0.0.0 0
lan 10.129.16.0/28 0.0.0.0 0
ppp X.X.104.8 10.88.222.137 0
l2tp-Bras X.X.104.8 0.0.0.0 0
wan2 X.X133.0/29 0.0.0.0 10


Yevgeny

by

Hello,

I have noticed that my latency to the L2TP public ip which the RUT950 receives went lower. I'm pinging it from my pc over the internet. I conclude that the route from Teltonika to my pc over the internet took the wired-wan path. 

The rule implies on the lan network of RUT950 not the network you of your PC. If it doesn't work you can play with static routes and metrics. 

Regards,
Jerome
 

by
HI Jerome,

What is strange that the 0.0.0.0/0 via the wired-wan has less attractive metric of 10, as opposed to metric 0 for the Bras default route.
I assume that the route to L2TP server shifts to be routed from Mobile to WAN2.
Though per the shared routing table, the route to L2TP server x.x.104.8 goes via the Mobile GW.

I'm also unsure why my route doesnt failover to Mobile once I deliberately fail wan2 route. It doesnt have a failover mechanism?

Yevgeny
by
Following your remark, I've added a route to my PC to Bras server IP X.X.104.8 and enabled LB.
Now my PC is routed via Mobile for OOB and the specific LAN host will take the preferred default route via WAN2.
I dont know why the default route via WAN2 is preferred but it works out for me in this scenario :)