Question

Hello,

My RUTX11 is connected to LTE network for internet access and it is also connected to my firewall wan as an optional interface. That works fine giving the secondary wan interface for my firewall, but only for outgoing connections.

I need to have a static public IP at the end of RUTX11 (on my firewall's optional wan to be exactly)

Unfortunately, LTE network gives access to the internet through shared public IP address.

In order to have a static public IP address, I have an additional L2TP service from another ISP provider. This is a point-to-point connection that can be made over the internet. When connected the static public IP is received on this interface.

The idea is to establish L2TP connection from RUTX11 via a mobile LTE in order to get static Public IP assigned. Then I need somehow to bridge/passthrough the IP of this L2TP connection to my firewall's optional wan interface (connection excluding RUTX11 NAT).

Actually, I can successfully connect to L2TP with L2TP client over mobile LTE network, but I can't figure out how to bridge/passthrough the IP of this "interface" to the lan port that is connected to dedicated optional wan for my firewall.

Obviously, I want to avoid NAT and to have this IP transparently assigned to wan in order to allow my firewall to see the source IPs for filtration incoming connections and to have SNAT rules in place for outgoing connections.

I have RUTX11 running on the latest RUTX_R_00.02.06.1 firmware.

Thank you!

Comments

Did you make any progress with this?

Fully understand what you are trying to achieve and looking for  a similar solution to your original question

---

I'm here to let you know that I have managed to deploy the configuration as early mentioned and it works perfectly fine!

The L2TP service from another ISP provider provides me with a block of static IPs 85.X.X.177/29

Here is what I did:

1. I have created a vlan with ethernet port connected to the firewall's wan.
2. Created a new lan interface based on a new vlan with assigned first available IP 85.X.X.177 of the additional block IP 81.X.X.177/29 and bridged with l2tp connection
3. IP 85.X.X.178 is allocated to the firewall's wan port.

Also, I configured the corresponding firewall rules on RUTX11 to make l2tp connection behind firewall (in the wan zone) and allowing the traffic of block IP 85.X.X.177/29 to be forwarded to a new lan interface.

As the result, all incoming packets coming to 85.X.X.177/29 hits this new lan and are available on firewall's WAN port IP 85.X.X.178

Cheers! I hope it helps

---

Hey Andrey,

Many thanks for your swift reply and good news you successfully achieved this configuration.

Any chance you provide a couple of screen shots of steps 1 and 2 as it's not immediately clear to me what you've done.

Like you I have a /29 IPv4 block allocated and the ability to create an Ethernet VLAN on my primary router Astaro UTM

Answer 1

Hello, 

Regarding this issue of yours could you try playing with Traffic Rules or with Zone forwarding. 

These links may help you: 
RUTX11 Firewall - Teltonika Networks Wiki (teltonika-networks.com)
RUTX11 Firewall - Teltonika Networks Wiki (teltonika-networks.com)

From that link you can allow or reject the incoming request from the L2TP side.

Also if this doesn't solve your problem I would like you to draw/sketch your network topology and what are you trying to achieve for me to have a better picture and to be able to help you more efficiently.  

Thank you and have a nice day!

Regards,
Mellow
 

Comments

Hi Mellow,

thank you for the information above. Unfortunatly, I can't understand how can I use Traffic Rules or with Zone forwarding to achive my desirable configuration. It seems to me this is to be applied for firewall purpose only.

I'm not the best in drawing therefore I'll try to explain once more as simple as possible.

Current topology is:

• UTM(firewall) WAN(192.168.5.2) <-> LAN1(192.168.5.1) RUTX11 [Mobile LTE]
• RUTX11 is connected to internet via [Mobile LTE (10.x.x.x internal network)] -> shared external public IP X.X.X.X (dynamic)
• L2tp client of RUTX11 is connected to LNS over [Mobile LTE] -> personal external public IP Y.Y.Y.Y (static)

I need to tranfer L2tp IP Y.Y.Y.Y (static) to UTM WAN like a bridge or IP passthrough.

Finally I need to have UTM(firewall) WAN(Y.Y.Y.Y)

---

Hello,

I would like to have a clear understanding so you're main goal of connecting the RUTX11 as an L2TP client for the purpose that RUTX11 will get a WAN IP that is static correct? And I would like to clarify if the L2TP tunnel is established the RUTX11 will have a Static  WAN IP address (SIM Card) that you want to assign to the firewall right?

Kindly clarify me with this.

Regards,
Mellow

---

Hi Mellow,

Thank you for having an interest in this issue. I hope this is not the issue at all andit is just the lack of knowledge you may help me to overcome.

The goal is to have ethernet frames/IP packets from/to L2TP IP interface to come in/out on UTM(firewall) WAN interface.

I assume to have something similar to Bridge/IP passthrough feature that is available for Movile LTE interface itself, where that interface is possible to passthrough to dedicated MAC of UTM(firewall) WAN interface.  I'm open to other solutions too.

I would like to have a clear understanding so you're main goal of connecting the RUTX11 as an L2TP client for the purpose that RUTX11 will get a WAN IP that is static correct? 

Correct.

And I would like to clarify if the L2TP tunnel is established the RUTX11 will have a Static  WAN IP address (SIM Card) that you want to assign to the firewall right?

Correct. L2TP tunnel goes over the SIM Card connection and it gives Static public IP. That would be ideal to assign this Statis public IP to UTM firewall.

Thank you!

---

Hello, 

Hmm.. To be honest I am not sure if this will work I would like you to configure this setting. 

1. Try configure the RUTX11 first to connect to your L2TP server so that the Mobile Interface will have the L2TP WAN IP Address (Sim card) 
2. Next is configure the RUTX11 in Network > Interfaces > Mob1S1A1 (If sim 1 is used) MOB2S1A1 (if sim 2 is used). 
Configure it to be Passthrough mode instead of Bridge mode so that the router will be still having network connectivity and retain its functionalities. 

You may refer to this screenshot as reference: https://prnt.sc/10u9bnp

For more information about this one you can refer to this link: RUTX11 WAN - Teltonika Networks Wiki (teltonika-networks.com)

If you're firewall is supporting L2TP VPN you could also test using Bridge mode. So that the SIM Card IP address will be directly assigned to the firewall itself and RUTX11 will be working as transparent mode (Invisible in your network topology).

I hope it helps

Regards,
Mellow

---

Hi Melow,

I will try as you advised probably tomorrow. But I can see the potential problem here. If my memory serves me I was trying this before posting here.

I'm not sure if L2tp client of RUTX11 assigns WAN IP address to Mobile Interface. L2tp just makes the point-to-point connection, doesn't it? It seems to me L2tp client was able to connect only when Network > Interfaces > Mob1S1A1 was configure in NAT mode. This is how L2tp was able to reach and connect to LNS endpoint, to establish tunnel and to get Static public IP on this, let's say, L2tp interface.

When Network > Interfaces > Mob1S1A1 was set in Passthrough mode then an internal IP 10.x.x.x of Mobile Interface has been assigned to the firewall. In the same time, L2tp connection were running independently on RUTX11.

Your idea should work in case there is ppp over Mobile Interface to be available. This is how l2tp can run within Mobile Interface. As far as I know, it is not implemented in RUT and this makes me sad: 1, 2.

This is why the idea for know to find out how to passthrough the l2tp connection itself? The other idea is if that is possible to make an new interface dedicated to l2tp connection and passthrough this new interface?

My firewall support L2tp VPN and I was relying on this idea. Unfortunately, this doesn't work as it's intended to work. I have raised the support ticket with the vendor and the investigation is going for more than a month already. This is why I seeking for some workaround.

Kind regards,

Andrey

---

Hello Andrey,

Before i was verifying if when the L2TP interface is established the Sim card was getting the public ip address that's why I referred you to use Passthrough mode but it seems it would be not possible. If I am correct you want to avoid RUTX11 NAT functionality because you're firewall cannot identify where the packet came from when it is forwarded by RUTX11 right? Kindly clarify things with me so that I will be able to forward this to our RnD team.

A network sketch would be great with matching sample IP addresses.

Also can we communicate via PM.

Regards,
Mellow

---

Hi Mellow,

yes, I know what you were trying to verify that aspect and this actually confused me. I don't know how technically is possible to establish L2tp from within Sim card, but this is great if that is possible. This is why I have clarified my actual setup is using RUT11's L2tp client.

You are absolutely right to the point why I'm trying to avoid RUTX11 NAT. I want my firewall to identify where the packets came from. Also, the packet coming from behind the firewall has to go with SNAT rule and dedicated Statis public IP applied as the source.

The network sketch actually will contain just two network devices UTM [WAN port] <-> RUTX11 [LAN port]. The samples of IP really depend on the solution you would advise and it is flexible.

What I need is to use RUTX11 as a gateway where the WAN connection is established by L2tp connection (ISP2) over LTE Mobile (ISP1). The ideal is to have this IP assigned to UTM [WAN port]. The connection where the traffic is routed to UTM is acceptable if the packets come recognised by the source IP.

I'm happy to communicate via PM. I'm just not sure how to do it.

KR,

Andrey