0 votes
481 views 2 comments
by

Hi

I want to be able to access the whole private IP range of each RUT950 (192.168.2.0) through the ZeroTier VPN network. For this I made routing rules in ZeroTier.

Managed Routes

192.168.11.0/24 via 10.147.20.61

192.168.12.0/24 via 10.147.20.104

192.168.13.0/24 via 10.147.20.56

Example: I want to access my 192.168.2.4 equipment from my third router. For that I enter the address 192.168.13.4. So the packets leave in 10.147.20.56, then the router queries the address 192.168.2.4 (locally), then sends the packets through 10.147.20.56 to send them to the final return address 192.168.13.4.

My problem is that the packets are not coming back! I think a route is missing in the router and/or a configuration to do in the RUT950.

What should you do to make it work?

Information N°1: With 192.168.2.0/24 via 10.147.20.56 with a SNAT it works. But with this setup I can only talk to one router. This corresponds to this Wiki (https://wiki.teltonika-networks.com/view/ZeroTier_Configuration), but there is the configuration for the IP class 192.168.1.0 on the PC side and the RUT950 side, which must be the same. But that's not my case here.

Information N°2: A person posted the same subject as me but I do not know what config was made in the RUT950 - https://community.teltonika-networks.com/33066/rut-lan-access-over-zerotier-vpn-cannot-get-onto-lan-of-rut?show=33066#q33066

Below is a diagram representing the equipment and the desired access :

Thank you in advance for your response

Laurent

1 Answer

0 votes
by

Hi,

It doesn't look that complex in the first place.

First of all, you said you don't know where's that configuration the person in "Information 2" talked about. It's in the firewall part of WebUI.

https://wiki.teltonika-networks.com/view/RUT950_Firewall_(legacy_WebUI)

Second thing, as I understood, you want to reach that top computer 192.168.11.3? Or do you want everything to communicate and be able to reach everything?

It seems that some of your routes don't look logical to me. What's behind the 192.168.11.X, 12.X, 13.X subnets? Is there any reason why you are pushing routes there? Also, you're saying you want to access "at", but that leaves me not knowing what exactly you want to access.

The only logical thing I would see here is that you want to access that computer on the top, that let's assume is 192.168.13.4 (or anything) and you want computers behind routers to access it.

In this case, you want to have 192.168.13.0/24 via 10.147.20.X and that's it. Also, does your ZeroTier have a preassigned route for the LAN of itself?

Usually, it's the first line ( 172.25.0.0/16 (LAN) )

But I hope that masquerading will help you with your issues and if not - I would really suggest looking into your routes and logic behind it.

If you look at the screenshot that I've attached, you can even see that for different routes it uses different subnets of the LAN IP.

EB.

by

Hi

Answer to your question: Second thing, as I understood, you want to reach that top computer 192.168.11.3? Or do you want everything to communicate and be able to reach everything? 

I want to have access to the whole IP range (192.168.2.0/24) to have access to all devices. This for each RUT950 router. This access is done via the top computer (in the diagram). I specify that the computers at the bottom (represented on the diagram) are automate. They have two IP ports with different IP classes. The IP class 192.168.2.0/24 is an internal IP class that does not have a gateway. And the internal IP address is enforced and cannot be changed. At the top of the diagram it is a computer.

I present my wish differently: The addresses 192.168.11.X, 12.X, 13.X are routes (configured in ZeroTier) to access each RUT950 individually. For each 192.168.11.X address I want to access the equipment recorded at the RUT950 (replace the X with the last digit of the connected equipment). Example: To access the 192.168.2.3 address of RUT950 N°1, it is accessed via the route 192.168.11.3. I see that each route exists (192.168.11.X, 12.X, 13.X) on the top computer.

Below is a printout of the routing table. On this side it looks good to me.




Below is a printout of the routing table.
But the route from 192.168.2.0/24 to gateway 10.147.20.56 does not exist in the RUT950.

And for months that is where the problem lies.

I added a new route (see print screen below). But it still doesn't work.


I think the packets from the top computer arrive fine in each RUT950 but on the other hand the RUT950 does not return the packets (in the gateway 10.147.20.56). Here is the configuration of ZeroTier:

Diagram showing the path of a packet (which it would have to do for it to work):

I have two questions : 

1) Can we see the packages arriving in the ZeroTier RUT950? And see the lost packets displayed? I think it will help a lot with the diagnoses.

2) Do you have an idea of the configurations to be made in the RUT950? Route, rule or other?

Thank you in advance for your response

Laurent

by

Hi

I continued my research. I noticed that when I create a route "route add -net 192.168.13.0 netmask 255.255.255.0 gw 192.168.2.1" and a NAT Source I get a packet in the LAN network (so a 192.168.13.0 packet goes through LAN 192.168.2.0) but the packet does not return to the ZeroTier VPN. I did a lot of testing but I don't know how to get this packet back into ZeroTier. Can we do a routing between two networks? I.e. the zto network (ZeroTier) and the br-lan network (Local Network). I do not know how to do this. Can you help me?

Thank you in advance for your response

Laurent
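
A model of the packet path discussed in this thread, added here as an example (it is not from any of the posters and is not router configuration). It walks one request through the managed routes, the 1:1 mapping of 192.168.1X.Y onto 192.168.2.Y, and the reply decision of a LAN device that has no gateway. Assumptions: the top computer's ZeroTier address 10.147.20.10 is constructed, the router LAN address 192.168.2.1 is taken from the `gw` in the last comment, and all function names are hypothetical.

```python
import ipaddress

# Managed routes from the question: mapped subnet -> ZeroTier address of a RUT950.
MANAGED_ROUTES = {
    "192.168.11.0/24": "10.147.20.61",
    "192.168.12.0/24": "10.147.20.104",
    "192.168.13.0/24": "10.147.20.56",
}
REAL_LAN = ipaddress.ip_network("192.168.2.0/24")     # identical behind every RUT950
ROUTER_LAN_IP = ipaddress.ip_address("192.168.2.1")   # assumption: router's br-lan address
PC_ZT_IP = "10.147.20.10"                             # constructed: top computer on ZeroTier


def next_hop(dst):
    """ZeroTier address of the RUT950 that the top computer sends dst to."""
    dst = ipaddress.ip_address(dst)
    for net, via in MANAGED_ROUTES.items():
        if dst in ipaddress.ip_network(net):
            return via
    return None


def map_1to1(dst):
    """Keep the host bits, swap the network: 192.168.13.4 -> 192.168.2.4."""
    dst = ipaddress.ip_address(dst)
    for net in map(ipaddress.ip_network, MANAGED_ROUTES):
        if dst in net:
            host_bits = int(dst) & int(net.hostmask)
            return REAL_LAN.network_address + host_bits
    raise ValueError(f"{dst} is not covered by a managed route")


def device_can_reply(src_seen_by_device):
    """A device without a gateway can only answer sources on its own subnet."""
    return ipaddress.ip_address(src_seen_by_device) in REAL_LAN


def trace(pc_zt_ip, dst, masquerade):
    """Follow one request; return (router, real destination, reply possible)."""
    router = next_hop(dst)
    real_dst = map_1to1(dst)
    # With masquerading on the LAN side the device sees the router as the source.
    src = ROUTER_LAN_IP if masquerade else ipaddress.ip_address(pc_zt_ip)
    return router, str(real_dst), device_can_reply(src)


if __name__ == "__main__":
    for masq in (False, True):
        print("masquerade" if masq else "routing only", trace(PC_ZT_IP, "192.168.13.4", masq))
```
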