+2 votes
419 views 2 comments
by anonymous

When I cold boot an RUT955, packets with destination UDP/51820 are not transmitted from the WAN port. This occurs internally (wg_wg0 hangs) or from the LAN (the client hangs waiting for a response). The WireGuard packets are not in a zone, as only local services on the modem talk to servers on the VPN. LAN clients create their own connection to the VPN.

The RUT955 registers the packets from the router and from the LAN client in the iptables connection tracker, but the upstream router does not see them. I have no idea where they are going.

root@Teltonika-RUT955:~# cat /proc/net/nf_conntrack | grep udp
ipv4     2 udp      17 177 src=192.168.5.251 dst=35.189.5.78 sport=51820 dport=51820 packets=561 bytes=91852 src=35.189.5.78 dst=192.168.5.251 sport=51820 dport=51820 packets=10 bytes=1396 [ASSURED] mark=15872 zone=0 use=2
ipv4     2 udp      17 175 src=192.168.1.113 dst=35.189.5.78 sport=48231 dport=51820 packets=340 bytes=59028 src=35.189.5.78 dst=192.168.5.251 sport=51820 dport=48231 packets=1 bytes=120 [ASSURED] mark=15872 zone=0 use=2

If I stop iptables, the packets start flowing and WireGuard connects.

root@Teltonika-RUT955:~# /etc/init.d/firewall stop
root@Teltonika-RUT955:~# wg
interface: wg_wg0
  public key: NilYEVNErIPshyYk34z73zizkWuR8sLprbVUNDUDfQE=
  private key: (hidden)
  listening port: 51820

peer: 0UzrQ+u8Wjr1234S9coMP1j2ilDa3l599CwHYPKH4s=
  endpoint: 35.189.5.78:51820
  allowed ips: 10.7.0.0/16, 10.11.0.0/16
  latest handshake: 1 second ago
  transfer: 5.46 KiB received, 80.68 KiB sent
  persistent keepalive: every 21 seconds

If I start iptables, everything keeps working.

root@Teltonika-RUT955:~# /etc/init.d/firewall start
root@Teltonika-RUT955:~# wg
interface: wg_wg0
  public key: NilYEVNErIPshyYk34z73zizkWuR8sLprbVUNDUDfQE=
  private key: (hidden)
  listening port: 51820

peer: 0UzrQ+u8Wjr1234S9coMP1j2ilDa3l599CwHYPKH4s=
  endpoint: 35.189.5.78:51820
  allowed ips: 10.7.0.0/16, 10.11.0.0/16
  latest handshake: 1 minute, 12 seconds ago
  transfer: 54.24 KiB received, 192.62 KiB sent
  persistent keepalive: every 21 seconds

If I reboot, the problem comes back, and a restart fixes it.

root@Teltonika-RUT955:~# /etc/init.d/firewall restart

by anonymous

Thanks ZygimantasBliu, I added "/etc/init.d/firewall restart" to /etc/rc.local.
On reboot, the WireGuard packets are forwarded as expected.

2 Answers

+1 vote
by anonymous

Hello,

As a workaround you could add the command /etc/init.d/firewall restart to the /etc/rc.local file to automate the restart of your firewall once the device boots up.

I would also like you to generate two troubleshoot files: one after the device restarts and WireGuard is not working, the other after you restart the firewall.

Best regards,

Žygimantas

by anonymous
We have the same problem with RUT955 and FW 00.07.02.4.

The workaround with the firewall restart in rc.local works - will there be a fix for the problem in a firmware update?
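A more careful form of the rc.local workaround, as an added example that is not code from this thread or from Teltonika. Instead of restarting the firewall unconditionally at every boot, it waits for wg_wg0 to complete a handshake and restarts the firewall only if none arrives within a timeout; when it does restart, it first logs the conntrack fwmark of the stuck UDP/51820 flows so the mark can be compared against `ip rule show` and `iptables-save -t mangle` on the router. The interface name wg_wg0, the port and the /etc/init.d/firewall script come from the thread; the timeouts, the script name wg-fw-check.sh, the logger tag and the third sample conntrack line are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Teltonika.
# Wait for WireGuard to handshake after boot; restart the firewall only if it
# does not, and log the conntrack fwmark of the stuck flows before doing so.
# Assumptions (mine): wg_wg0 and /etc/init.d/firewall as in the thread;
# WAIT_SECS, POLL_SECS, the script name and the logger tag are arbitrary.

WG_IF="${WG_IF:-wg_wg0}"
WG_PORT="${WG_PORT:-51820}"
WAIT_SECS="${WAIT_SECS:-60}"
POLL_SECS="${POLL_SECS:-5}"

# wg_has_handshake TEXT
# TEXT is the output of `wg show $WG_IF latest-handshakes`: one line per peer,
# "<peer-public-key><TAB><unix-timestamp>", where 0 means never.
# Returns 0 when at least one peer has completed a handshake, 1 otherwise.
wg_has_handshake() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $2 + 0 > 0 { ok = 1 } END { if (ok) exit 0; exit 1 }'
}

# conntrack_marks TEXT PORT
# TEXT is the content of /proc/net/nf_conntrack. Prints the fwmark of every UDP
# entry whose original direction has dport=PORT as "<decimal> <hex>", one line
# per distinct mark. The first dport= field on a line is the original direction.
conntrack_marks() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $3 == "udp" {
            dport = ""; mark = ""
            for (i = 1; i <= NF; i++) {
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
                if ($i ~ /^mark=/) mark = substr($i, 6)
            }
            if (dport == port && mark != "" && !(mark in seen)) {
                seen[mark] = 1
                printf "%s 0x%x\n", mark, mark
            }
        }'
}

# wait_for_wg
# Polls the live interface for up to WAIT_SECS. Returns 0 once a handshake is
# seen, 1 on timeout (wg missing or the tunnel never came up).
wait_for_wg() {
    waited=0
    while [ "$waited" -lt "$WAIT_SECS" ]; do
        if wg_has_handshake "$(wg show "$WG_IF" latest-handshakes 2>/dev/null)"; then
            return 0
        fi
        sleep "$POLL_SECS"
        waited=$((waited + POLL_SECS))
    done
    return 1
}

# Constructed sample inputs so the parsers can be exercised off the router.
# The first two conntrack lines are the thread's output; the DNS line and the
# handshake timestamp are made up.
SAMPLE_HS_NONE="$(printf '0UzrQ+u8Wjr1234S9coMP1j2ilDa3l599CwHYPKH4s=\t0')"
SAMPLE_HS_OK="$(printf '0UzrQ+u8Wjr1234S9coMP1j2ilDa3l599CwHYPKH4s=\t1651000000')"
SAMPLE_CT='ipv4     2 udp      17 177 src=192.168.5.251 dst=35.189.5.78 sport=51820 dport=51820 packets=561 bytes=91852 src=35.189.5.78 dst=192.168.5.251 sport=51820 dport=51820 packets=10 bytes=1396 [ASSURED] mark=15872 zone=0 use=2
ipv4     2 udp      17 175 src=192.168.1.113 dst=35.189.5.78 sport=48231 dport=51820 packets=340 bytes=59028 src=35.189.5.78 dst=192.168.5.251 sport=51820 dport=48231 packets=1 bytes=120 [ASSURED] mark=15872 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.113 dst=192.168.1.1 sport=40000 dport=53 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.113 sport=53 dport=40000 packets=1 bytes=120 mark=0 zone=0 use=2'

# Only act when run as the rc.local script itself, not when sourced for testing.
case "$0" in
    */wg-fw-check.sh)
        if wait_for_wg; then
            logger -t wg-fw-check "$WG_IF handshake OK, firewall left alone"
        else
            marks="$(conntrack_marks "$(cat /proc/net/nf_conntrack)" "$WG_PORT" | tr '\n' ' ')"
            logger -t wg-fw-check "$WG_IF no handshake after ${WAIT_SECS}s (conntrack marks: ${marks:-none}); restarting firewall"
            /etc/init.d/firewall restart
        fi
        ;;
esac
```

Save it as /root/wg-fw-check.sh, make it executable, and call it from /etc/rc.local as `/root/wg-fw-check.sh &` before the final `exit 0`, so boot is not delayed by the polling. On the thread's own conntrack output the parser prints `15872 0x3e00`; the thread does not establish which rule set that mark, so the logged value is only the starting point for checking the mangle table and the fwmark-based `ip rule` entries on the affected unit against a working one.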
0 votes
by anonymous
I have the same problem on a RUT240 running RUT2_R_00.07.02.7.

Another RUT240 of mine, with the exact same config, does not have the problem.

Mathieu