0 votes
411 views 13 comments
by anonymous
Hi,

All is working fine with OpenVPN Cloud. I would like a device connected on the LAN to reach a specific IP address (Azure Cloud) on the internet via the mobile WAN. How do I set up such a connection?

Best regards,

Pat

1 Answer

0 votes
by anonymous
Hi,

Based on your comment, it seems like you need to implement a policy-based routing solution. To get this solution to work, you can try one of the following options:

VPN Policy Routing:

https://wiki.teltonika-networks.com/wikibase/index.php?title=OpenVPN_traffic_split&mobileaction=toggle_view_desktop

Advanced static routes:

https://wiki.teltonika-networks.com/view/RUT955_Routing#Advanced_Static_Routes

Also, I will drop a link below from another query on the forum related to this topic:

https://community.teltonika-networks.com/39990/configure-three-different-clients-route-different-devices

Please let me know if this solution helps you with your query. I will keep an eye on your comments.

Regards.
Best answer
by anonymous
Hi,

I have read the information linked in the previous message, but frankly speaking it's not clear to me.

Do you have an example if I would like to reach only one specific address, let's say www.google.com, from my device connected to the LAN of the router?

The router is connected to 4G Mobile and has client VPN (OpenVPN Cloud) enabled. I guess this is why I don't have internet on the device connected to the LAN of the router. I can also do remote access from the laptop where the VPN client is running. All is working fine except the ability to access a public address on the internet (Azure Cloud for example).
by anonymous
Hi,

Since you have OpenVPN Cloud as a service, you could try to enable such a configuration on the OpenVPN platform. The following link from the OpenVPN documentation explains how to do so:

https://openvpn.net/cloud-docs/openvpn-cloud-internet-access/

I hope this information helps to solve your query.

Regards.
by anonymous
Hi,

If I would like to keep the tunnel splitting ON (use the router ISP for internet traffic), I guess I need to configure the firewall of the router to block all internet traffic from my device connected to the LAN (192.169.22.96) and open only the connection to the Azure cloud. Is it possible?

Regards,

Pat
by anonymous
Hi,

Let's state some grounding first. Based on your previous comments, the router is probably learning a default route from your OpenVPN cloud connection; in consequence, you can't get internet access from your LAN-connected devices. As stated in the OpenVPN documentation link I sent you before, that's something you can fix in your OpenVPN cloud configuration. However, if you still want to split the traffic on your router, one of the options is configuring an advanced static route to a specific IP address (Azure Cloud) from your subnet or from just one LAN-connected device. Please carefully read the following documentation regarding this topic, and let me know of any doubt that may arise when you try to configure this solution.

Advanced static routing:

https://wiki.teltonika-networks.com/view/RUT950_Routing#Advanced_Static_Routes

Also, the following example might be helpful:

https://wiki.teltonika-networks.com/view/LAN_Traffic_Splitting_Using_Advanced_Static_Routing_Rules#Adding_new_instance_of_a_routing_table

I will be waiting for your answer.

Regards.
by anonymous
Hi,

If I set the DNS server to the same as the default gateway (router LAN address) on the device connected to the LAN, I get internet access.

Regards,

Pat
by anonymous
Hi Pat,

I'm glad you came up with such a clever solution. If you have any further questions, please let us know to bring you support.

Have a nice day.

Regards.
by anonymous
Thanks, the last step is to set a traffic filter to let only a specific address reach the internet. Now the device has full access to the internet. Do you have an idea how to configure a traffic filter from LAN device 1?

Regards,

Pat
by anonymous
Hi,

You can create two traffic rules as follows:

https://community.teltonika-networks.com/?qa=blob&qa_blobid=12945851248812744699

WebUI Path: Network > Firewall > Traffic rules:

The first rule to allow traffic from one IP address from your LAN:

https://community.teltonika-networks.com/?qa=blob&qa_blobid=14050564533891919339

The second rule is to block all traffic from the whole LAN subnet:

https://community.teltonika-networks.com/?qa=blob&qa_blobid=2459241506898502292

The logic behind the configuration shown in the links above is to accept or reject the traffic forwarding from the LAN Zone to the WAN zone. Since OpenVPN has its firewall zone, you shouldn't lose connectivity to the cloud.

Let me know if this configuration works for you.

Regards.

by anonymous
Hi adevs,

I have blocked all internet traffic as described. I would like to add a rule to let the device synchronize with an external NTP server (time.windows.com) by adding a rule for UDP with port 123, but it doesn't work. Do I need to add any other rule?

If I disable the rule blockTraffic, it works.

by anonymous
Hi,

Could you please verify that the source UDP port from your NTP client is indeed 123 when it's trying to establish a connection with the server? As a test, you can let all the source UDP ports from your LAN connect to the internet, or let them reach the specific Windows NTP server UDP port 123.

The other possible cause could be the router is not updating its firewall rules order and is currently reading the block-traffic rule first. You could try to enter the Command-Line interface and execute the following command:

/etc/init.d/firewall restart

Please wait for a couple of minutes and check.

If anything from the above doesn't work, please try rebooting the device to be sure it has a clean boot and check again.

I will be waiting for your feedback.

Regards.
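As an added example that is not code from this thread or from Teltonika, here is a small Python model of how zone-forwarding traffic rules like the two above (allow one LAN host to the Azure address, reject the rest of the LAN subnet) are evaluated: first match wins, so an "allow NTP" rule added after the catch-all reject rule is shadowed and never takes effect, which is the rule-ordering problem described in this comment. The option names in the rendered fragment mirror the OpenWrt-style /etc/config/firewall rule sections used by RutOS; 192.169.22.96 is the LAN device from the thread, while the /24 subnet, the 203.0.113.10 "Azure" host, the 198.51.100.7 NTP server and the default ACCEPT forwarding policy are constructed assumptions.

```python
"""First-match evaluation of RutOS/OpenWrt-style firewall traffic rules.

Added example, not from the forum thread or from Teltonika. Models the
LAN -> WAN forwarding rules discussed above and shows that rule order
decides whether a later "allow" rule ever matches.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    target: str                      # "ACCEPT" or "REJECT"
    src: str = "lan"                 # source firewall zone
    dest: str = "wan"                # destination firewall zone
    proto: Optional[str] = None      # None = any protocol
    src_ip: Optional[str] = None     # host or CIDR; None = any source
    dest_ip: Optional[str] = None    # host or CIDR; None = any destination
    dest_port: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dest: str
    proto: str
    src_ip: str
    dest_ip: str
    dest_port: int


def _in_spec(ip: str, spec: Optional[str]) -> bool:
    """True when spec is unset or the address falls inside the host/CIDR spec."""
    return spec is None or ip_address(ip) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    # Match on destination port only: NTP clients commonly use an ephemeral
    # source port, so a source-port match would silently fail.
    return (
        rule.src == pkt.src and rule.dest == pkt.dest
        and (rule.proto is None or rule.proto == pkt.proto)
        and _in_spec(pkt.src_ip, rule.src_ip)
        and _in_spec(pkt.dest_ip, rule.dest_ip)
        and (rule.dest_port is None or rule.dest_port == pkt.dest_port)
    )


def evaluate(rules: List[Rule], pkt: Packet,
             default: str = "ACCEPT") -> Tuple[str, Optional[str]]:
    """First matching rule wins, as in the generated firewall chain.
    `default` models the zone forwarding policy when no rule matches
    (assumed ACCEPT for lan -> wan here)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target, rule.name
    return default, None


def to_uci(rules: List[Rule]) -> str:
    """Render rules as /etc/config/firewall 'config rule' sections.
    Sections are applied in file order, so the list order is the rule order."""
    lines = []
    for rule in rules:
        lines.append("config rule")
        for key in ("name", "src", "dest", "proto", "src_ip",
                    "dest_ip", "dest_port", "target"):
            value = getattr(rule, key)
            if value is not None:
                lines.append(f"\toption {key} '{value}'")
        lines.append("")
    return "\n".join(lines)


DEVICE = "192.169.22.96"       # LAN device named in the thread
LAN_NET = "192.169.22.0/24"    # assumed LAN subnet
AZURE = "203.0.113.10"         # constructed placeholder for the Azure host
NTP = "198.51.100.7"           # constructed placeholder for time.windows.com

allow_azure = Rule("allowAzure", "ACCEPT", src_ip=DEVICE, dest_ip=AZURE)
block_lan = Rule("blockTraffic", "REJECT", src_ip=LAN_NET)
allow_ntp = Rule("allowNTP", "ACCEPT", proto="udp", dest_port=123)


def broken_order() -> List[Rule]:
    """NTP rule appended after the catch-all reject: shadowed, never matches."""
    return [allow_azure, block_lan, allow_ntp]


def fixed_order() -> List[Rule]:
    """Specific allow rules first, catch-all reject last."""
    return [allow_azure, allow_ntp, block_lan]


def pkt_to(dest_ip: str, proto: str = "tcp", dest_port: int = 443,
           src_ip: str = DEVICE) -> Packet:
    """Constructed lan -> wan packet from the LAN device."""
    return Packet("lan", "wan", proto, src_ip, dest_ip, dest_port)


if __name__ == "__main__":
    ntp = pkt_to(NTP, "udp", 123)
    print("broken order:", evaluate(broken_order(), ntp))  # REJECT by blockTraffic
    print("fixed order: ", evaluate(fixed_order(), ntp))   # ACCEPT by allowNTP
    print(to_uci(fixed_order()))
```

Running the block prints the verdict for an NTP packet under both orderings and the fixed rule set as a UCI fragment; after reordering rules in the WebUI (or editing the config file), `/etc/init.d/firewall restart` as suggested above reloads them.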
by anonymous
OK, it's my request in the cmd that uses another port, but Windows 10 sync uses port 123.

I need to reach the server for Windows Update, so I set a rule for TCP ports 443 and 80. But I guess it's not the best solution?

Is it possible to create a whitelist (http://windowsupdate.microsoft.com, ...., ....., etc...)?

by anonymous
Hi,

It is possible to create a white list; however, it might not work if you are currently blocking all the traffic to the internet.

Below you can find more information related to this function:

https://wiki.teltonika-networks.com/view/RUT955_Web_Filter

Based on your comments, here are some suggested options that might work for you:

1. You could specify the server IP address on the traffic rule. (Through an nslookup command in the CMD, you can get this IP address.)

2. Let the LAN-Connected devices reach any server listening to a specific port. (Your current solution)

3. Combining the options above.

However, it seems that the last two questions are no longer inside the initial query scenario. Therefore, following the forum best practices, I will kindly ask you to submit another query for these upcoming questions regarding Traffic rule configuration since your initial query subject is no longer the issue.

Regards.
by anonymous
Hi adevs,

Thank you very much for your great support!

Regards,

Pat