0 votes
394 views 5 comments
by anonymous
We have connected a RUT240 with a Sophos XG using OpenVPN. The VPN tunnel is established, and both sides are refreshing their routing tables.

Problem now: we have no traffic into or from the LAN behind the RUT240 (Axis webcam and Behnke IP phone). It worked until this week, but because of a firmware update or some change in configuration we can't rebuild the working state. Even if we restore an older backup onto the RUT we have no success.

Because we find no entries in the Sophos firewall log, we assume there must be a firewall problem on the RUT side.

Luckily we have RMS access, but without any good idea ...

Thanks in advance for every hint
by anonymous
Edit:
Found this message via logread: "write to TUN/TAP : Invalid argument (code=22)"
Added LZO = yes in the config.

Now we have traffic from local LAN -> Sophos -> RUT -> remote LAN.

But the other direction is not working properly.
The RUT240 is masquerading all packets from the LAN. Because of SIP this should not happen, and the Sophos doesn't like these packets either.
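The masquerading described in the edit above usually comes from the tunnel interface sitting in the same zone as the LTE uplink, so the zone's NAT applies to VPN traffic as well. The fragment below is an added example in OpenWrt/RutOS /etc/config/firewall syntax (fw3), not configuration taken from this thread or from Teltonika: it keeps masquerading on the wan zone only and puts the tunnel device in its own zone without masq, so LAN hosts keep their 192.168.205.x source addresses across the tunnel and SIP can see the real endpoints. The zone names, the tunnel device name and the policy values are assumptions; the device name is taken from the routing table posted later in the thread.

```text
# Added example (assumed layout), not the thread's own config.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'                  # NAT only toward the LTE uplink

config zone
	option name 'vpn'                # hypothetical zone for the tunnel
	list device 'tun_c_sconnect'     # tunnel device name from the posted routing table
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# no 'option masq' here: traffic to the remote LAN is routed, not translated

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'
```

After editing the file, `/etc/init.d/firewall restart` reloads it; the per-zone masquerading can be confirmed with `iptables -t nat -S POSTROUTING`, where MASQUERADE should appear only for the wan zone's output devices. Keeping input and forward on REJECT for the vpn zone, with explicit forwardings, preserves the default-deny posture while still allowing the two LANs to reach each other.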

1 Answer

0 votes
by anonymous
Hello,

I need to understand a little more about the configuration you are doing. Can you attach some kind of diagram with IP addresses and configurations? I would also like to know if you can attach the backup you had before the firmware upgrade. Also, if you can attach a new troubleshooting file after the last change you made, it would be very helpful.
by anonymous
A schematic diagram and old vs. new backup are attached. The troubleshooting file is up to date.

It seems not to be a firmware problem, but a firewall one. We must have a big block before our eyes. We can't work with port forwarding, so we must connect to the devices behind the RUT by their own IP addresses and vice versa.

The first part is working great, but not the second. The Behnke phone must connect to the PBX, but we find no connection attempt from this device in the Sophos firewall log, neither green nor red.

The solution for the moment is to take the old file /etc/config/firewall, dated 2022/06/20. Now the phone is also working, but devices in 192.168.205.0 don't have outgoing access to the internet. VPN only. Not so bad, but sometimes you need internet in the desert too.
by anonymous

Hey,

To rule out firewall issues you can allow all traffic momentarily. That is, Accept in all fields where you have Reject. In this case, Input, Forward, and the WAN→Reject area are all set to Accept. On the other hand, I see issues in the routing table. I don't see the gateway for the internet output; here you see it.

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 wwan0
10.126.75.203   0.0.0.0         255.255.255.255 UH        0 0          0 wwan0
10.168.207.0    10.200.139.148  255.255.255.0   UG        0 0          0 tun_c_sconnect
10.200.128.192  10.200.139.148  255.255.255.240 UG        0 0          0 tun_c_sconnect
10.200.128.224  10.200.139.148  255.255.255.240 UG        0 0          0 tun_c_sconnect
10.200.136.0    10.200.139.148  255.255.255.0   UG        0 0          0 tun_c_sconnect
10.200.140.128  10.200.139.148  255.255.255.224 UG        0 0          0 tun_c_sconnect
10.200.140.160  10.200.139.148  255.255.255.224 UG        0 0          0 tun_c_sconnect
192.168.205.0   0.0.0.0         255.255.255.0   U         0 0          0 br-lan

I imagine that you go out to the internet through the WAN interface 10.126.75.203. You can modify the table over SSH with the command: ip route add 0.0.0.0/0 via 10.126.75.203

by anonymous

In fact Telefónica/O2 Germany assigns private IP addresses on the WAN interface.

But shouldn't the first line

0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 wwan0

be doing the same as ip route add 0.0.0.0/0 ... ?

FYI: we have changed the VPN from OpenVPN to IPsec for better dealing with the forced disconnect by the LTE provider (we hope so).
Furthermore we have examined _all_ firewall logs on the Sophos and found weird SIP communication (high ports, low ports in all directions) between the listed devices. The firewall rules are now clean (it seems so), but the IPsec rules and settings must be refined. In particular I'm wondering why there are no more entries listed by ip route in comparison to the former OpenVPN connection.

by anonymous

Even if you have a private IP from the provider, you should have a line as shown above (ip route add 0.0.0.0/0 via 10.126.75.203). In any case, were you able to get the IPsec tunnel up? You should check the router's routing table. You can see that with the OpenVPN you had the routes created for the other devices. In the case of IPsec you should verify that these routes exist. If you set all the Teltonika firewall rules to accept, it should not be a problem on the RUT240. I might suggest checking the Sophos device to see what is going on. Maybe a traceroute analysis can help you to know where packets are being lost or filtered.
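The exchange above turns on how the kernel picks a route, so here is an added example (not from this thread or from Teltonika) that parses a `route -n` style table and performs the same longest-prefix-match lookup the kernel does. The table embedded below is a constructed copy of the one posted in the answer; the lookup addresses are assumptions chosen to fall inside the posted prefixes. It also shows what the follow-up question asks about: a gateway of 0.0.0.0 with flag U is an on-link route (no next hop), which is how a default route normally looks on a point-to-point cellular interface, and the presence of such a 0.0.0.0/0 entry is what decides whether internet-bound traffic has a path at all.

```python
"""Longest-prefix-match lookup over a `route -n` table (added example)."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, NamedTuple, Optional

# Constructed copy of the routing table posted in the thread.
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 wwan0
10.126.75.203   0.0.0.0         255.255.255.255 UH        0 0          0 wwan0
10.168.207.0    10.200.139.148  255.255.255.0   UG        0 0          0 tun_c_sconnect
10.200.128.192  10.200.139.148  255.255.255.240 UG        0 0          0 tun_c_sconnect
10.200.128.224  10.200.139.148  255.255.255.240 UG        0 0          0 tun_c_sconnect
10.200.136.0    10.200.139.148  255.255.255.0   UG        0 0          0 tun_c_sconnect
10.200.140.128  10.200.139.148  255.255.255.224 UG        0 0          0 tun_c_sconnect
10.200.140.160  10.200.139.148  255.255.255.224 UG        0 0          0 tun_c_sconnect
192.168.205.0   0.0.0.0         255.255.255.0   U         0 0          0 br-lan
"""


class Route(NamedTuple):
    network: IPv4Network
    gateway: Optional[IPv4Address]  # None means on-link (route -n prints 0.0.0.0)
    flags: str
    iface: str


def parse_route_table(text: str) -> List[Route]:
    """Parse `route -n` output; the first line is the column header."""
    routes = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        dest, gw, mask, flags, *_metrics, iface = line.split()
        network = IPv4Network(f"{dest}/{mask}")       # Genmask form is accepted
        gateway = None if gw == "0.0.0.0" else IPv4Address(gw)
        routes.append(Route(network, gateway, flags, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific matching route, or None if nothing matches."""
    addr = IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def has_default_route(routes: List[Route]) -> bool:
    """True if a 0.0.0.0/0 entry exists, regardless of whether it names a gateway."""
    return any(r.network.prefixlen == 0 for r in routes)


def describe(route: Optional[Route]) -> str:
    """Human-readable form matching `ip route get` wording."""
    if route is None:
        return "unreachable: no matching route"
    via = f"via {route.gateway}" if route.gateway else "on-link (no next hop)"
    return f"{route.network} {via} dev {route.iface} flags={route.flags}"


if __name__ == "__main__":
    table = parse_route_table(ROUTE_TABLE)
    print("default route present:", has_default_route(table))
    # Assumed sample destinations: a public DNS server, a remote-LAN host,
    # a local-LAN host and the uplink's own address.
    for dst in ("8.8.8.8", "10.200.136.5", "192.168.205.10", "10.126.75.203"):
        print(f"{dst:>16} -> {describe(lookup(table, dst))}")
```

Running it shows that 8.8.8.8 already resolves to wwan0 through the on-link default entry, while remote-LAN addresses resolve to tun_c_sconnect via 10.200.139.148; removing the 0.0.0.0/0 line is the only case in which the lookup returns no route. On the router itself, `ip route get 8.8.8.8` gives the kernel's answer for the same question.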