0 votes
376 views 1 comments
by anonymous
Hello,

I would like 2 RUT955 routers to communicate via an IPsec VPN. It will be established by either RUT.
All ports will be blocked except 9080, 5004 and ping (ICMP).

I think I need to make 2 rules per port:

- The first one to allow flows from the LAN of RUT 1 to the LAN of RUT 2, specifying the port number,

- The second rule to allow flows from the RUT 2 LAN to the RUT 1 LAN, specifying the port number and the source of the flows via IPsec ( -m policy -dir in -pool ipsec)

This configuration does not work; I have a screenshot.
Can you tell me where my errors are?
Can you give me the list and the meaning of the extra arguments, for example ( -m policy -dir in -pool ...

Best regards,

2 Answers

+1 vote
by anonymous

Hello,

-pool isn't correct, try with --pol ipsec

- The first one to allow flows from the lan of RUT 1 to the lan of RUT 2 and specifying the port number,

Be sure to have the correct values for "local subnet" and "remote subnet" in Connection Settings->General Settings.

To allow specific ports only and icmp:

iptables -A FORWARD -s lan1net/24 -d lan2net/24 -p tcp -m multiport --dports 5004,9080 -j ACCEPT

iptables -A FORWARD -s lan1net/24 -d lan2net/24 -p udp -m multiport --dports 5004,9080 -j ACCEPT

iptables -A FORWARD -s lan1net/24 -d lan2net/24 -p icmp -j ACCEPT

iptables -A FORWARD -s lan1net/24 -d lan2net/24 -j DROP

There may be a glitch in the default firewall; if the traffic doesn't flow as expected, add this rule on both sides:

iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

Regards,
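Putting the answer's rule set together with the inbound IPsec policy match the question was asking about, as an added example that is not from this thread: a POSIX sh function that prints the rules for one router of the pair (apply on RUT 1, then on RUT 2 with the two subnets swapped). The subnets, the port list, the conntrack rule and a policy-based (non-VTI) IPsec setup are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print the iptables rules for ONE router
# of the IPsec pair. Nothing is applied; review the output, then pipe it to sh.
# Assumed placeholders: $1 = this router's LAN, $2 = the peer's LAN, $3 = ports.
gen_ipsec_forward_rules() {
    this_lan="$1"     # e.g. 10.0.26.0/24 (constructed sample)
    peer_lan="$2"     # e.g. 10.0.27.0/24 (constructed sample)
    ports="$3"        # comma-separated list for -m multiport, e.g. 5004,9080

    # Replies to flows already accepted below; inserted at the top of FORWARD.
    echo "iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Outbound: this LAN -> peer LAN, listed ports and ICMP only, and only for
    # packets the kernel will actually encrypt (--dir out --pol ipsec), so a
    # tunnel outage cannot let the traffic leave in clear text over the WAN.
    for proto in tcp udp; do
        echo "iptables -A FORWARD -s $this_lan -d $peer_lan -p $proto -m multiport --dports $ports -m policy --dir out --pol ipsec -j ACCEPT"
    done
    echo "iptables -A FORWARD -s $this_lan -d $peer_lan -p icmp -m policy --dir out --pol ipsec -j ACCEPT"

    # Inbound: peer LAN -> this LAN, same ports, but only if the packet arrived
    # decrypted through the tunnel (--dir in --pol ipsec). This is the check
    # the question was reaching for with "-m policy -dir in -pool ipsec".
    for proto in tcp udp; do
        echo "iptables -A FORWARD -s $peer_lan -d $this_lan -p $proto -m multiport --dports $ports -m policy --dir in --pol ipsec -j ACCEPT"
    done
    echo "iptables -A FORWARD -s $peer_lan -d $this_lan -p icmp -m policy --dir in --pol ipsec -j ACCEPT"

    # Everything else between the two LANs is dropped, in both directions.
    echo "iptables -A FORWARD -s $this_lan -d $peer_lan -j DROP"
    echo "iptables -A FORWARD -s $peer_lan -d $this_lan -j DROP"

    # Keep traffic that is about to be encrypted out of the NAT masquerade
    # (the rule the answer gives for both sides).
    echo "iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT"
}

# On RUT 1:  gen_ipsec_forward_rules 10.0.26.0/24 10.0.27.0/24 5004,9080
# On RUT 2:  gen_ipsec_forward_rules 10.0.27.0/24 10.0.26.0/24 5004,9080
```

Once the printed rules have been checked on the CLI, the same output can be pasted into Network -> Firewall -> Custom Rules so they survive a reboot.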

0 votes
by anonymous

Hello,

Thank you for your advice.
I will test these commands:

iptables -A FORWARD -s 10.1xx.26.0/24 -d 10.1xx.27.0/24 -p tcp -m multiport --dports 5004,9080 -j ACCEPT
iptables -A FORWARD -s 10.1xx.26.0/24 -d 10.1xx.27.0/24 -p udp -m multiport --dports 5004,9080 -j ACCEPT
iptables -A FORWARD -s 10.1xx.26.0/24 -d 10.1xx.27.0/24 -p icmp -j ACCEPT
iptables -A FORWARD -s 10.1xx.26.0/24 -d 10.1xx.27.0/24 -j DROP
iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

These commands are to be configured via:

  • network/Firewall/Custom Rules
  • CLI
  • or SSH

On the 2nd RUT, I will reverse lan1net/24 and lan2net/24, OK?

Thanks

Best regards

by anonymous
CLI or SSH will do; once you are confident they work as expected, put them in Custom Rules. And reverse the source and destination LANs on the second RUT.