subscribe to our Youtube


14455 questions

17168 answers


0 members

We are migrating to our new platform at Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
1,150 views 1 comments
by anonymous


Here is the Situation:

We have already 100+ Mobile Routers in our Business working and now want to switch to Teltonika, so we know that the Firewall Rules in Our Network are correct.

We have set some Port Forward Rules to access all the Services we need, and Traffic to the RUT240 is working.

The Problem:

We have a Synology SMTP Relay Set up for Email forwarding. But from the Laptop on the RUT240 Network I can not ping the Synology.
From the RUT240, I can ping it with no problem.

I think I am missing something small that has to be activated and hope that someone can help me.

Attached the Troubleshoot File.

Thanks for every Help and Greetings

2 Answers

0 votes
by anonymous


The issue is caused by the firewall - more specifically due to missing (disabled) "MASQUERADE" option. Please enable "MASQUERADING" option in the WebUI, at Network > Firewall > General Settings [default tab] > [Enable MASQUERADING on 'Mobile_WAN' & 'WAN' zone] > Save & Apply settings .

It might be necessary to restart firewall service (via CLI, use command "/etc/init.d/firewall restart" or "fw3 restart" for that) or to simply reboot the router after enabling this option so that it takes effect as soon as possible. I'm also leaving an explanation below regarding why this MASQ option should be enabled and what needs to be done when we choose not to enable it.

All packets, which leave the router via <any gateway/interface> that falls under <zone with MASQUERADE enabled> will have its source IP address translated to <egress interface> IP address. For example, in your case, the following should be happenning:

  1. Laptop generates packet with source IP address of to destination IP address of
  2. Laptop notices that this destination IP address is not on the same broadcast domain - it forwards the packet to the router [to assist with routing of the packet]
  3. The router checks its routing table [RIB] - there is no specific route to such destination, therefore the packet should be routed via its mobile interface to a further gateway

Here's where MASQUERADING (SNAT) becomes relevant

  1. With MASQUERADING is enabled, the router will "translate" source IP of the laptop packet from to This means that a packet, that was generated by the laptop, would end up with source IP address of instead of the initial IP address of the laptop. Destination IP address is not changed at this point.
  2. The packet is then routed all the way to the Synology device and eventually it comes back to the router. Router "remembers" that it translated a packet for a specific destination and forwards that packet back to the initial host (laptop).

If we do not use MASQUERADING (SNAT), then the source IP address of the packet doesn't change. This can also work, but additional [static or dynamic] routes must be configured on all devices in the path of that packet so that it can be routed TO the destination and then BACK to the original sender. When we route to the internet, SNAT is mandatory, because private IPs [RFC1918] shall not be routed on the internet.

This explains both things - why your router was able to reach the Synology device (it was using its mobile interface to reach Synology device) and why your laptop cannot reach it (no SNAT applied to the laptop packet).

Best answer
by anonymous

Thank you for helping me, Masquarading I had not considered and did not know that this is so important.
After activating and restarting the router everything works as it should.
Thanks also for the explanation, I have learned something again.

0 votes
by anonymous

Could you execute a tcpdump on the RUT from a ssh or CLI console:

tcpdump -i any -n -v 'icmp'

and retry the ping from the laptop ? What do yous see on the tcpdump screen ?