0 votes
414 views 2 comments
by anonymous

Hi there

Site-to-site question once more, but those I found did not solve my problem. 

I have a RUT955 with firmware version RUT9XX_R_00.06.09.2 with an internal IP of 192.168.111.1 and acting as a router for several devices attached to it via LAN and WLAN ("remote network"). One such device is an ESP with the internal IP address 192.168.111.70.

The RUT is connected as a client to an OpenVPN server (Synology NAS) in the "main network" with an internal address there of 192.168.1.200. The OpenVPN network is 10.8.0.0, the RUT gets assigned 10.8.0.6. 

Routing in the OpenVPN connection is set up so that I can reach all clients of the main network such as a Windows PC with the address 192.168.1.15 for example.

By creating a static route on the NAS (=OpenVPN server) of
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
and on the PC of
route ADD 10.8.0.0 MASK 255.255.255.0 192.168.1.200
I can reach the RUT at its OpenVPN IP of 10.8.0.6.

I am, however, at a loss how to set up routing so that ultimately I can reach 192.168.111.70 (network client of the RUT, itself OpenVPN client) from the server network. I tried with adding an additional route on the NAS such as
ip route add 192.168.111.0/24 via 10.8.0.1 dev tun0
but without luck. I just do not understand enough of networking to get it, also whether the RUT needs to be configured somehow to perform NAT. 

Any help is greatly appreciated!

[For explanation why I try to set up the static route on the NAS and/or the PC: I cannot set up routing on the "main" network's gateway as this is an ISP-provided device which cannot properly be configured - but reaching the RUT's clients from the NAS would suffice ultimately].

1 Answer

0 votes
by anonymous

Hi,

Would be great to see routes on these devices (route -n, ip route commands) and the topology. 

You can reach 192.168.1.0/24 network from 192.168.111.0/24, but cannot reach 192.168.111.0/24 from 192.168.1.0/24?

Just a few thoughts.

It seems that NAS knows how to route 10.8.0.0/24 network. What about routing to 192.168.1.0/24?

Is RUT955 aware of the 192.168.1.0/24 network on the other end of the tunnel? Is VPN interface used as default gateway?

Does the device on the 192.168.1.0/24 network know that it is supposed to route 192.168.111.0/24 through NAS? I.e., is the route configured, or does the default gateway point to NAS?

Does the gateway configured on ESP point to RUT955 (192.168.111.1)?

What is the firewall configuration? Does the firewall allow VPN traffic to the LAN zone (OpenVPN to LAN)? Network -> Firewall -> General.

Kind Regards,

Andzej

by anonymous

Hi Andzej
Thanks for getting back!

I tried to paint a simplified topology diagram - following.

ip route on 192.168.1.200 (server, also OpenVPN server) is:

default via 192.168.1.1 dev ovs_bond0  src 192.168.1.200
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1
172.18.0.0/16 dev docker-1c0f28c3  proto kernel  scope link  src 172.18.0.1 linkdown
172.19.0.0/16 dev docker-307872f8  proto kernel  scope link  src 172.19.0.1
192.168.1.0/24 dev ovs_bond0  proto kernel  scope link  src 192.168.1.200
192.168.111.0/24 via 10.8.0.1 dev tun0

ip route on RUT955 is:

default dev wwan0  proto static  scope link  src 10.2.158.248  metric 1
10.2.158.248 dev wwan0  proto static  scope link  metric 1
10.8.0.0/24 via 10.8.0.1 dev tun0
192.168.1.0/24 via 10.8.0.1 dev tun0
192.168.111.0/24 dev br-lan  proto kernel  scope link  src 192.168.111.1


So: 

You can reach 192.168.1.0/24 network from 192.168.111.0/24, but cannot reach 192.168.111.0/24 from 192.168.1.0/24?

Exactly.

It seems that NAS knows how to route 10.8.0.0/24 network. What about routing to 192.168.1.0/24?

Works. Traceroute to 192.168.1.132 with one hop.

Is RUT955 aware of the 192.168.1.0/24 network on the other end of the tunnel? Is VPN interface used as default gateway?

Yes, Traceroute from RUT955 (192.168.111.1) to 192.168.1.132 is:

traceroute to 192.168.1.132 (192.168.1.132), 30 hops max, 38 byte packets
 1  10.8.0.1 (10.8.0.1)  43.656 ms  45.575 ms  38.514 ms
 2  192.168.1.132 (192.168.1.132)  47.680 ms  37.805 ms  39.761 ms

Additionally, a Windows PC on the 192.168.111.0/24 network has no trouble reaching shares on 192.168.1.200 and so on.
192.168.111.1 is the default gateway for 192.168.111.0/24, but only 10.8.0.0/24 and 192.168.1.0/24 are routed via 10.8.0.1 (VPN).

Does the device on the 192.168.1.0/24 network know that it is supposed to route 192.168.111.0/24 through NAS? I.e., is the route configured, or does the default gateway point to NAS?

This is where I am struggling. I tried to set the route as above (192.168.111.0/24 via 10.8.0.1 dev tun0) and also via 10.8.0.6, but without luck. 

Additionally, even if I could tell 192.168.1.200 that 192.168.111.1 is the same as 10.8.0.6 (RUT, which it can reach), would then the RUT know that the packet from 192.168.1.200 sent to 192.168.111.70 incoming from the VPN needs to be forwarded in its subnet? 

Does the gateway configured on ESP point to RUT955 (192.168.111.1)?

Yes, it does.

What is the firewall configuration? Does the firewall allow VPN traffic to the LAN zone (OpenVPN to LAN)? Network -> Firewall -> General.

Firewall is set to allow forwarding from OpenVPN to LAN (and WAN) - screenshot follows

P.S.:

I cannot post the diagram / screenshot as they seem to count against the 12000 character limit.
Topology is here: https://pasteboard.co/NUcPHq7a9rCG.png

Firewall settings: https://pasteboard.co/6KP7zaD5rIlf.png

by anonymous

Hi,

Are you able to reach devices on 192.168.111.0/24 from the 192.168.1.200 OpenVPN server (NAS) itself?

You said you have the following route on the PC:

route ADD 10.8.0.0 MASK 255.255.255.0 192.168.1.200

The RUT955 has an IP address of 10.8.0.6 (VPN tunnel IP), so the PC sends the packet to OpenVPN server (192.168.1.200). But when you try to reach 192.168.111.0/24, the PC does not have a route, so it uses a default gateway (which I suppose is 192.168.1.1 and is not aware of any OpenVPN tunnels/networks). Try adding a route to your PC in 192.168.1.0/24 network:

route ADD 192.168.111.0 MASK 255.255.255.0 192.168.1.200

Kind Regards,

Andzej
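
The next-hop choice described in the answer above, modelled as an added example that is not part of the original thread: a longest-prefix-match lookup over the routing tables posted earlier shows which hop each box picks for 192.168.111.70 before and after the suggested route. The PC's table and the device name "lan" are assumptions; the NAS and RUT955 tables are transcribed from the thread.

```python
import ipaddress

# Tables transcribed from the thread as (prefix, gateway, device);
# gateway None means on-link. Docker routes on the NAS are omitted.
NAS = [
    ("0.0.0.0/0", "192.168.1.1", "ovs_bond0"),
    ("10.8.0.0/24", None, "tun0"),
    ("192.168.1.0/24", None, "ovs_bond0"),
    ("192.168.111.0/24", "10.8.0.1", "tun0"),
]
RUT955 = [
    ("0.0.0.0/0", None, "wwan0"),
    ("10.8.0.0/24", "10.8.0.1", "tun0"),
    ("192.168.1.0/24", "10.8.0.1", "tun0"),
    ("192.168.111.0/24", None, "br-lan"),
]
# Assumption: the PC's table is not shown in the thread. The default
# gateway 192.168.1.1 is what the answer supposes; "lan" is a placeholder.
PC_BEFORE = [
    ("0.0.0.0/0", "192.168.1.1", "lan"),
    ("192.168.1.0/24", None, "lan"),
    ("10.8.0.0/24", "192.168.1.200", "lan"),
]
# After: route ADD 192.168.111.0 MASK 255.255.255.0 192.168.1.200
PC_AFTER = PC_BEFORE + [("192.168.111.0/24", "192.168.1.200", "lan")]

def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next hop, device) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw, dev) for p, gw, dev in table
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    net, gw, dev = max(hits, key=lambda h: h[0].prefixlen)
    return (str(net), gw or dst, dev)  # on-link: next hop is dst itself

def trace(dst="192.168.111.70", reply_to="192.168.1.15"):
    """Next-hop decision each box makes, forward path then reply path."""
    return {
        "PC before": lookup(PC_BEFORE, dst),
        "PC after": lookup(PC_AFTER, dst),
        "NAS": lookup(NAS, dst),
        "RUT955": lookup(RUT955, dst),
        "RUT955 reply": lookup(RUT955, reply_to),
    }

if __name__ == "__main__":
    for box, hit in trace().items():
        print(f"{box:13} {hit}")
```

The model covers only each box's kernel route selection; what the OpenVPN server does with a packet once it enters tun0, and any firewall forwarding rules, are outside it.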