0 votes
1,438 views 5 comments
by anonymous

Hello,
Issue: I'm trying to set Passthrough mode on the RUT240 for Mobile LTE and assign the public SIM IP address to the Cisco 897 connected behind it, and at the same time still have remote management of the RUT240 via HTTPS or SSH from the Internet. Passthrough works OK, but remote access from the Internet to the RUT240 doesn't work any longer after setting this up. There is no option to log in from the Internet side to the public IP address of the Teltonika.

In older Legacy firmware RUT2XX_R_00.01.14.6 this worked 100% OK, I could do this.
With newer firmware RUT2_R_00.07.02 or RUT2_R_00.07.03 this isn't possible fully or something is missing.

I attach screenshots of the correct configuration on RutOS RUT2XX_R_00.01.14.6 firmware that I tested as a walkthrough.
Teltonika and Cisco are implemented only in my desk lab - no production network.
The SIM IP address I get from the ISP is 46.77.101.129 and it's a static public IP. The Cisco MAC address is f80f.6fcc.a6fc.

Topology that I use is:
laptop -- (LAN) Cisco 897 (Gi8 DHCP) -- UTP cable -- (lan DHCP) Teltonika RUT240 (MOB1S1A1 mobile LTE) -- Internet

My goal is:
Cisco 897 (IP 46.77.101.129 will have all traffic allowed IN/OUT port 1-65534; except 9443 & 9022) -- Teltonika RUT240 (mgmt local + HTTPS/SSH 46.77.101.129/32 only on ports 9443/9022 and Passthrough all other traffic IN/OUT re-directed to Cisco)

Screenshots for working config at Legacy RUT2XX_R_00.01.14.6:

I had access to the Teltonika RUT240 from the Internet through a web browser at its IP 46.77.101.129:9443, and at the same time this IP was passed through to the Cisco.

Meanwhile, I tried to upgrade the firmware from RUT2XX_R_00.01.14.6 directly to RUT2_R_00.07.02 while keeping settings – the upgrade finished successfully, but after this and a reload the RUT240 device crashed, because there was no further management and no option to log in to RutOS with the default IP 192.168.1.1 through DHCP (I had to set my Ethernet adapter to a static address). Perhaps there were too many changes in the firmware to handle keeping settings. I did a factory reset and downgraded the firmware back again to the previous version 14.6.

I tried again the upgrade path from RUT2XX_R_00.01.14.6 to the very first version of the newer RUT2_R_00.07.01.2 while keeping settings – after the upgrade finished, it successfully kept the settings: Passthrough worked and the remote management settings tab kept the settings configured earlier, but I no longer had any way to remotely access the HTTPS/SSH port on my outside SIM public IP address from the Internet into the Teltonika RUT240 when the cable was plugged into the Cisco from the Teltonika.

I also tried to follow the upgrade path chain firmware: RUT2XX_R_00.01.14.6 > RUT2_R_00.07.01.2 > RUT2_R_00.07.02 > RUT2_R_00.07.03 – the upgrade finished successfully and kept some settings, with Passthrough working, but again there was no further option for remote access login via HTTPS/SSH with my outside SIM public IP address into the Teltonika. From the perspective of the Cisco 897 router, it looks like this:
(testing RUT240 with RUT2XX_R_00.01.14.6)

interface GigabitEthernet8
 ip address dhcp
end

ip route 0.0.0.0 0.0.0.0 dhcp

Router#sh int GigabitEthernet8
GigabitEthernet8 is up, line protocol is up
  Hardware is PQ3_TSEC, address is f80f.6fcc.a6fc (bia f80f.6fcc.a6fc)
  Internet address is 46.77.101.129/30


GigabitEthernet8           46.77.101.129   YES DHCP   up  up

Router#sh ip route
S*    0.0.0.0/0 [1/0] via 46.77.101.130
      46.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        46.77.101.128/30 is directly connected, GigabitEthernet8
L        46.77.101.129/32 is directly connected, GigabitEthernet8

It looks like the Cisco gets a /30 subnet from DHCP with a helping virtual-gateway IP .130 created on the Teltonika when set to Passthrough mode, based on the routing table + ARP table:
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  46.77.101.129           -   f80f.6fcc.a6fc  ARPA   GigabitEthernet8 -> CISCO
Internet  46.77.101.130           0   001e.4228.01ac  ARPA   GigabitEthernet8 -> TELTONIKA

Router#ping 46.77.101.129 - ping to itself - OK
Sending 5, 100-byte ICMP Echos to 46.77.101.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Router#ping 46.77.101.130 - ping to virtual-IP Gateway on Teltonika - OK
Sending 5, 100-byte ICMP Echos to 46.77.101.130, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Router#ping 8.8.8.8 – ping from Cisco to Internet Google (sourced from 46.77.101.129) – OK
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/48 ms


Interesting fact:
https://46.77.101.129:9443 is accessible through a web browser to the Teltonika from the Internet perspective via HTTPS 9443 using credentials [admin/xxx], and at the same time the virtual-gateway IP 46.77.101.130 is also responding and reachable when I open it in a web browser via HTTPS 9443 – the page opens and asks for login, but when I try to log in it forbids access – even when I enter the correct login and password. I even created another different user for testing, but got the same results. Why does this page even show up?


I tried to upgrade the FW while keeping settings from RUT2XX_R_00.01.14.6 to RUT2_R_00.07.01.2 - it mapped and ported the earlier 14.6 config. Passthrough works 100% OK but there is no remote management over the Internet public IP. See screenshots below:

Router#ping 46.77.101.129 > still looks OK, ping to itself
Sending 5, 100-byte ICMP Echos to 46.77.101.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Router#ping 46.77.101.130 -> now, you can't ping virtual-IP Gateway at Teltonika
Sending 5, 100-byte ICMP Echos to 46.77.101.130, timeout is 2 seconds:
Success rate is 0 percent (0/5)


Router#ping 8.8.8.8 > still looks OK - Passthrough works fine
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/45/72 ms

I don't know why now I cannot ping (ICMP) the virtual IP 46.77.101.130 directly from the perspective of the Cisco IP 46.77.101.129. Maybe now it's normal behavior, but I suspect firewall rules can mess with this.
In my Firefox I don't have remote mgmt when I open the WebUI via HTTPS at 46.77.101.129:9443 – it doesn't respond, looks like a timeout, and there is no welcome page, but when I try 46.77.101.130:9443 this opens up the welcome webpage and asks for credentials to log in; when trying, it forbids access – I still use the same admin/password defined earlier in the Teltonika.

I checked Firewall tabs RutOS RUT2_R_00.07.01.2 and this seems OK.

I did a factory reset and tried once again to configure everything manually, in case something from the imported settings was not working. Still I get the same results.
I tried to recreate a similar configuration in RUT2_R_00.07.02 or 07.03 just by clicking through the respective pages manually – passthrough works 100% OK, but when I try to force it to have remote access via HTTPS/SSH with my outside SIM public IP address into the Teltonika RUT240, this doesn't work at all. Again something is failing. Ended up with the same result.

Each time, when I tried to reconfigure step-by-step in a different firmware version, I collected Troubleshoot files + config files for analysis, attached to the ticket.

by anonymous
This problem also applies to all newer RutOS software versions RUT240_RUT2_R_00.07.01, 07.02 and 07.03.

2 Answers

0 votes
by anonymous

I think I finally crafted and found the solution to my own ticket that resolves the case, by myself.
Below you can find a full description and explanation. However, this should also be addressed and fixed somehow globally by the Teltonika development guys in the next RutOS versions.

First of all, once you enable in RutOS the Remote Management options -> System -> Administration -> Access Control [General] that involve use of SSH/HTTP/HTTPS like:
- Remote SSH access over port 22 (my example 9022)
- Enable remote HTTP access over port 80
- Enable remote HTTPS access over port 443 (my example 9443)

the Teltonika RUT240 device (I guess other devices too) should create specific rules that allow such traffic to be handled by the device itself. You should find these rules exactly in the Firewall -> Port Forwards section.

When the RUT240 works in normal NAT mode for the Mobile interface -> all sections of the Firewall are operating and taking care of the traffic, i.e.: General Settings / Port Forwards / Traffic Rules / NAT Rules.

When the RUT240 works strictly in Passthrough mode for the Mobile interface (changed from the default NAT mode) -> only the Firewall -> Port Forwards section matters for us, and the other sections are skipped and no longer used for analyzing traffic. This is how IP traffic is passed through to the other device connected behind the Teltonika.
That's why, even when you still have set and active rules allowing specific IP traffic in the configuration,
they will not work any longer in practice (for example, you can check the Traffic Rules subtab in Firewall).
These kinds of rules work only when the router is set to NAT mode; in other modes they do not apply.

Unfortunately, the current firmware version 07.03 of the RUT240 doesn't directly inform the user that he must additionally configure these rules manually for remote management to work.

I wish the Teltonika RUT240 would also inform us with some information message
when changing the operating mode from NAT to Passthrough and saving the settings, like:
“ATTENTION! Changing operating mode from NAT to Passthrough actually disables analysis of forwarded IP network traffic, including most of the built-in firewall rules. For other traffic to be handled and destined to the Teltonika, make sure to configure such rules manually in the Port Forwards section, if needed.” -> this could be informative for a standard user, so that he knows he also needs to perform some actions for something to work.

Generally, I think it shouldn't matter in what order you configure the sections; as the final result you should be able to have the device set as Passthrough and full Remote Management to it, so it can be configured either way:
first set Passthrough <> then set Remote Management options
or vice versa
first set Remote Management options <> then set Passthrough

From perspective of different firmware versions this looks as follows:

* Legacy RutOS firmware RUT2XX_R_00.01.14.6 didn't have any problem with setting Passthrough mode + automatically creating an additional set of Port Forwards rules, so everything was working out of the box.

The user didn't need to care about it, because everything was working by default.
Once you reconfigured the RUT240 device you could see its effect in the running configuration when navigating to:
Network -> Firewall -> Port Forwarding, where we see our intended rules for remote management.

Rules on the list:
- Enable_SSH_WAN_PASSTHROUGH
- Enable_HTTP_WAN_PASSTHROUGH
- Enable_HTTPS_WAN_PASSTHROUGH

Clearly, the rules say what they are intended and supposed to do [based on my example for HTTPS]:
Traffic from any source on the Internet destined to port TCP HTTPS 9443 is forwarded (redirected) and handled by the router itself /RUT240/, meaning its internal interface 127.0.0.1, which is the Loopback interface.

This makes sense to me. It's logical and understandable. The same thing happens for HTTP and SSH.
Remember: here the internal operating interface for the working rule is the Loopback interface – 127.0.0.1.

We can see this rule details by clicking Edit:

Moving on to the next scenario *Migration from Legacy 14.6 RutOS firmware to the first RUT2_R_00.07.01.2:

Upgrading from Legacy RUT2XX_R_00.01.14.6 while keeping settings to the very first RUT2_R_00.07.01.2.
Here, it looks like the rules have been imported and recreated in exactly the same way, but in my case remote management failed for HTTPS/SSH. Take a look at the screen in the Firewall -> Port Forwards section:

Here, the example rule Enable_HTTPS_WAN_PASSTHROUGH, even though it looks similar to the one in the Legacy firmware,
is no longer usable and not operational as it states. We will not have remote access. Why?

It's because in the newer firmware the internal interface Loopback – 127.0.0.1 is not applicable and not recognized as a valid interface for the definition when creating and writing new Forwarding rules. It must be selected exactly as the lan interface, specifically. So, now for new rules to be created, we see that the valid interfaces on the drop-down list are as follows:

In fact, behind the scenes, in RutOS we see that the Loopback interface still exists, but it should no longer be used in the definition of the rules. Some other mechanism works here. I dunno.

Overall, this is the Root Cause of Fault for the missing HTTPS remote access - a mismatching interface that should be changed from the wrong 127.0.0.1 (Loopback) to the correct 192.168.1.1 (Teltonika-RUT240.com) interface.
If you manually Edit the specific rule on the Port Forwards list and set the parameter “Internal IP address” to the value 192.168.1.1 (Teltonika-RUT240.com), you should restore full management access via HTTPS.

It looks to me like, while migrating settings from Legacy firmware RUT2XX_R_00.01.14.6 to RUT2_R_00.07.01.2,
the software didn't correct and map the old configuration's Loopback interface into the new rule definition using the lan interface (192.168.1.1 Teltonika-RUT240.com). This should be fixed, I guess, in upcoming software releases.

Last case scenario using the newest RutOS firmware, both *RUT2_R_00.07.02 and RUT2_R_00.07.03:
when configuring everything from factory default settings, set Passthrough for the Mobile interface mob1s1a1 and the Remote Management options.

Whatever approach you choose at the beginning, you end up with the same failed result:
first set Passthrough <> then set Remote Management options, or vice versa
first set Remote Management options <> then set Passthrough

Going to the Firewall -> Port Forwards section we see that the list is completely empty, but the firmware should by default automatically add here the respective rules for remote HTTPS and SSH access (my example ports 9443 and 9022). Nothing is added by RutOS, sadly.

Now you need to manually create specific rules in order to have external remote access via HTTPS and SSH.

The rules will allow and enable incoming traffic for remote access via HTTPS 9443/SSH 9022 to be redirected (forwarded and terminated) at the Teltonika, while the rest of the remaining traffic for other ports is passed through (transparently) to the Cisco.
An interesting fact is that the interface 192.168.1.1 (Teltonika-RUT240.com) in the rules points to port lan; this is only rule-mapping, so regardless of the current Up/Down status of the physical port, those rules will always cause traffic to be redirected to the internal interface at the Teltonika on 9443/9022.

We add the new rules here by typing:
Name = Enable_SSH_WAN_PASSTHROUGH
External Port = 9022
Internal IP Address = 192.168.1.1 (Teltonika-RUT240.com) > choose from drop down list
Internal Port = 9022

Name = Enable_HTTPS_WAN_PASSTHROUGH
External Port = 9443
Internal IP Address = 192.168.1.1 (Teltonika-RUT240.com) > choose from drop down list
Internal Port = 9443


Click Add and then Save & Apply.

Detailed configuration of the policy HTTPS_WAN_PASSTHROUGH after clicking the Edit button:

This should fix problems with remote access.

Best answer
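The answer above boils down to one config check: after a legacy-to-7.x upgrade, any Port Forwards rule whose Internal IP address is still 127.0.0.1 has to be re-pointed at the router's LAN address (192.168.1.1 here) before remote HTTPS/SSH management works again in Passthrough mode. The script below is an added example, not Teltonika's code and not part of the answer, that audits an exported firewall config for exactly that condition and prints the commands that would fix it. It assumes RutOS is OpenWrt-based, so that `uci export firewall` produces the OpenWrt UCI text format and redirect sections use the OpenWrt option names `src`, `src_dport`, `dest_ip` and `dest_port`; the sample export embedded in it is constructed (the `Camera_RTSP` rule is invented to show that forwards to a real LAN host are left alone), and `/etc/init.d/firewall restart` is the OpenWrt convention, assumed to apply to RutOS as well.

```python
import re

# Constructed sample of a `uci export firewall` dump after a legacy 14.6 ->
# 7.x upgrade that kept settings.  Option names follow the OpenWrt firewall
# UCI schema (assumed for RutOS); rule names and ports come from the thread.
SAMPLE_UCI_EXPORT = """\
package firewall

config redirect
    option name 'Enable_HTTPS_WAN_PASSTHROUGH'
    option src 'wan'
    option src_dport '9443'
    option dest 'lan'
    option dest_ip '127.0.0.1'
    option dest_port '9443'
    option proto 'tcp'
    option target 'DNAT'

config redirect
    option name 'Enable_SSH_WAN_PASSTHROUGH'
    option src 'wan'
    option src_dport '9022'
    option dest 'lan'
    option dest_ip '127.0.0.1'
    option dest_port '9022'
    option proto 'tcp'
    option target 'DNAT'

config redirect
    option name 'Camera_RTSP'
    option src 'wan'
    option src_dport '554'
    option dest 'lan'
    option dest_ip '192.168.1.50'
    option dest_port '554'
    option proto 'tcp'
    option target 'DNAT'
"""

LOOPBACK = "127.0.0.1"
SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
OPTION_RE = re.compile(r"^option\s+(\S+)\s+'(.*)'$")


def parse_uci_export(text):
    """Parse UCI export text into a list of {"type", "name", "options"} dicts.
    Anonymous sections get the name uci itself uses for them (@redirect[0], ...).
    `list` lines are ignored; redirect rules do not need them for this check."""
    sections, counters, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("package "):
            continue
        m = SECTION_RE.match(line)
        if m:
            stype, sname = m.group(1), m.group(2)
            idx = counters.get(stype, 0)
            counters[stype] = idx + 1
            if sname is None:
                sname = f"@{stype}[{idx}]"
            current = {"type": stype, "name": sname, "options": {}}
            sections.append(current)
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            current["options"][m.group(1)] = m.group(2)
    return sections


def find_loopback_redirects(sections):
    """Redirect rules whose internal IP is 127.0.0.1: the legacy 14.6 style that
    the 7.x firmware accepts but no longer delivers to the router itself."""
    return [s for s in sections
            if s["type"] == "redirect" and s["options"].get("dest_ip") == LOOPBACK]


def rewrite_loopback_redirects(sections, lan_ip="192.168.1.1"):
    """Copy of the sections with every loopback redirect re-pointed at the LAN IP."""
    fixed = []
    for s in sections:
        opts = dict(s["options"])
        if s["type"] == "redirect" and opts.get("dest_ip") == LOOPBACK:
            opts["dest_ip"] = lan_ip
        fixed.append({"type": s["type"], "name": s["name"], "options": opts})
    return fixed


def migration_commands(sections, lan_ip="192.168.1.1"):
    """uci CLI lines that apply the same rewrite on the device (assumed OpenWrt
    conventions: `uci set/commit` and the firewall init script restart)."""
    cmds = [f"uci set firewall.{s['name']}.dest_ip='{lan_ip}'"
            for s in find_loopback_redirects(sections)]
    if cmds:
        cmds += ["uci commit firewall", "/etc/init.d/firewall restart"]
    return cmds


if __name__ == "__main__":
    parsed = parse_uci_export(SAMPLE_UCI_EXPORT)
    for rule in find_loopback_redirects(parsed):
        o = rule["options"]
        print(f"needs migration: {o.get('name')} ({o.get('src_dport')} -> {o['dest_ip']}:{o.get('dest_port')})")
    print("\n".join(migration_commands(parsed)))
```

Run it against a real `uci export firewall` dump instead of the embedded sample to get the exact `uci set` lines for that unit; re-running `find_loopback_redirects` on the rewritten sections returning an empty list is the check that nothing was missed. The script only reports and rewrites rules that target 127.0.0.1, so ordinary forwards to LAN hosts are untouched.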
by anonymous
What I wish and want from the Teltonika Developers Team is to prepare a fix and patch for RutOS firmware with:
- *to be considered* an attention warning message for the Remote Access section describing what the device is doing behind the scenes (adds specific Port Forwards rules)
- *to be considered* an additional attention warning message for Passthrough mode on the Mobile interface
- Create re-mapping of policies between Legacy 14.6 and the newest version 07.03 – when upgrading from old firmware this will detect the old configuration and specifically rewrite it to reflect the new Port Forwards rule style in the newer software.
I guess it needs to change the Loopback interface to 192.168.1.1 (Teltonika-RUT240.com).
- by default, in the newest RutOS RUT2_R_00.07.03 firmware, automatically create the Port Forwards rules once again, the same way as they were created in the Legacy firmware, when you allow remote access for HTTPS/SSH in the Access Control section.

Business justification and demands:
- For a single Teltonika RUT240 device, it's fairly easy to reconfigure it offline on the desk to make it work correctly.

- In the real world, in my Organization we have hundreds of deployed, installed and already online running Teltonika RUT240s at customer sites, each of them set as Passthrough providing backup LTE Internet access or a backup VPN-based solution. Right now, it's impossible to upgrade the firmware from Legacy to the newer RutOS 07.03 and future releases, because we will get stuck and lose existing remote access and management over HTTPS/SSH to them.
Sending a field technician/engineer on site only to simply change the config locally is not an option; it's not affordable and is cost-expensive in this situation. This has to be fixed globally.

What makes the situation worse is that RUT240s purchased from the local dealer come into my company's logistics with the factory default Legacy firmware 14.6, so currently nobody cares about upgrading at startup config and keeping the firmware updated, which fixed many hang-ups, unstable operation and problems from the past that were already patched.
by anonymous
Thank you for sharing the solution and providing a very detailed report.

The issue has been forwarded to the developers.

Port forwarding rules should be generated automatically. It is an oversight. Currently, automated firewall configuration with passthrough mode is set to be re-implemented with the 7.5 firmware release.

Best regards,
0 votes
by anonymous

I forgot, below I also attach screenshots starting from a scratch configuration in RUTOS 07.02:

This time the Firewall section is much cleaner than earlier.

Generally, I tried to configure the RUT240 the same way in the latest available firmware RUTOS 07.03.

by anonymous

Hello,

Thank you for bringing this up and sharing your detailed testing report.

I have done some testing of my own and indeed the legacy and current RutOS firmware versions behave differently when treating remote device access when it is configured in passthrough mode.

For one, the legacy firmware displays its mobile interface wwan0 with a 1.2.3.4 IP address assigned, while RutOS has no address assigned.

Also, when accessed remotely, a tcpdump capture shows that packets from the remote connection are forwarded to some passthrough.lan host, which directs to the RUT device and allows logging in to the router. RutOS, on the other hand, transparently forwards packets from the remote host to the device which has the public IP from the RUT assigned, completely ignoring the router in between.

Both devices, though, remain accessible over the RMS platform.

I will consult the developers on which behavior is the intended one.

Best regards,

by anonymous
Thank you for the answer.

I have spent many days and done more research and succeeded with some configuration changes that finally allow remote access.

I will share the explanation in the next answer for the Community.