by anonymous
Hello,

We can reach our router (RUT240) connected to LTE from our company network via the external IP address.

End devices are connected to this router with WLAN or LAN. These devices receive IP addresses via DHCP and can also reach the servers in the company network via ping or HTTPS.

Now we would like to reach the end devices on the router from the company network to provide remote support. Unfortunately, we can't get the router configured so that the devices connected to the WLAN or LAN can be reached.

We have created the zone WAN -> LAN with MASQ under Firewall - General and created the destination subnet under Advanced.

In addition, we created a static route.

What else do we need? Traffic rules?

Thanks

Regards

leusel
by anonymous

Hi all,

I'm having a similar issue with my RUT240.
I can't reach a device's HTTPS WebUI (443) that is on the LAN via the RMS remote access.
RMS VPN is working fine and all devices on the LAN are reachable.

The RUT WebUI and SSH are reachable via Remote Access.

My RUT240 configuration is as follows:

  • FW version = RUT2_R_00.07.03.4
  • eth0 & eth1 are bridged (I don't need a WAN)
  • Access to Internet is via 4G LTE
  • Firewall rules are as set per default configuration
  • The tcpdump package is installed
Who can help me to diagnose what is wrong with my configuration?
Regards,

1 Answer

by anonymous

Hello,

Please refer to the link to know more about port forwarding if the end devices are capable of the configuration feature: https://wiki.teltonika-networks.com/view/RUT240_Firewall#Port_Forwards

Or please refer to the mentioned link to know more about VPN functionality: RUT240 VPN - Teltonika Networks Wiki (teltonika-networks.com)

Regards,

Akash R

by anonymous
Hi,

With a port forward rule we got access to an end device via the external IP of the router. But that doesn't help us, we need access to all devices connected to the router.

We have a VPN tunnel from our company to the external IP addresses of the router. Through this tunnel we reach the external address of the router and the outgoing traffic is also routed to our company.

We need a NAT rule that forwards incoming traffic to the router's external IP to the router's LAN address range.

Regards

Christian
by anonymous

Hello,

If you want to access all the devices connected to your router, you have to create multiple port forward rules, as you did for the first device.

NAT -> https://wiki.teltonika-networks.com/view/RUT240_Firewall#NAT_Rules

Please refer to the above link to know about the NAT configuration in RUT240.

Regards,

Akash R

by anonymous
Hi,

Is it possible to use an example to show where to set it? Screenshot? Thanks
by anonymous

Hello,

All the screenshots and detailed explanations are already present in the above-mentioned link; please refer to it for more info.

To configure port forwarding: WebUI -> Network -> Firewall -> Port Forwards

After configuring one device, click the Add button again to configure more devices.

Thank you

by anonymous
We tried the settings but it just doesn't work.

Can you tell us which rules exactly need to be activated? Thanks.
by anonymous
Hello,

To make it work, you have to configure the ports in the end device (the port you are trying to connect to). No other rules need to be activated to enable the port forward feature.

Thank you
by anonymous

Hello Christian,
Your objectives are unclear to me; I don't know what the external IP address in your example is: is it the public IP address of the far-end underlying connection in the Internet over which you set up the tunnel between the companies, or is it the far-end subnet you want routing and connectivity to?

Quote: "We need a NAT rule that forwards incoming traffic to the router's external IP to the router's LAN address range."
"With a port forward rule we got access to an end device via the external IP of the router. But that doesn't help us, we need access to all devices connected to the router."

I guess there are two (or even more) different approaches and designs here to be considered, depending on what you really need to configure in your case:

1) Routing between company LANs using a VPN tunnel (no additional NAT operation required; this allows you to utilize all ports for all hosts, just like in a normal LAN). In such a case, you configure two firewall zones that will allow traffic between the companies:
{CompanyA} RUT-LAN -> VPN-Tunnel {Company B}
{CompanyB} VPN-Tunnel -> RUT-LAN {Company A}
+
add some corresponding static/dynamic routing at both ends (routers) that will direct and forward traffic between the LANs over the VPN tunnel. In this case you will have full connectivity and can utilize all ports to the LAN connected behind the RUT for remote support.

Alternatively, you can create an S-NAT or D-NAT rule for the subnet of Company-A connected to the RUT240 into the external IP (like the point-to-point subnet of the VPN tunnel) and create rules for PAT - Port Address Translation. However, this approach will only allow you to have and operate one-to-one NAT bindings, so when you try to connect from Company-B (your subnet) through the VPN tunnel, for every host placed behind the RUT-LAN you can use the same port only once, so you cannot use it again in other rules (no repeating the same port).
What I'm saying is, if you want to use common well-known ports like HTTPS/443 or Remote Desktop - 3389, it will not be possible to clone or duplicate rules; you will need to build other rules using different ports like 443x [1-9] for every single host, and many entry rules.

2) Access remote devices via the outside public Internet IP address (using NAT from private->public IP + PortForwarding rules).

In this case, you utilize the outside public Internet IP address of Company-A, and create NAT rules at the RUT240 + set PortForwarding rules. The same behavior happens as I wrote above.

You can create an S-NAT or D-NAT rule for the subnet of Company-A connected to the RUT240 into the external IP (but in this case it's a publicly routable IP address in the Internet, not the VPN) and create rules for PAT - Port Address Translation. However, this approach will only allow you to have and operate one-to-one NAT bindings, so when you try to connect from Company-B (your subnet) through the Internet, for every host placed behind NAT (the network connected to the RUT-LAN) you can use the same port only once, so you cannot use it again in other rules (no repeating the same port).
What I'm saying is, if you want to use common well-known ports like HTTPS/443 or Remote Desktop - 3389, it will not be possible to clone or duplicate rules; you will need to build other rules using different ports like 443x [1-9] for the other hosts.

What comes better to my mind is to place another jump server in the RUT-LAN network. Thanks to that, you can create only one PortForwarding rule entry for 443/3389 to that single jump server. Then you connect from your Company-B into that server at Company-A (whether over VPN or the Internet), and from that server you jump to the other machines you want to support and create another (internal) session like HTTPS/SSH/RDP etc. using the ports you want, because you trigger it in the same LAN segment, meaning this traffic is no longer inspected by the gateway RUT router; it's treated as normal traffic in the LAN segment.

I hope I gave you some theoretical clues to find your approach. But it's also worth knowing some limitations. Wish you good luck.

Kind Regards,
Robert.
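As an added worked example (not part of this thread, nor Teltonika's code), the script below renders the port-forward rules Akash R and Robert describe in the form they take in an OpenWrt-style `/etc/config/firewall`, which the RUT firmware is assumed to follow: one `config redirect` (DNAT) stanza per LAN host on its own external port, a check for the reused-port collision Robert warns about, and the single-rule jump-server alternative. The LAN addresses, rule names and external ports are constructed values.

```python
# Added example (not from the thread): render OpenWrt-style 'config redirect'
# stanzas for forwarding to several LAN hosts. Assumes the RUT240 firewall
# file follows the OpenWrt format; IPs, names and ports are constructed.

def allocate_forwards(hosts, first_external_port=4431):
    """Give every LAN host its own external port (4431, 4432, ...)."""
    # DNAT on one WAN address is one-to-one per (proto, port), so two
    # hosts can never both be reached through external port 443.
    return [(first_external_port + i, ip) for i, ip in enumerate(hosts)]


def find_port_collision(forwards):
    """Return the first external port used by two rules, or None."""
    seen = set()
    for ext_port, _ip in forwards:
        if ext_port in seen:
            return ext_port
        seen.add(ext_port)
    return None


def render_redirect(name, ext_port, dest_ip, dest_port=443, proto="tcp"):
    """One 'config redirect' block as written in /etc/config/firewall."""
    return "\n".join([
        "config redirect",
        f"\toption name '{name}'",
        "\toption src 'wan'",
        f"\toption src_dport '{ext_port}'",
        "\toption dest 'lan'",
        f"\toption dest_ip '{dest_ip}'",
        f"\toption dest_port '{dest_port}'",
        f"\toption proto '{proto}'",
        "\toption target 'DNAT'",
    ])


def render_forwards(forwards, internal_port=443):
    """Render one rule per (external_port, lan_ip); reject a reused port."""
    dup = find_port_collision(forwards)
    if dup is not None:
        raise ValueError(f"external port {dup} is used by more than one rule")
    return "\n\n".join(
        render_redirect(f"https-{ip.replace('.', '-')}", ext, ip, internal_port)
        for ext, ip in forwards)


def render_jump_host(jump_ip, internal_port=443):
    """Robert's alternative: a single rule for 443 to the jump server only."""
    return render_redirect("https-jump", 443, jump_ip, internal_port)
```

`render_forwards(allocate_forwards(["192.168.1.10", "192.168.1.11"]))` prints two stanzas reachable on external ports 4431 and 4432; handing it two entries that both use 443 raises instead of silently producing a rule the router would never match.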