by anonymous
I now have the second modem (RUT360 there is no space), so now I have the RUTX14 :). I need to use Netmaker, but there is no support for this, only WireGuard. I need to make this like an egress point and connect it to Netmaker.

Will there be support for this in the near future? Or what are the steps to use this VPN solution with forwarding from GSM to LAN?

I also need to have multiple subnets, 172.x.x.x and 192.x.x.x, to be able to connect to all machines on the line.

Thank you

1 Answer

by anonymous

Hello,


Natively, as you mentioned, Netmaker is not supported on our devices. However, it seems like it's possible to install it and get it running. To do so:

  • Log in to the device's SSH shell. Instructions on how to do this can be found here.
  • Run these commands:
    • wget https://raw.githubusercontent.com/gravitl/netmaker/master/scripts/netclient-install.sh | VERSION="0.17.1" sh -
    • chmod +x netclient-install.sh
    • wget https://raw.githubusercontent.com/gravitl/netmaker/master/scripts/openwrt-daemon.sh
    • chmod +x openwrt-daemon.sh
    • ./netclient-install.sh (this step may take a while)
    • cp openwrt-daemon.sh /etc/init.d/netclient
    • /etc/init.d/netclient enable
    • Reboot the device
    • /etc/init.d/netclient start
    • netclient join -t <network_ID> (copy the command from web interface clicking on Access keys -> keymapvpn -> join command)

These instructions were made by Reddit user u/Cucalister. The original post detailing them can be found here.

There are also pre-compiled .ipk files for this package; however, I did not have much success running the service after installing it.

Hope this helps!


Best regards,
DaumantasG

by anonymous
Hi, many thanks. What I was doing was a little different :)

Yes, the real ipk is not functioning; it runs only 1-5 minutes ... Now I made the connection, let's see if it will remain active :)

BTW => if you are doing this egress gateway, will you use eth0, br-lan or wwan0 (SIM modem)?

Do you also change the firewall / routing rules?
by anonymous

Hello,

I don't have a server setup to test this on, so I have not done it personally, however, in the Reddit post, it is suggested to use the LAN IP, so br-lan network IP should be used (192.168.1.0/24 by default). Let us know how it goes!

Best regards,
DaumantasG

by anonymous
OK, I tried this but for now no luck. RUTX14 => Keyence scanner SR-2000 => same subnet. Egress on br-lan, ingress also active.

Connected from the notebook I have internet, so the outgoing connection is OK. I can also ping this gateway, but not the RUT, I don't know why.
by anonymous
It looks like now it is only a problem of firewall and routes:

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: Destination port unreachable.
Reply from 192.168.1.1: Destination port unreachable.
Reply from 192.168.1.1: Destination port unreachable.
Reply from 192.168.1.1: Destination port unreachable.

C:\Users\bnejedz>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:
Reply from 10.86.238.1: Destination port unreachable.
Reply from 10.86.238.1: Destination port unreachable.
Reply from 10.86.238.1: Destination port unreachable.
Reply from 10.86.238.1: Destination port unreachable.

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

I don't know what to change in the RUTX :( to make it function :(. My other network (home) is all functioning without problem.
by anonymous
Hello,


Indeed, this seems like a firewall issue. Could you try creating a separate network interface, binding the connection to it, and then creating a separate firewall zone for this interface and allowing the input, output, and forwarding? Then this zone could be experimented with (allowing forwarding from different zones, etc.)

I'm not quite sure how this package is implemented and do not really have a way to test it. Perhaps someone more experienced with this package will stumble upon this thread and will be able to help out.

If the question about Netmaker is brought up by our RnD team, I'll inform them that there is interest in it.

Best regards,
DaumantasG
by anonymous
I made a WireGuard interface today to see how this is configured :). And I need to say that I made everything the same (almost) and it is still not running :(. "prace" is the Netmaker VPN, made according to the link. I am thinking, is it not needed to change option proto 'none' to 'netclient' or 'wireguard'? (Netmaker is using WireGuard ...). I will also add my firewall rules. If you see some bad adjustments ... Thank you

config interface 'prace'
        option proto 'none'
        option ifname 'prace'
        option metric '6'

config interface 'wgN'
        option proto 'wireguard'
        option private_key 'SKs6M+xxxxz7sxxx5iyFbxxxR2DfcgcDjuK4P/Ijh00='
        option listen_port '51820'
        option public_key 'enEmHxxxxawYmxxxRbsTxxx/YFyGB0cToisOKIVBW1Q='
        option disabled '1'

config wireguard_wgN 'praceWG'
        option public_key 'pXkZxxxxrS+85V0sSvtipLOxxxxCOoYrGT+H5dudW0='
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'

Firewall:

config defaults '1'
        option flow_offloading '1'
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '0'
        option auto_helper '1'
        option synflood_rate '25/s'
        option synflood_burst '50'
        option tcp_syncookies '0'

config zone '2'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '0'
        option masq '0'
        option log '0'
        option conntrack '0'
        option network 'lan'

config zone '3'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option network 'wan wan6 mob1s1a1 mob1s2a1'
        option log '0'
        option conntrack '0'
        option masq '1'

config rule '5'
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option enabled '1'

config rule '6'
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option enabled '1'
        option utc_time '0'

config rule '7'
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '1'

config rule '8'
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule '9'
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule '10'
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule '11'
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule '12'
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '1'

config rule '13'
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '1'
        option utc_time '0'

config include '14'
        option path '/etc/firewall.user'

config rule '15'
        option dest_port '22'
        option proto 'tcp'
        option name 'Enable_SSH_WAN'
        option target 'ACCEPT'
        option src 'wan'
        option enabled '0'

config rule '16'
        option dest_port '80'
        option proto 'tcp'
        option name 'Enable_HTTP_WAN'
        option target 'ACCEPT'
        option src 'wan'
        option enabled '1'

config rule '17'
        option dest_port '443'
        option proto 'tcp'
        option name 'Enable_HTTPS_WAN'
        option target 'ACCEPT'
        option src 'wan'
        option enabled '1'

config rule '18'
        option dest_port '4200-4220'
        option proto 'tcp'
        option name 'Enable_CLI_WAN'
        option target 'ACCEPT'
        option src 'wan'
        option enabled '0'

config rule '19'
        option src_port '5353'
        option src 'lan'
        option name 'Allow-mDNS'
        option target 'ACCEPT'
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        list proto 'udp'
        option enabled '1'

config include 'pscan'
        option port_scan '0'
        option type 'script'
        option reload '1'
        option path '/usr/bin/port-scan-prevention'
        option x_max '0'
        option null_flags '0'
        option syn_fin '0'
        option syn_rst '0'
        option nmap_fin '0'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config zone '22'
        option name 'prace'
        option masq '1'
        option input 'ACCEPT'
        option forward 'REJECT'
        option network 'prace'
        option output 'ACCEPT'
        option mtu_fix '0'

config zone '23'
        option name 'wireguard'
        option masq '1'
        option input 'ACCEPT'
        option forward 'REJECT'
        option network 'wgN'
        option output 'ACCEPT'
        option mtu_fix '0'

config rule '26'
        option dest_port '51820'
        option src 'wan'
        option name 'Allow-wireguard_wgN-traffic'
        option target 'ACCEPT'
        option vpn_type 'wireguard'
        option proto 'udp'
        option family 'ipv4'

config forwarding '30'
        option dest 'wan'
        option src 'lan'

config forwarding '31'
        option dest 'wireguard'
        option src 'lan'

config forwarding '32'
        option dest 'prace'
        option src 'lan'

config forwarding '33'
        option dest 'lan'
        option src 'wireguard'

config forwarding '34'
        option dest 'lan'
        option src 'prace'
by anonymous
I turned the firewall "off" => setting everything to ACCEPT. Now from outside I can see the web page of the RUTX, but not the scanner :(

So it is something with routing now :(

I need everything from netmaker/wireguard <=> eth0

The egress point: if I add

eth0 => no WebUI

br-lan => OK => no connection to other devices (e.g. WebUI 192.168.1.1, scanner 192.168.1.2)

wwan0 => OK => no WebUI
by anonymous

Hello,

Please attach the troubleshoot file from the router by generating it in System → Administration → Troubleshoot.

Make sure the Wireguard zone can forward traffic to the LAN zone. You could also try creating a firewall rule to allow port 80 of the Device (input) zone to be reachable from the Wireguard tunnel. This should let you reach the device WebUI.

Otherwise, perhaps there is a route missing on your end to the LAN of RUTX14?

Best regards,
DaumantasG
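
The two firewall checks suggested above (zone-to-LAN forwarding in both directions, and an input rule so the WebUI is reachable from the tunnel) can be verified against the text of /etc/config/firewall before rebooting. The following audit script is an added example, not code from this thread or from Teltonika; it assumes the VPN interface is named 'prace' as in the poster's config, and the excerpt it parses is constructed for the demonstration.

```python
import re

# Constructed excerpt modelled on the firewall config posted in this thread;
# the VPN zone is deliberately left with the weak/missing settings.
SAMPLE = """\
config zone '2'
        option name 'lan'
        option input 'ACCEPT'
        option network 'lan'

config zone '22'
        option name 'prace'
        option input 'REJECT'
        option forward 'REJECT'
        option network 'prace'

config forwarding '32'
        option dest 'prace'
        option src 'lan'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, options)]; 'list' keys become lists."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"\s*(option|list)\s+(\S+)\s+'([^']*)'", line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][1]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def audit_vpn_zone(text, iface, webui_port="80"):
    """Return the checks that the zone owning `iface` fails: WebUI reachable
    from the tunnel (zone input ACCEPT or an explicit accept rule) and
    forwarding in both directions between that zone and 'lan'."""
    secs = parse_uci(text)
    zone = next((o for t, o in secs if t == "zone"
                 and iface in o.get("network", "").split()), None)
    if zone is None:
        return [f"no firewall zone contains interface {iface}"]
    name = zone["name"]
    fwd = {(o.get("src"), o.get("dest")) for t, o in secs if t == "forwarding"}
    # A rule with src=zone and no dest applies to traffic into the device itself.
    rule_ok = any(o.get("src") == name and "dest" not in o
                  and o.get("dest_port") == webui_port and o.get("target") == "ACCEPT"
                  and o.get("enabled", "1") != "0" for t, o in secs if t == "rule")
    problems = []
    if zone.get("input", "REJECT") != "ACCEPT" and not rule_ok:
        problems.append(f"zone {name}: input is not ACCEPT and no rule accepts "
                        f"tcp/{webui_port} from it, so the WebUI is unreachable")
    if (name, "lan") not in fwd:
        problems.append(f"missing forwarding {name} -> lan: VPN peers cannot reach LAN hosts")
    if ("lan", name) not in fwd:
        problems.append(f"missing forwarding lan -> {name}: LAN hosts cannot reach VPN peers")
    return problems
```

Run it against the real file with `audit_vpn_zone(open('/etc/config/firewall').read(), 'prace')` on the router; an empty list means the two checks pass.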

by anonymous

https://community.teltonika-networks.com/?qa=blob&qa_blobid=8153771362984072077

I added the Troubleshoot. 

WireGuard is configured but not used; I am using the Netmaker VPN => dev nm-prace

by anonymous

Hello,

Indeed, it seems like this feature would require some additional development, which is not planned at the moment. As RutOS somewhat differs from "vanilla" OpenWRT, the configuration would also be different.

I'm afraid I will not be able to find the exact procedure on how to achieve this, however, if I have some free time in the future, I will investigate it further.

For now, I'd recommend considering alternatives like ZeroTier, which is already implemented into RutOS. DMVPN Phase 3 configuration also allows client-to-client communication.

Best regards,
DaumantasG

by anonymous
I understand :(, the problem is that we have a Netmaker server ...

BTW, I see that I am not alone in asking about Teltonika supporting Netmaker. I will still try to investigate more and try different setups :); if I find something I will come back. Looking forward to your reply ;) and hope with a solution :) Many thanks.

P.S.

I also tried to add a gateway and a route from/to, with no success for now.
by anonymous
If you manage to find the solution, we'd be glad if you could share it here, so that anyone looking for it could save some time figuring it out. Thanks!

Best regards,
DaumantasG
by anonymous

https://community.teltonika-networks.com/?qa=blob&qa_blobid=11194554831588887883

Managed to see 1 IP through the tunnel, 192.168.1.2 => connecting only by web (the rest of the ports not functioning)

and also the other scanner 192.168.100.10 => for now cannot see / cannot ping :(

by anonymous
Hello,


In the firewall rules, try changing the Wireguard zone to allow forwarding, input, and output. This may help.

Also, are you able to access the WebUI using the tunnel IP of RUTX14 or the LAN IP?


Best regards,
DaumantasG
by anonymous

https://community.teltonika-networks.com/?qa=blob&qa_blobid=351204370790742178

https://community.teltonika-networks.com/?qa=blob&qa_blobid=2362254479017863537

New finding:

1. RUTX14 => back to factory state

2. reinstall all =>

Now the problem:

  when I use the WAN port => all running OK

  when I use SIM => not running :(

What do I need to change to run with SIM?

by anonymous

Hello,


If you're using WAN and Mobile connections at the same time, try enabling the load balancing between these two interfaces in Network → Failover, and select Load Balancing instead of Failover in the top-right corner.

Let me know if this helps.


Best regards,
DaumantasG

by anonymous

Hello, I am not using both, it was only a test ... due to it not functioning. When I added WAN => everything started to function without problem, VPN ... all. When I remain on SIM then NOK. It is like something is missing.

I also did the failover, load balancing ...; when I pull out the WAN cable => no more communication ..., the modem has internet, when I try opkg update all is OK ..., but no VPN / no possibility to reach the WebUI by VPN ... it is like the SIM is out ... WAN is OK. What is missing?

It is like WAN has different rules than mob1s1a1

P.S.

1. when I use WAN => VPN is receiving the right IP address of the VPN

2. when I use SIM => VPN is receiving the IP of the SIM

by anonymous

Finally managed to get it functioning.

For now it is on 192.168.1.0/24 and 192.168.100.0/24 => see troubleshoot file :)

https://community.teltonika-networks.com/?qa=blob&qa_blobid=15874181735674746336

Now I need to add more :) the 172.16.70.0/24 subnet, this is the next task. If everything functions then I will buy new RUTX :) because I need them ;)

After I manage everything I will make a step by step :) / or what I did to make it function :)

by anonymous

Hello,

Just to clarify, you'd like to reach this subnet over the VPN connection from the RUTX14?

Best regards,
DaumantasG

by anonymous

yes: 1 VPN, 4 subnets

192.168.1.0/24

192.168.10.0/24

192.168.100.0/24

172.16.70.0/24

Then this will be universal for all of my machines :) so 1 connection and I can cover all.

by anonymous

Have you tried adding a static route like this?

Instead of LAN, select the network interface that you created for the VPN tunnel.

Best regards,
DaumantasG

by anonymous

with unicast => not functioning

by anonymous
Are other routes still reachable?

In the previous troubleshoot file I saw that the logs contained information about the network connecting and disconnecting multiple times. Is the VPN connection itself stable and working well? Perhaps something should be changed in the Netmaker settings to be able to reach this network?


Best regards,
DaumantasG
by anonymous

the egress: 192.168.1.0/24,192.168.100.0/24,172.16.70.0/24, allowed IPs: 192.168.1.0/24,192.168.100.0/24,172.16.70.0/24

I managed to get the subnets functioning; only 1 is not functioning, the 172.16...

https://community.teltonika-networks.com/?qa=blob&qa_blobid=8305218764415086040

Why is it not routing to 172.16?

Thank you for help

by anonymous
Update:

All is running => maybe it needs some time to update the ARP? And also each machine needs to have a gateway set (IP of the LAN of the RUTX14)

Need more testing but it is already on a good way :)
by anonymous

Update2:

All is running when it is plain IP ... when I change them to Profinet, this is not passing through. When I connect directly to the switch all OK. By VPN no. Don't know where the problem is ... need to investigate.

Update3:

Found something: "The tunnel should support opening the communication in both direction for Ethernet frametype 0x8892 for PROFINET and 0x8100 for the 802.11Q Virtual LAN type, otherwise it will not work." Now I need to find what it is and how to ...

by anonymous
Hello,

Profinet IO data uses Layer 2 for communication, thus it will not work over a VPN like Wireguard, which operates on Layer 3. Profinet will be implemented into our upcoming switch, however, at the moment it is not supported.

EDIT: If Profinet TCP/IP is used, then it should be routable, but at the control level, usually L2 Profinet is used.

Best regards,
DaumantasG