by anonymous

I successfully established a network configuration (https://community.teltonika-networks.com/56872/acces-devices-camera-from-devices-second-using-rutx12-rutx08) with two separated networks (thanks for the great help!)

1) ScienceNet: RUTX12 for Internet, 192.168.115.x with 2 VLANs: one is the ScienceNet at 192.168.115.x and the second connects with 192.168.10.x. The RUTX12 serves as gateway at 192.168.10.1 and 192.168.115.1

2) NaviNet: RUTX07 contains the navigation chartplotter and radar system of a ship, connects via a separated, the RUTX08 serves as DHCP on 192.168.10.2.

I was able, by the above-mentioned configuration, to separate the networks but allow Internet access from the NaviNet. However, I also established access from NaviNet to 3 IP cameras providing images from the mast, the bow and the stern by applying appropriate firewall settings.

However, I figured out that I also need access from the ScienceNet to the main chartplotter on 192.168.10.10 from the two computers at 192.168.115.10 and 192.168.115.20. I tried a similar firewall configuration to the one for the cameras.

  • Network -> Firewall -> Traffic rules. Add a new instance of the Add new forward rule type. Attach a name to it, set Source zone as ScienceNet and Destination zone as NaviNet.
  • In the rule configuration window, add the PC as source.

But in this direction the connections did not work.
Is this caused by the routing tables I used to split the two networks?
Does somebody have an idea how to solve this issue? I think it is just a small error ...
Best
Hannes


1 Answer

0 votes
by anonymous

Hi,

It is a bit unclear what traffic splitting you have configured. Using an additional routing table to manage access to different VLANs should not be necessary. Unless I am missing something here.

I would suggest taking a look at our wiki article here which describes how to configure a firewall for inter-zone communication. However, in your case, it seems that you want more control over what devices should be able to communicate. For this, you can use firewall traffic rules.

Is my understanding correct that when you remove the network splitting configuration (via an additional routing table), then everything works and all the devices can communicate?

If it is working and all devices can communicate, then, you can set the VLAN Firewall zone to block traffic (reject forwarding - refer to the article I have linked), and then configure a firewall traffic rule to accept traffic only from the specified IP addresses and zone, to the specified IP and zone. You can specify multiple IP addresses in one rule. This way, packets that match the traffic rule will be accepted and forwarded, while other packets will not match the rule and will be rejected.

In case you encounter any issues, it would be great if you could provide a topology to better understand your scenario. Also, a troubleshoot file from both devices to better understand your current configuration.

Kind Regards,

Andzej
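As an added example (not from the thread and not Teltonika's own configuration), the layout Andzej describes can be written down as a RutOS/OpenWrt /etc/config/firewall fragment: both zones reject forwarded traffic, each zone may only reach wan, and a single traffic rule accepts the two PCs towards the chartplotter. The small awk audit below reads such a file and answers "what is this zone's forward policy" and "which accept rule lets host A reach host B", which is the check to run before and after editing rules. The zone names, network names, rule name and file location are assumptions; the addresses are the ones used in this thread, and option values are assumed to be single tokens without spaces.

```shell
#!/bin/sh
# Added example, not part of the thread: a constructed /etc/config/firewall fragment
# in RutOS/OpenWrt UCI syntax for the layout described above (zones reject forwarding,
# one traffic rule accepts only the two PCs towards the chartplotter), plus a small
# awk audit that reads such a file. Zone names, network names, the rule name and the
# file location are assumptions; the IP addresses are the ones from the thread.
# Option values are expected to be single tokens (no spaces), as in the sample.

SAMPLE_FW="${TMPDIR:-/tmp}/fw_sample.$$"
cat > "$SAMPLE_FW" <<'EOF'
config zone
    option name 'ScienceNet'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'NaviNet'
    list network 'vlan10'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'ScienceNet'
    option dest 'wan'

config forwarding
    option src 'NaviNet'
    option dest 'wan'

config rule
    option name 'Allow-PCs-to-Chartplotter'
    option src 'ScienceNet'
    list src_ip '192.168.115.10'
    list src_ip '192.168.115.20'
    option dest 'NaviNet'
    option dest_ip '192.168.10.10'
    option proto 'tcp'
    option target 'ACCEPT'
EOF

# zone_forward_policy FILE ZONE -> prints the zone's forward policy (ACCEPT/REJECT/DROP)
zone_forward_policy() {
    awk -v q="'" -v zone="$2" '
        function strip(s) { gsub(q, "", s); return s }
        function flush()  { if (type == "zone" && name == zone) print fwd; type = "" }
        $1 == "config" { flush(); type = $2; name = ""; fwd = "" }
        $1 == "option" && $2 == "name"    { name = strip($3) }
        $1 == "option" && $2 == "forward" { fwd  = strip($3) }
        END { flush() }
    ' "$1"
}

# rule_allows FILE SRC_IP DEST_IP -> prints the names of ACCEPT rules matching the pair.
# An empty src_ip list or a missing dest_ip in a rule means "any", as in the firewall itself.
rule_allows() {
    awk -v q="'" -v sip="$2" -v dip="$3" '
        function strip(s) { gsub(q, "", s); return s }
        function flush() {
            if (type == "rule" && target == "ACCEPT" &&
                (dest_ip == "" || dest_ip == dip) && (nsrc == 0 || (sip in srcs)))
                print name
            type = ""
        }
        $1 == "config" { flush(); type = $2; name = ""; target = ""; dest_ip = ""; nsrc = 0; split("", srcs) }
        $1 == "option" && $2 == "name"    { name    = strip($3) }
        $1 == "option" && $2 == "target"  { target  = strip($3) }
        $1 == "option" && $2 == "dest_ip" { dest_ip = strip($3) }
        $1 == "list"   && $2 == "src_ip"  { srcs[strip($3)] = 1; nsrc++ }
        END { flush() }
    ' "$1"
}

echo "NaviNet forward policy: $(zone_forward_policy "$SAMPLE_FW" NaviNet)"
echo "192.168.115.10 -> 192.168.10.10 allowed by: $(rule_allows "$SAMPLE_FW" 192.168.115.10 192.168.10.10)"
echo "192.168.115.30 -> 192.168.10.10 allowed by: $(rule_allows "$SAMPLE_FW" 192.168.115.30 192.168.10.10)"
```

Because there is no forwarding section between the two zones, the rule is the only path from ScienceNet into NaviNet, so a third PC (192.168.115.30) or a second destination (192.168.10.20) is rejected until it is added to the list. On a router the same audit can be pointed at the real file instead of the constructed sample.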

by anonymous

Hi Andzej,

thanks for the fast reply. I attach an image with the topology below.
For several reasons both networks should be working independently. The 192.168.10.X is the network for navigation on a ship and the other network is used for PCs, video, ROV, .... everything that is not security relevant.

The RUTX12 provides Internet with the dual LTE modems for both networks.

The VLAN on RUTX12 is port based with eth0 for 192.168.115.x and eth1 for 192.168.10.X

The RUTX12 is the DHCP server of the 192.168.115.X and the RUTX8 the DHCP server of 192.168.10.X. In the interface configuration of the 192.168.10.X network on the RUTX12, the RUTX12 is working as DHCP relay.

At the end, traffic from 192.168.115.X and 192.168.10.X is only allowed towards the Internet, with no communication between them.
However, single devices are allowed to have certain TCP connections.
For example, the chartplotters (192.168.10.10, .20 and .30) are allowed to communicate with the IP cameras at 192.168.115.50, .51 and .52. This is done by a traffic rule allowing TCP traffic from 192.168.10.X to 192.168.115.50.

The network share on 192.168.115.1 (an SSD drive made available by the RUTX12) is also available.

However, it is not possible to reach 192.168.10.10 from a computer in the 192.168.115.x network. I tried with a similar traffic rule:
TCP traffic from 192.168.115.x is allowed to 192.168.10.10.

Now my guess was the splitting as described here: https://wiki.teltonika-networks.com/view/Splitting_Network_Traffic_Via_Multiple_Interfaces

But it might be that the splitting via the routing tables would not even be necessary, if I understand you right.
Therefore I will try your firewall configuration example in the next days and deactivate the traffic routes.
I think it will take some days, as we have some running projects and I need to pick a day with a bit of time before I deactivate the network.

Thank you very much!

If it helps I can provide the Router configuration files for the RUTX8 and the RUTX12...

Best Hannes

by anonymous

Hi,

Thanks for the information. It is helpful.

Could you check a few things on RUTX12?

I assume that your current firewall zone configurations do not allow traffic to pass from the ScienceNet zone (the LAN zone with the IP range of 192.168.115.0/24) to the NaviNet zone (the VLAN zone that you created for the 192.168.10.2 interface).

So firstly, to allow only specific PCs, you need to have a traffic rule. In Network -> Firewall -> Traffic rules, please ensure that there is a rule allowing traffic from the PCs in the ScienceNet zone to the necessary IP addresses in the NaviNet zone.

For the source IP addresses, specify the IP addresses of the PCs in the 192.168.115.0/24 network. You may also add the desired destination addresses in the 192.168.10.0/24 network.

Secondly, could you check that your RUTX12 has a route to the 192.168.10.0/24 network via 192.168.10.1? (if you added a route via a second routing table in Advanced Static Routes, the route will not be shown).

You can connect to your router via SSH/CLI and execute:

  • ip route show

or

  • route -n

There should be a route to 192.168.10.0/24 via 192.168.10.1.

If the route is not listed, you can add a static route to 192.168.10.0 255.255.255.0 via the 192.168.10.1 gateway in Network -> Routing -> Static routes.

In case this does not help, could you please provide troubleshoot files and I will take a look at your configurations?

Kind Regards,

Andzej
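The route check above can be scripted, which matters because of the caveat Andzej mentions: a route added through a second routing table does not appear in a plain "ip route show". The following is an added example, not part of the thread, working over three constructed dumps: one where the route is missing, one where "ip route show table all" reveals it only in a secondary table (table 2, the kind of table the split-traffic wiki setup creates), and one where the static route has been added to the main table. Interface names and the WAN addresses are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: check `ip route show` output for the route
# Andzej asks about. The three dumps are constructed. In TABLE_ALL the 192.168.10.0/24
# route lives only in a secondary table (table 2), so a plain `ip route show`
# (MAIN_ONLY) does not list it; FIXED is what the main table looks like after the
# static route from Network -> Routing -> Static routes is added. Interface names
# and the WAN addresses are assumptions.

MAIN_ONLY='default via 10.0.0.1 dev wwan0 metric 1
10.0.0.0/24 dev wwan0 scope link src 10.0.0.5
192.168.115.0/24 dev br-lan scope link src 192.168.115.1'

# What `ip route show table all` adds on top: the split-traffic table 2 with its own default.
TABLE_ALL="$MAIN_ONLY
192.168.10.0/24 via 192.168.10.1 dev eth1 table 2
default via 10.0.0.1 dev wwan0 table 2"

FIXED="$MAIN_ONLY
192.168.10.0/24 via 192.168.10.1 dev eth1"

# route_nexthop DUMP PREFIX -> prints "<table> <gateway>" for every entry matching PREFIX;
# "main" when no table keyword is shown and "direct" for a connected (link) route.
route_nexthop() {
    printf '%s\n' "$1" | awk -v prefix="$2" '
        $1 == prefix {
            gw = "direct"; tbl = "main"
            for (i = 2; i <= NF; i++) {
                if ($i == "via")   gw  = $(i + 1)
                if ($i == "table") tbl = $(i + 1)
            }
            print tbl " " gw
        }'
}

# check_main_route DUMP PREFIX GATEWAY -> exit 0 only if PREFIX is routed via GATEWAY
# in the main table, which is what forwarded packets use unless a policy rule sends
# them to another table.
check_main_route() {
    printf '%s\n' "$1" | awk -v prefix="$2" -v gw="$3" '
        $1 == prefix && !/ table / {
            for (i = 2; i <= NF; i++) if ($i == "via" && $(i + 1) == gw) found = 1
        }
        END { exit found ? 0 : 1 }'
}

for name in MAIN_ONLY TABLE_ALL FIXED; do
    eval "dump=\$$name"
    if check_main_route "$dump" 192.168.10.0/24 192.168.10.1; then
        echo "$name: main table has 192.168.10.0/24 via 192.168.10.1"
    else
        echo "$name: no main-table route; entries seen: $(route_nexthop "$dump" 192.168.10.0/24 | tr '\n' ';')"
    fi
done
```

On the router itself, feed the functions with "$(ip route show table all)" instead of the constructed dumps: a hit that reports a table other than main is exactly the case where the route exists but the firewall-forwarded traffic from ScienceNet never uses it.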

by anonymous
Hi,

Thanks, it feels like the static route might be my problem.
I will try when I am on the ship again and drop a note!

Best

Hannes