FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
742 views 10 comments
by anonymous
I need to reach devices connected to the LAN of the RUT240. I have setup the VPN HUB and do not seem to have any trouble connecting it, however I am unable to reach any devices connected to the LAN. The LAN on my core Router is 10.100.1.0/24 and the LAN on the RUT240 is 10.101.1.5/24. I have attached the troubleshoot file and a drawing of the network. I need to be able to access the LAN when access through the normal core router is not available. Any help would be appreciated.

1 Answer

0 votes
by anonymous

Hello,

A few things:

  • Check if LAN forwarding is enabled in RMS VPN Hub -> Routes
  • It also seems that the RUT should be in the same network as the core router as they are interconnected via switch and seem to form a single network. Could you try changing the IP address on RUT to 10.100.1.5/24 ?
  • What is the default gateway on your end devices? In this case, you need to either put a RUT's IP address as the default gateway on the end devices, or add a static route on the end devices, such as 192.168.255.0/24 (VPN network) via 10.100.1.5 (ip address of RUT). 

Also, it seems like you could also consider VRRP in your topology, assuming the core router supports VRRP. This can be beneficial for redundancy purposes.

Let me know how it goes.

Kind Regards,

Andzej

by anonymous
  • LAN forwarding is Enabled
  • RUT Address is 10.101.1.5
  • Core Router is 10.101.1.1
  • Gateway on end devices is 10.101.1.1, This is the primary route for everything.
  • I am trying to create a way to reach end devices without going through the normal channels in order to have a means of troubleshooting the primary route. This Core router and the fiber circuit it is on has issues from time to time and I need a way of bypassing the Core router in order to troubleshoot.
  • I don't want a redundant path for all endpoints. Too much data! I just want a backdoor for trouble shooting.
by anonymous
Hi,

Likely the end device receives a packet from the RMS network, and since it does not have a route to it, it sends it via its default gateway i.e sends it to the core router. The core router does not have the route either, so it likely tries to send it via WAN.

Try adding a route on the end device to route 192.168.255.0/24 network via 10.101.1.5 (RUT). Or you can temporarily set the default gateway to 10.101.1.5 just for testing purposes and you can add the routes later on.

Kind Regards,

Andzej
by anonymous

That is kind of what I was thinking but the other end devices are pretty simple devices and do not have the ability to install static routes. Any other ideas on how to make this work?https://community.teltonika-networks.com/?qa=blob&qa_blobid=15860433180190138694

by anonymous

Hi,

On RUT240, you can try enabling LAN zone masquerading in Network -> Firewall (LAN => WAN). With masquerading on LAN, the end device will receive packets with source IP address of RUT240.

Alternatively, you can also try to configure a route on the core router to redirect 192.168.255.0 via RUT240.

Let me know how it goes.

Kind Regards,

Andzej

by anonymous

I tried the NAT rule but it doesn't seem to work either, if I got it right? I attached a screen shot from it for you to look at.https://community.teltonika-networks.com/?qa=blob&qa_blobid=5466939127214990999

by anonymous

Hi,

Sorry for the confusion. This is what I meant:

Let me know if it works.

Kind Regards,

Andzej

by anonymous

I have recently figured out what I thought would work and I am now able to ping the end device through the RMS VPN but it will not let me connect to the Web GUI of the end device. I have been looking for what may be blocking but have not found it yet.https://community.teltonika-networks.com/?qa=blob&qa_blobid=8856407629287112242

by anonymous

Hi,

Since you can ping the device, I assume the connectivity is there.

Could you check if you can reach the web interface of the end device via RMS Connect?

It can also be an MTU issue when using RMS VPN. Could you try editing the client's .ovpn file with Notepad or some other text editor, and try adding a tun-mtu option? For example:

  • tun-mtu 1360

Let me know if this helps.

Kind Regards,

Andzej

by anonymous
I was able to connect using the Remote Access in RMS. That's great, I didn't realize that was available. The MTU setting didn't help but I have solved the issue partially and I think it was my own doing. I wasn't aware we had a static route from my office router here to the core router at the remote site and when I connected the VPN it was creating a duplicate route to the remote site. I was able to disable the static route here at the office and all worked according to my original plan. Funny part is, that was what I was trying to do in the first place. The issue now though is that if the core router at the remote site is down neither device sees the gateway and now things don't work. Any Options you can think of?
by anonymous
Hello,

I assume the core router is the default gateway for all your devices, which is connected to the LAN port of RUT240 (maybe via switch). Now, when core router fails, the end devices do not have a gateway. Is that correct?

If I understood everything correctly, one of the options would be to connect the LAN port of the core router to WAN on RUT240. Of course, LAN and WAN networks on RUT240 would need to be on different subnets. By doing this, the end devices will utilize the RUT240 as their default gateway. The WAN connection on the RUT240 will serve as the primary connection, while the mobile connection will act as a backup (failover). Consequently, if the core router experiences a failure, the end devices will continue using the RUT240 as their default gateway, and the RUT240 will automatically switch to the mobile connection as the alternative route, bypassing the wired WAN through the core router.

This setup will provide failover functionality. However, if your intention is not to have the end devices utilize the mobile connection on the router, but rather to have a backdoor via RMS VPN, you can modify the firewall settings on the RUT240. Specifically, you would configure the firewall to drop packets originating from the LAN and destined for the mobile WAN. To achieve this, it is necessary to segregate the wired WAN and mobile connections into separate firewall zones, as they are grouped together in the default 'wan' zone by default. With this, traffic from the LAN to the wired WAN will be permitted, while traffic from the LAN to the mobile WAN will be blocked. Keep in mind that an RMS firewall zone is automatically created when you configure  RMS VPN Hub. So, even when the wired WAN is down, the mobile connection is active, and traffic from the LAN to the mobile WAN is dropped, you should still be able to access the end device over the RMS VPN.

Or, as I have already mentioned previously, you can try using VRRP.

Kind Regards,

Andzej