0 votes
519 views 3 comments
by anonymous
Hello,

I'm very new to Teltonika technology and could really do with some assistance with routing traffic via VPN!

I have a Teltonika RUTX50 with dynamic public IP which has an IPsec VPN to a Draytek router with static public IP. The VPN is up and running. Teltonika LAN IP 192.168.3.X, Draytek LAN IP 192.168.10.X

I'm using SIM 1 as my primary WAN and SIM 2 as failover (via SIM Switch)

So on the Teltonika router I have a VoIP phone that needs to present a static IP of the Draytek router to the VoIP server. I need to route the VoIP phone over the VPN to the Draytek, which then routes to the VoIP server.

I am trying to route the traffic via Static Routing. I've tried LAN and mob1 interface, target IP I use VoIP server address (would be nice to use hostname and port 5060 if possible too), subnet mask I use 255.255.255.0 and IP Gateway I have tried local LAN gateway (192.168.3.1) and the gateway on the Draytek (192.168.10.1).

The Teltonika is running the latest version of firmware RUTX_R_00.07.04.3.

Any help would be greatly appreciated.

Thanks

Steve

1 Answer

0 votes
by anonymous
Hello,

  

As I understand, you'd like to utilize the public IP available on the Draytek router to reach the VoIP device connected to the RUTX50 over a VPN connection. If that is the case, then most of the configuration like port forwarding and routing needs to be done on the Draytek router. The only thing that needs to be configured on the RUTX device is the VPN tunnel and to make the LAN network of the RUTX reachable on Draytek.

Since you are using IPsec, you will need to specify the local subnet of the RUTX LAN network in the Local subnet field of the IPsec configuration, and on the Draytek, the same subnet should be specified as the remote network.

If you would like the outgoing calls to also go over the VPN, then enable the default route option in the connection settings of the IPsec instance. This way all of the traffic from the RUTX LAN will be routed over the VPN. Keep in mind that if the default route is enabled, the local and remote subnet fields will disappear, and on the Draytek, 0.0.0.0/0 should be specified as the remote network.

EDIT: However, it should be noted, that VoIP communication is very latency sensitive, thus I'd advise against using such a setup, as the service quality will not be very good.

  

Best regards,
DaumantasG
by anonymous

Hello Daumantas,

Thank you so much for all your help and information. Please excuse my lack of knowledge and understanding of what I am trying to do!

I'm still unsure how to only route VoIP traffic from the RUTX to the VoIP server via the VPN and let all other traffic route out of the mobile WAN.  I have attached screenshots of my configurations in PDF docs.  Would you be kind enough to take a look and give me a little more guidance?  Also can you specify routing from the RUTX using port (5060) and hostname or can it only be IP address?

This is only for one VoIP per site and very little usage.

 

by anonymous

Hello Daumantas,

Sorry, my screenshots never uploaded. I have just tried again but I cannot send them via this message for some reason, which is particularly frustrating!

by anonymous

Hi, static routes shouldn't be necessary in this case.

If you've configured typical split-tunnel IPsec then there should be no need to configure any additional routing rules, at least on Teltonika side. As long as IPsec tunnel is "up", the kernel will automatically route packets [with a destination IP of remote subnet] via IPsec tunnel, there is no need for any additional routing rules. You could verify this with command "ip route get 192.168.10.1" - the output of this command will show you which path Teltonika router will choose to get the packet to the destination IP address (which is 192.168.10.1 in this example).

Assuming you have to reach a device (VoIP server?) on Draytek LAN side, I'd first verify generic connectivity with ping via CLI. Since you've provided local/remote subnets, IPsec configuration on Teltonika side should be something like this:

  • local subnet - 192.168.3.0/24
  • remote subnet - 192.168.10.0/24

Config ref here: https://wiki.teltonika-networks.com/view/RUTX50_VPN#General_Settings

If that's what you've got right now and IPsec tunnel is up (both phase 1 and phase 2), then the next step would be to verify whether the packets are going out to the Draytek device and then coming back from it (ping Draytek router LAN IP).
If not - try to login to Teltonika via CLI and issue "ipsec statusall" command, it should show you more information about the tunnel itself. That information may be useful for further troubleshooting, if there's an issue related to IPsec tunnel specifically.
If yes - try to ping VoIP server LAN IP address from Teltonika. If Draytek LAN IP did respond to pings, but VoIP server does not - verify if firewall rules on Draytek or VoIP server are not dropping/rejecting incoming or outgoing packets. This is one of the most common issues when it comes to connectivity via IPsec tunnels - firewall rules are missing on one end.

In case basic connectivity between VoIP server and client becomes possible, you could try to set up something like DNS forwarder config on Teltonika to resolve some arbitrary hostname using specific DNS server, but I would advise to avoid this step for now.
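
The staged check described in the reply above, written out as a script. This is an added example, not part of the original thread: it assumes strongSwan-style `ipsec statusall` output, and `VOIP_SERVER` and the `SAMPLE` text are constructed placeholders.

```shell
#!/bin/sh
# Added example: walks the reply's decision tree (tunnel state, then pings).
LAN_IP="192.168.3.1"         # RUTX LAN gateway, from the thread
GW_REMOTE="192.168.10.1"     # Draytek LAN IP, from the thread
VOIP_SERVER="192.168.10.50"  # hypothetical VoIP server LAN IP (placeholder)

# Constructed sample of `ipsec statusall` output (assumed strongSwan format).
SAMPLE='Security Associations (1 up, 0 connecting):
  tun[1]: ESTABLISHED 5 minutes ago, 10.0.0.2[rutx]...203.0.113.10[draytek]
  tun{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0ffee01_i c0ffee02_o
  tun{1}:   192.168.3.0/24 === 192.168.10.0/24'

# tunnel_state TEXT -> "up" (phase 1 and 2), "phase1-only" or "down"
tunnel_state() {
    ike=0; child=0
    printf '%s\n' "$1" | grep -q 'ESTABLISHED' && ike=1
    printf '%s\n' "$1" | grep -q 'INSTALLED, TUNNEL' && child=1
    if [ "$ike" -eq 1 ] && [ "$child" -eq 1 ]; then echo up
    elif [ "$ike" -eq 1 ]; then echo phase1-only
    else echo down; fi
}

# diagnose STATE GW_OK SERVER_OK -> next thing to look at (1 = ping answered)
diagnose() {
    case "$1" in
        down)        echo "check-ipsec-phase1"; return ;;
        phase1-only) echo "check-ipsec-phase2-subnets"; return ;;
    esac
    if [ "$2" -ne 1 ]; then echo "inspect-ipsec-statusall"
    elif [ "$3" -ne 1 ]; then echo "check-firewall-draytek-or-server"
    else echo "connectivity-ok"; fi
}

# Ping sourced from the LAN address so the packet falls inside the
# local subnet (192.168.3.0/24) that the IPsec policy covers.
reachable() {
    ping -c 3 -W 2 -I "$LAN_IP" "$1" >/dev/null 2>&1 && echo 1 || echo 0
}

# Live mode: run on the router as `sh check.sh --live`.
if [ "${1:-}" = "--live" ]; then
    ip route get "$GW_REMOTE"
    state=$(tunnel_state "$(ipsec statusall 2>/dev/null)")
    diagnose "$state" "$(reachable "$GW_REMOTE")" "$(reachable "$VOIP_SERVER")"
fi
```

Without `--live` the script only defines the functions, so `tunnel_state "$SAMPLE"` can be tried off the router.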