RUT951, FW RUT9M_R_00.07.03.3
Hi - I have one of the RUT951, and I'm port forwarding from a VPN tunnel to an internal device. All looks good, traffic flows in, and Internal device can communicate out. All happy, so Forwarding rules are OK.
Where I'm stuck is the first 60 seconds of a new session. Let me explain.
note, all this is real time UDP - think a VoIP phone, however it's not SIP, it's just UDP traffic.
When a session is opened from inside the LAN (Host B), out to the VPN, port 5000 is opened. when the web endpoint (host A) responds, it replies on 5000. both ends can communicate in real time no problem.
Host A ------ ens Router tun ------ Host B
Start Packet:5000
Packet:5000
Route Packet
Packet:5000
Packet:5000
...
Reply Packet:5000
Packet:5000
Route Packet
Packet:5000
Packet:5000
All looks normal, but if it's the other way around..
Start Packet:5000
Packet:5000
Route Packet
Packet:5000
Packet:5000
...
Reply Packet:5000
Packet:5000
Route Packet
Packet:1234
Fail Packet
When a session is opened from the Web via the VPN, port 5000 is forwarded to the internal device. The internal device replies on 5000, but because the RUT951 remembers the inbound session on port 5000, it reforms the packet - sending via a random port to the web endpoint through the VPN tunnel. Because the port is mismatched, the web endpoint rejects the traffic.
after 60 seconds, the session closes, and we're back to either end able to reopen a session, and communicate again (in either of the two scenarios above).
tcpdump shows (yes, IP's have been replaced)
14:03:35.255453 ethertype IPv4, IP InternalIP.5000> webIP.5000: UDP, length 172 // initiate session from LAN > Web
14:03:35.255477 IP InternalIP.5000> webIP.5000: UDP, length 172 // forward to internal Ethernet devices
14:03:35.255503 IP InternalIP.5000> webIP.5000: UDP, length 172 // ..bridged interfaces, so duplicated
14:03:35.255644 IP VPNIP.5000 > webIP.5000: UDP, length 172 // send to web via vpn interface
14:03:39.159725 IP webIP.5000 > VPNIP.5000: UDP, length 172 // reply from web
14:03:39.159871 IP webIP.5000 >InternalDeviceIP.5000: UDP, length 172 // forward to internal Ethernet devices
14:03:39.159898 IP webIP.5000 >InternalDeviceIP.5000: UDP, length 172 // ..bridged interfaces, so duplicated
That all seems OK.
13:59:06.486520 IP webIP.5000 > VPNIP.5000: UDP, length 172 // initiate session from web > LAN
13:59:06.486693 IP Teltonika-RUT951.com.5000 > InternalDeviceIP.5000: UDP, length 172 // forward to internal Ethernet devices
13:59:06.486721 IP Teltonika-RUT951.com.5000 > InternalDeviceIP.5000: UDP, length 172 // ..bridged interfaces, so duplicated
13:59:10.466055 ethertype IPv4, IP InternalIP.5000 > webIP.5000: UDP, length 172 // reply
13:59:10.466078 IP InternalDeviceIP.5000 > webIP.5000: UDP, length 172 // forward to internal Ethernet devices
13:59:10.466103 IP InternalDeviceIP.5000 > webIP.5000: UDP, length 172 // ..bridged interfaces, so duplicated
13:59:10.466301 IP VPNIP.1234 > webIP.5000: UDP, length 172 // send to VPN on random port because 5000 is in use
NOW, this is much like SIP ALG - indeed, I've tried turning off the conntrack helpers, and disabling all of those, but to no avail.
If I could force the LAN side to open a session and keep it running, there would be no issue, but I can't guarantee that is always the case (and it definitely needs to be reliable).
Annoyingly, I had it behaving for a moment - all seemed fine, but then I got mixed up, and it's not working again, so it seems there is a solution - if I can find it.
And I've checked all on the VPN side - it sees one packet in, and forwards one packet straight through (to the correct destination). That side seems fine.
Kinda tearing out my hair here..