by anonymous
Hi there,

I am trying to configure a RUTX12 with two SIM cards. One SIM card will be used only for OCPP/TCP and the other for everything else (like internet), so is there a possibility to split traffic based on protocol? Just to mention that everything is installed on a single PC.

If there were two PCs I could use advanced static routing, but this is not the case.

Thanks in advance!

1 Answer

by anonymous

Hi, this should be possible with packet marking (firewall/iptables) and advanced routing rules (ip rule/ip route combination). The basic idea would be to mark the packet in the PREROUTING chain (mangle table) with a custom mark and then force that packet to get routed via a different path (routing table) if the mark is matched. I tested this on a generic Linux machine, but it should work all the same on a Teltonika router.

<firewall part here>

1. Apply custom firewall rule in firewall settings (@firewall > custom rules). This step might be possible via traffic rules, but it was much easier to do via CLI:

iptables -t mangle -I PREROUTING -4 -d 1.2.3.4/32 -p tcp --dport 443 -j MARK --set-mark 0xABCD

Change the destination host to whatever you desire. It'd be recommended to try and stick with specific destination hosts, however.

Change the TCP port to whichever destination port may be used for communication.

The mark can remain the same, no need to change it.

<routing part here @advanced static routing section>

2. Create a new routing table with an ID of 50 (just an example). Configure a static route for your host via your preferred egress interface (outgoing interface/host/netmask). This will be the interface that you might want to use exclusively for OCPP communication.

You can add a default route here as well instead of specific target host, if you don't know which host you'll be reaching. Firewall marks and ip rule will control where packets will get routed.

3. Create a routing rule with some arbitrary priority value, specify the firewall mark that was entered in the iptables rule and choose the newly added routing table. You can also add a destination subnet here if you want, but it isn't necessary, because the ip rule will be matching marked packets anyway.

You can go even further and deny all outbound non-marked communication towards OCPP host via default routing table by using either prohibit/throw/blackhole static route rules or firewall rules, but this might not be needed, because all of the relevant packets will be marked and forwarded using specific routing table regardless.

If you run into some difficulties here, please let me know, we should be able to get this PoC working, because the idea is pretty cool :)
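The three steps above, collected into one script as an added example (not code from the original thread or from Teltonika). It assumes the OCPP backend is 1.2.3.4 on TCP 443 and that the second SIM's WAN interface is called wwan1; the mark 0xABCD and table ID 50 are the ones from the answer, and the rule priority 100 is an arbitrary pick. By default it only prints the commands so you can review them; set APPLY=1 to run them on the router.

```shell
#!/bin/sh
# Added example (not from the original thread). Constructed assumptions:
# OCPP backend 1.2.3.4:443, second-SIM interface "wwan1", rule priority 100.
# Mark 0xABCD and routing table 50 are taken from the answer above.
OCPP_HOST="${OCPP_HOST:-1.2.3.4}"
OCPP_PORT="${OCPP_PORT:-443}"
FWMARK="${FWMARK:-0xABCD}"
TABLE_ID="${TABLE_ID:-50}"
OCPP_IFACE="${OCPP_IFACE:-wwan1}"   # assumed name of the OCPP SIM's interface
RULE_PRIO="${RULE_PRIO:-100}"

# Step 1 (firewall): mark OCPP packets in mangle/PREROUTING, i.e. before
# the routing decision, so the policy rule below can see the mark.
mangle_rule() {
  printf 'iptables -t mangle -I PREROUTING -4 -d %s/32 -p tcp --dport %s -j MARK --set-mark %s\n' \
    "$OCPP_HOST" "$OCPP_PORT" "$FWMARK"
}

# Step 2 (routing table): a dedicated table whose only route sends
# everything out via the OCPP SIM interface (a default route is enough,
# the firewall mark decides which packets ever consult this table).
route_rule() {
  printf 'ip route replace default dev %s table %s\n' "$OCPP_IFACE" "$TABLE_ID"
}

# Step 3 (policy rule): packets carrying the mark look up table 50
# instead of the main table; unmarked traffic is unaffected.
policy_rule() {
  printf 'ip rule add fwmark %s lookup %s priority %s\n' \
    "$FWMARK" "$TABLE_ID" "$RULE_PRIO"
}

# Print all three commands; with APPLY=1 also execute them (root on router).
setup_ocpp_split() {
  for cmd in "$(mangle_rule)" "$(route_rule)" "$(policy_rule)"; do
    echo "$cmd"
    if [ "${APPLY:-0}" = "1" ]; then
      eval "$cmd"
    fi
  done
}

# Commands to verify the result on the router: 'ip rule show' should list
# the fwmark rule, 'ip route show table 50' the default route, and the
# packet counters in 'iptables -t mangle -L PREROUTING -v -n' should grow
# while the OCPP client is talking to its backend.
[ "${1:-}" = "run" ] && setup_ocpp_split
```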