Firewall function

I’ve just purchased an RUTM51 and installed it.

While HTTP and HTTPS both work fine, WireGuard and OpenVPN don’t.

This suggests to me that the router has some form of firewall function, and that it is blocking Wireguard and OpenVPN traffic.

I’m not interested in having the router try to emulate any kind of endpoint function, so is there an option in the configuration to disable any filtering, so that I can manage traffic filtering on my individual devices?

This issue has some urgency, as the RUTM51 is currently blocking my server traffic.

I found what appears to be a solution here, but it seems to require root access.
The root password appears to be different to the admin password, so this hasn’t helped.

Ok, I’ve managed to get SSH access as root working and I can now see the file system on the router. Now I have a different problem.

The system uses iptables (which is helpful as I also use iptables on my devices). However, the iptables commands seem to be spread between multiple files.
I don’t see anything obviously constituting a rule set.

I want to add the equivalent of…

  • iptables -I INPUT -j ACCEPT
  • iptables -I FORWARD -j ACCEPT

It seems that no-one from Teltonika browses this forum and I’ve received no response to my request for assistance on their UK web site, so is anyone within the community able to offer advice on this?

Hello,

Edit /etc/config/firewall and change the value of option input and option forward to ACCEPT.

config defaults '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        ...
config zone '3'                                 
        option name 'wan'                          
        option output 'ACCEPT'                  
        option mtu_fix '0'                      
        option network 'wan wan6 mob1s1a1 mob1s2a1'
        option input 'ACCEPT'                   
        option forward 'ACCEPT'                 
        option port_scan '0'                    

and restart the firewall: /etc/init/firewall restart
Or via the UI, go to Network->Firewall->Zone and set wan=>lan to ACCEPT / ACCEPT / ACCEPT.

Regards,
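As an added example (not the responder's own code), a small shell/awk check that reads a firewall config in this format and prints what each zone actually sets, so you can confirm the edit landed and, just as important, that the wan zone is not left wide open once the fault is found. The config text is a constructed sample modelled on the snippet above; a zone option that is absent is reported as "unset" rather than guessing fw3's built-in default.

```shell
#!/bin/sh
# Added example, not from the thread: list the input/forward/output policy each
# zone in an OpenWrt/RutOS-style /etc/config/firewall sets explicitly, plus the
# 'config defaults' section. An option a zone does not set is printed as "unset"
# (fw3 then applies its own built-in default, which this script does not guess).
# CONFIG is a constructed sample modelled on the thread's snippet, before editing.
CONFIG="config defaults '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
config zone '2'
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
config zone '3'
        option name 'wan'
        option output 'ACCEPT'
        option network 'wan wan6 mob1s1a1 mob1s2a1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'"

# Reads the config on stdin; prints "<zone> <input> <forward> <output>" per section.
zone_policies() {
    awk -v q="'" '
    function val(x) { return x == "" ? "unset" : x }
    function flush() {
        if (sec == "zone" || sec == "defaults")
            printf "%s %s %s %s\n", name, val(inp), val(fwd), val(outp)
    }
    $1 == "config" { flush(); sec = $2; name = (sec == "defaults" ? "defaults" : ""); inp = fwd = outp = "" }
    $1 == "option" {
        v = $3; gsub(q, "", v)          # strip the single quotes around the value
        if ($2 == "name") name = v
        else if ($2 == "input") inp = v
        else if ($2 == "forward") fwd = v
        else if ($2 == "output") outp = v
    }
    END { flush() }'
}

# zone_policy_is ZONE CHAIN POLICY: exit 0 if ZONE sets CHAIN to POLICY, 1 if it sets
# something else or leaves it unset, 2 if no such zone exists in CONFIG.
zone_policy_is() {
    printf '%s\n' "$CONFIG" | zone_policies | awk -v z="$1" -v c="$2" -v p="$3" '
        $1 == z { col = (c == "input") ? 2 : (c == "forward") ? 3 : 4
                  found = 1; exit ($col == p ? 0 : 1) }
        END { if (!found) exit 2 }'
}

printf '%s\n' "$CONFIG" | zone_policies
```

On the router, replace the constructed CONFIG with the real file (`zone_policies < /etc/config/firewall`) after running "save and apply", and compare the result with what the UI shows.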

Thanks for your help, but that made no difference.

I’ve tried the “save and apply” option, soft reboot and hard reboot and functionality has not improved.

I can’t check what the router thinks it’s doing as I can find no syslog (or anything else which might be similar in /var/log).

I’m currently operating an EE router and the Teltonika router side-by-side and when I change to the EE router everything works fine.

As I’ve had no response from Teltonika, I think I’ll have to contact the vendor tomorrow (Monday).

PS: I’ve also tried the

  • iptables -I INPUT -j ACCEPT
  • iptables -I FORWARD -j ACCEPT

measures and even

  • /etc/init.d/firewall stop

but they haven’t changed the router’s behaviour.

You can access the logs with logread or logread -f.
What is the output of:

iptables -n -L
iptables -t nat -n -L
  • iptables -n -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set ipb_port_dest src,dst,dst
DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set ipb_port src,dst
DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set ipb_mac src
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
input_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom input rule chain */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 /* !fw3 */
zone_lan_input all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
zone_wan_input all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
zone_wan_input all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set ipb_port_dest src,dst,dst
DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set ipb_port src,dst
DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set ipb_mac src
forwarding_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom forwarding rule chain */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: IPsec bypass for offloading */ policy match dir in pol ipsec
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: IPsec bypass for offloading */ policy match dir out pol ipsec
FLOWOFFLOAD all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Traffic offloading */ FLOWOFFLOAD hw
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
zone_wan_forward all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
zone_wan_forward all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
output_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom output rule chain */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
zone_wan_output all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
zone_wan_output all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain forwarding_lan_rule (1 references)
target prot opt source destination

Chain forwarding_rule (1 references)
target prot opt source destination

Chain forwarding_wan_rule (1 references)
target prot opt source destination

Chain input_lan_rule (1 references)
target prot opt source destination

Chain input_rule (1 references)
target prot opt source destination

Chain input_wan_rule (1 references)
target prot opt source destination

Chain output_lan_rule (1 references)
target prot opt source destination

Chain output_rule (1 references)
target prot opt source destination

Chain output_wan_rule (1 references)
target prot opt source destination

Chain reject (0 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with tcp-reset
REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 25/sec burst 50 /* !fw3 */
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain zone_lan_forward (1 references)
target prot opt source destination
forwarding_lan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan forwarding rule chain */
zone_wan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone lan to wan forwarding policy */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain zone_lan_input (1 references)
target prot opt source destination
input_lan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan input rule chain */
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp spt:5353 dpt:5353 /* !fw3: Allow-mDNS */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain zone_lan_output (1 references)
target prot opt source destination
output_lan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (3 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain zone_wan_forward (2 references)
target prot opt source destination
forwarding_wan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500 /* !fw3: Allow-ISAKMP */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain zone_wan_input (2 references)
target prot opt source destination
input_wan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan input rule chain */
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68 /* !fw3: Allow-DHCP-Renew */
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* !fw3: Allow-Ping */
ACCEPT 2 -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IGMP */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain zone_wan_output (2 references)
target prot opt source destination
output_wan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain zone_wan_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */

  • iptables -t nat -n -L

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
prerouting_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */
zone_lan_prerouting all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
zone_wan_prerouting all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
zone_wan_prerouting all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
postrouting_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom postrouting rule chain */
zone_lan_postrouting all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
zone_wan_postrouting all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
zone_wan_postrouting all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain postrouting_lan_rule (1 references)
target prot opt source destination

Chain postrouting_rule (1 references)
target prot opt source destination

Chain postrouting_wan_rule (1 references)
target prot opt source destination

Chain prerouting_lan_rule (1 references)
target prot opt source destination

Chain prerouting_rule (1 references)
target prot opt source destination

Chain prerouting_wan_rule (1 references)
target prot opt source destination

Chain zone_lan_postrouting (1 references)
target prot opt source destination
postrouting_lan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan postrouting rule chain */

Chain zone_lan_prerouting (1 references)
target prot opt source destination
prerouting_lan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan prerouting rule chain */

Chain zone_wan_postrouting (2 references)
target prot opt source destination
postrouting_wan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan postrouting rule chain */
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Chain zone_wan_prerouting (2 references)
target prot opt source destination
prerouting_wan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan prerouting rule chain */

Execute an iptables -F. Does it work after that?

No, no change.

That’s really mysterious.
Choose a port you want to forward (51820?) and do a

tcpdump -i any -n -v 'port 51820'

and try to build a wg tunnel. Do you see something on the tcpdump output?

I used my WireGuard device. I’ve replaced a potentially sensitive IP with ‘nnn’ below.

Output of tcpdump -i any -n -v 'port 51820' was …

15:14:06.629687 lan2 In IP (tos 0x0, ttl 64, id 43433, offset 0, flags [none], proto UDP (17), length 60)
192.168.1.178.47830 > nnn.nnn.nnn.nnn.51820: UDP, length 32

15:14:06.629687 br-lan In IP (tos 0x0, ttl 64, id 43433, offset 0, flags [none], proto UDP (17), length 60)
192.168.1.178.47830 > nnn.nnn.nnn.nnn.51820: UDP, length 32

15:14:33.254888 lan2 In IP (tos 0x0, ttl 64, id 45678, offset 0, flags [none], proto UDP (17), length 60)
192.168.1.178.47830 > nnn.nnn.nnn.nnn.51820: UDP, length 32

15:14:33.254888 br-lan In IP (tos 0x0, ttl 64, id 45678, offset 0, flags [none], proto UDP (17), length 60)
192.168.1.178.47830 > nnn.nnn.nnn.nnn.51820: UDP, length 32

This nnn address, is it a public one? Nothing comes back from it.

Yes, I rent a public facing server (for DNS purposes). I’m behind CGNAT, so can’t have a fixed IP. I use a tunnel between the public IP and my local server.

I didn’t want to reveal the address on this public forum.

Sure, that’s not the question. But apparently it doesn’t reply to solicitations on port 51820.
What is this local server? Can you make a drawing of your network?
Have you enabled masquerading on the wan=>lan zone?

It may help if I reiterate the situation.

Until Friday, I was using an EE 4G Mobile Broadband connection. Everything was fine.
I used web traffic and email for personal purposes, WireGuard for my server and OpenVPN for the VPN service on my workstation (from Mullvad btw).
There did not appear to be any packet filtering on the EE router, as all traffic traversed the router without incident or any intervention on my part.

Recently, EE rolled out 5G to my location. I ordered a 5G Data SIM from them. Rather than take EE’s 5G router (no external antenna), I opted for an external antenna/router package from a UK supplier. It’s a Poynting antenna and a Teltonika router.

What I’m trying to explain is that the only changes are the antenna, the router and the 5G Data SIM.

I can certainly discuss my internal topology, but surely the fault lies with one of the items which has changed?
I can send/receive web and email (although slower than I expected); it is only WireGuard and OpenVPN which have stopped working.

I should add that, currently, I have two infrastructures next to each other.

One is the existing EE router with active 4G Data SIM.
The other is the Teltonika router with the 5G Data SIM.

With all devices plugged into the EE router, all is well.

If I unplug my ethernet cables from the EE router and plug them into the Teltonika router, all WireGuard and OpenVPN traffic is blocked, although web and email traffic are fine.

I am still unsure where the WireGuard server is and how you reach it. Is it on the public-facing machine you have mentioned above?

I rent a public-facing server from a commercial hosting company.

I need to get traffic from that server to my location.
As I’m behind CGNAT, I can’t get a fixed IP address.

Therefore, I establish a tunnel between the server at my location and the public-facing server.

This requires WireGuard traffic to be able to pass between the public server and the server at my location.

This works with my EE router, but not with my Teltonika router.

So the public server is the responder for WireGuard, and your local server is the initiator.
From the tcpdump output above:

15:14:33.254888 br-lan In IP (tos 0x0, ttl 64, id 45678, offset 0, flags [none], proto UDP (17), length 60)
192.168.1.178.47830 > nnn.nnn.nnn.nnn.51820: UDP, length 32

This seems to be a routing issue, not a firewall one: the wg frame isn’t output anywhere.
What is the output of:

ip -4 route show
ip -4 rule show
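The responder's reasoning rests on one observation: the WireGuard packet is seen "In" on lan2 and br-lan but never "Out" on any interface. Here is an added shell example (not from the thread) that makes that check repeatable over a `tcpdump -i any -n -v` capture; the sample capture is constructed from the thread's packets with the hidden address replaced by 203.0.113.10, plus a made-up HTTPS flow that does leave the router on an assumed mobile interface name (wwan0) from an assumed public address.

```shell
#!/bin/sh
# Added example, not from the thread: pair the two-line records of
# `tcpdump -i any -n -v` and report which flows the router received (In) but
# never emitted on any interface (Out). A flow is keyed on IP id, protocol and
# destination, which all survive masquerading, unlike the source address.
# SAMPLE is constructed (see the lead-in); wwan0 and 198.51.100.7 are assumed.
SAMPLE='15:14:06.629687 lan2 In IP (tos 0x0, ttl 64, id 43433, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.178.47830 > 203.0.113.10.51820: UDP, length 32
15:14:06.629687 br-lan In IP (tos 0x0, ttl 64, id 43433, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.178.47830 > 203.0.113.10.51820: UDP, length 32
15:14:07.001000 lan2 In IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.178.50000 > 203.0.113.20.443: Flags [S], seq 1, win 64240, length 0
15:14:07.001100 br-lan In IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.178.50000 > 203.0.113.20.443: Flags [S], seq 1, win 64240, length 0
15:14:07.001200 wwan0 Out IP (tos 0x0, ttl 63, id 100, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.7.50000 > 203.0.113.20.443: Flags [S], seq 1, win 64240, length 0'

# Reads tcpdump output on stdin; prints one line per flow:
#   NOT-FORWARDED <id> <proto> <dst> in=<ifaces>   or   FORWARDED ... out=<ifaces>
classify_flows() {
    awk '
    # header line: timestamp, interface, direction, then the IP header summary
    /^[0-9:.]+ +[^ ]+ +(In|Out) +IP / {
        iface = $2; dir = $3
        match($0, /id [0-9]+/);    id = substr($0, RSTART + 3, RLENGTH - 3)
        match($0, /proto [A-Z]+/); proto = substr($0, RSTART + 6, RLENGTH - 6)
        next
    }
    # continuation line "src > dst: ..." belongs to the header just seen
    / > / && id != "" {
        dst = $3; sub(/:$/, "", dst)
        key = id " " proto " " dst
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        if (dir == "In") inif[key] = (inif[key] == "" ? iface : inif[key] "," iface)
        else outif[key] = (outif[key] == "" ? iface : outif[key] "," iface)
        id = ""
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (outif[k] == "") printf "NOT-FORWARDED %s in=%s\n", k, inif[k]
            else printf "FORWARDED %s in=%s out=%s\n", k, inif[k], outif[k]
        }
    }'
}

printf '%s\n' "$SAMPLE" | classify_flows
```

On the router itself the same function can be fed live with `tcpdump -i any -n -v -l 'port 51820' | classify_flows`; a NOT-FORWARDED line for the tunnel endpoint, with the FORWARD chain already at ACCEPT, points at routing rather than filtering, which is the next thing the thread asks to inspect.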