Firewall rule from LAN2 -> VPN -> LAN1 | How to configure?

Hi,

we have a working and routed network across a VPN connection; ping from 192.168.1.100 to 192.168.88.5 works as expected.

But now I need to open udp/40000 from 192.168.88.5 to 192.168.1.100 and I can’t get it working.

It must be a firewall problem, because I can see the incoming traffic with
tcpdump -i br-lan host 192.168.88.5 on br-lan,
but not outgoing on the tun_c_VPN interface (I saw both for the ICMP traffic).

How can I configure this?
What's wrong in my setup?

RUTX_R_00.07.06.1

Hello,

Right now you're trying to allow traffic from LAN port 40000 to any zone's port 40000, and it seems your current rule isn't working. Likely, the traffic isn't coming from the LAN zone or from port 40000.

To fix this, consider simplifying your rule to allow traffic from any zone (or specific ones you choose) to the device with IP 192.168.88.5 on port 40000.

Additionally, in the zone settings, change "Forwards" from "Reject" to "Accept" in the OpenVPN → LAN section, so that traffic from the OpenVPN zone can reach the LAN network.

Best regards,

Marijus

@Marijus ,
thanks for your reply.

Maybe I'm wrong, but to me this rule looks like it is from somewhere to the device 192.168.88.5.
192.168.1.100 can reach the device 192.168.88.5; that communication works as expected.

My problem is that the device 192.168.88.5 (LAN2) must start a udp/40000 connection to 192.168.1.100 (LAN1),
and this doesn't work.

I saw the packets incoming on br-lan, but not outgoing on the VPN interface.

In the end I need the following setup:
LAN1 → openvpn → LAN2 allow all
LAN2 → openvpn → LAN1 udp/40000
LAN2 all traffic elsewhere blocked (also wan)

Any idea what's wrong in my setup?

Hi,

It appears you’re trying to open a port on the wrong device. Port opening rules for 192.168.1.100 should be configured on another router, not the Teltonika one. Please refer to the documentation of your other router or contact their support for guidance.

Kind regards,

Marijus

No, that is not the problem, since the traffic is visible neither on the RUTX08
VPN interface (outgoing) nor incoming on the other router (10.5.2.1).

tcpdump directly on the RUTX08:
LAN1 → openvpn → LAN2
allow all => I see the traffic
LAN2 → openvpn → LAN1 udp/40000 => I see the traffic on br-lan but not on tun_c_VPN

I verified that my tcpdump is working with an ICMP from 192.168.1.100 → 192.168.88.5.

Any idea?

Hi,

Is your VLAN set up correctly? Does the ping from 192.168.88.5 to 192.168.1.100 work at all?

No VLAN; the RUTX08 is on "default" LAN settings and ICMP from 192.168.1.100 to 192.168.88.5 works fine.

I cannot test this because 192.168.88.5 is an industrial device without a web GUI or terminal.
But since I can see the ping is working, we cannot have any VLAN/routing issue.

I also see on br-lan that the industrial device tries to connect to 192.168.1.100 udp/40000,
but this traffic never leaves the tun_c_VPN interface of the RUTX08.

For some reason the RUTX08 blocks the traffic.

Hi,

Could you please check if the RUTX08 can successfully ping 192.168.1.100? If the ping is successful, you can proceed to disable masquerading in the LAN zone.


Masquerading was the problem, since it was enabled from [openvpn → lan].

The initial request came from LAN1 [lan → openvpn], and because of the masquerading the industrial device opened the connection not to 192.168.1.100. That's why I didn't see the traffic outgoing on the VPN interface…

@Marijus thank you for the help!
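The root cause above (masquerading on the LAN zone rewriting the source address of traffic that arrives over the VPN, so the LAN device replies to the router's own LAN IP and nothing ever enters the tunnel) is easy to spot in the UCI firewall config once you know to look for it. The following is an added audit script, not part of the thread and not Teltonika's tooling: it parses a UCI-style /etc/config/firewall, reports which zones the VPN zone may forward into that have masq enabled, and checks what permits each zone-to-zone direction. The sample config is constructed here; the zone name openvpn and the tun_c_VPN device come from the thread, while the rest of the layout (zone options, rule name, network/device list entries) is an assumption.

```python
"""Audit a UCI-style /etc/config/firewall (OpenWrt / RutOS layout) for a
masqueraded zone that the VPN zone forwards into. Hypothetical audit script,
written for this thread; not Teltonika's or OpenWrt's own tooling."""
import shlex

# Constructed sample config. Zone name 'openvpn' and device 'tun_c_VPN' are
# from the thread; the remaining layout is an assumption for illustration.
FIREWALL_TEMPLATE = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '{lan_masq}'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'openvpn'
    list device 'tun_c_VPN'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

# LAN1 -> openvpn -> LAN2: allow everything
config forwarding
    option src 'openvpn'
    option dest 'lan'

# LAN2 -> openvpn -> LAN1: only udp/40000 to 192.168.1.100
config rule
    option name 'LAN2-to-LAN1-udp40000'
    option src 'lan'
    option dest 'openvpn'
    option proto 'udp'
    option dest_ip '192.168.1.100'
    option dest_port '40000'
    option target 'ACCEPT'
"""
BROKEN = FIREWALL_TEMPLATE.format(lan_masq="1")  # masquerade enabled on lan zone
FIXED = FIREWALL_TEMPLATE.format(lan_masq="0")   # masquerade disabled on lan zone


def parse_uci(text):
    """Parse 'config' / 'option' / 'list' lines into a list of section dicts."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the quoted values
        kind, args = parts[0], parts[1:]
        if kind == "config" and args:
            current = {"type": args[0], "name": args[1] if len(args) > 1 else None,
                       "options": {}, "lists": {}}
            sections.append(current)
        elif current is None:
            continue
        elif kind == "option" and len(args) == 2:
            current["options"][args[0]] = args[1]
        elif kind == "list" and len(args) == 2:
            current["lists"].setdefault(args[0], []).append(args[1])
    return sections


def forward_allowed(sections, src, dest):
    """What permits src -> dest traffic: 'zone' for a blanket forwarding
    section, otherwise the list of matching ACCEPT rules as
    (proto, dest_ip, dest_port). An empty list means only the src zone's
    'forward' policy applies (REJECT in the sample), i.e. nothing gets through."""
    for s in sections:
        o = s["options"]
        if s["type"] == "forwarding" and o.get("src") == src and o.get("dest") == dest:
            return "zone"
    rules = []
    for s in sections:
        o = s["options"]
        if (s["type"] == "rule" and o.get("src") == src and o.get("dest") == dest
                and o.get("target", "DROP").upper() == "ACCEPT"):
            rules.append((o.get("proto", "tcp udp"), o.get("dest_ip", "any"),
                          o.get("dest_port", "any")))
    return rules


def masquerade_findings(sections, vpn_zone):
    """Zones with masq='1' that the VPN zone may forward into. Packets leaving
    the router on such a zone are SNAT'ed to the router's own address there,
    so a peer like 192.168.1.100 appears as the router's br-lan IP and the
    device's reply (or its own udp/40000 connection) never enters the tunnel."""
    zones = {s["options"].get("name"): s for s in sections if s["type"] == "zone"}
    findings = []
    for name, zone in zones.items():
        if name == vpn_zone or zone["options"].get("masq") != "1":
            continue
        if forward_allowed(sections, vpn_zone, name):  # 'zone' or non-empty rule list
            findings.append(name)
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        secs = parse_uci(cfg)
        print(label, "masqueraded zones reachable from openvpn:",
              masquerade_findings(secs, "openvpn"))
        print("  lan->openvpn permitted by:", forward_allowed(secs, "lan", "openvpn"))
        print("  lan->wan permitted by:", forward_allowed(secs, "lan", "wan"))
```

Run it against a copy of the device's /etc/config/firewall by replacing the constructed template with the file contents; a non-empty result from masquerade_findings for the VPN zone is exactly the symptom in this thread, and the forward_allowed output confirms that lan → wan stays closed while lan → openvpn is limited to the single udp/40000 rule.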
