We have a PPTP VPN set up on a RUT950 at one of our customer sites, which is used to remotely access some PCs that have radio system management/monitoring software installed. Recently users have reported this is not working, or is working intermittently, and after some troubleshooting it appears the network you are connected to affects whether the VPN will connect or not. As such, I am testing with an L2TP configuration instead, which I have set up as per RUT240 L2TP over IPsec (Windows 10) - Teltonika Networks Wiki (teltonika-networks.com). Note I have updated the firmware to the latest version as part of this troubleshooting.
The issue we are having is that the L2TP VPN connects okay, but then I cannot get to the LAN or Internet, although I can still access the router Web GUI. I found some posts stating to change the L2TP zone to accept in the firewall settings, e.g. as shown in the screenshot below, but I can’t see this as an option on our router (again, screenshot below). If this seems like a fix to you, any idea how we can add that zone, or firewall rules that do the same thing?
I have replicated the topology you are attempting to use.
I have a RUT950 on firmware version RUT9_R_00.07.06.11 that is accessible via a WAN connection.
I have a remote PC attached via LAN cable to the RUT950.
And I am connecting via VPN on a Win 11 PC, where I am able to ping the router tunnel VPN IP and can RDP into the remote laptop via its LAN IP.
To check your RUT950 Firewall settings:
While logged into the WebUI, click the 3 dots on the top right-hand side. Make sure to toggle to ‘Advanced’ and that you are not on ‘Basic’. This will show more configuration options throughout the whole WebUI, including the firewall settings we are looking for.
When you successfully configure L2TP it should automatically create the firewall rule you are looking for. If it did not create these rules for you, here is what they should look like.
On your computer please disconnect any other ethernet cable or wifi that you are not using to connect to the internet. When you have established VPN connectivity, run the following commands in your terminal/CLI:
ping 192.168.0.1 // In my example I set the RUT950 tunnel IP to 192.168.0.1. If you do not get a ping response then you cannot reach the RUT950 over your VPN tunnel.
tracert google.com // You should see the hop attempting to go out your VPN tunnel IP. If it is not, then your computer may still be trying to route out another way.
If you wish to check against any of the other settings I used, I will post them below.
L2TP:
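The ping/tracert checks above can be read mechanically: the first hop should be the router's tunnel IP, and a hop that reports "unreachable" marks where forwarding stops. The following is an added example (not code from the thread or from Teltonika) that parses Windows-style tracert output and reports whether traffic left via the tunnel and which hop failed. The tracert text is a constructed sample, the tunnel gateway 192.168.0.1 follows the responder's example, and the exact wording of the "reports: Destination protocol unreachable." line is an assumption about tracert's output format.

```python
import re

# Matches a tracert hop line: hop number, then the rest of the line.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s*$")
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: hop 1 is the router's L2TP tunnel IP, hop 2 fails.
SAMPLE_VIA_TUNNEL = """\
Tracing route to google.com [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2  192.168.0.1  reports: Destination protocol unreachable.

Trace complete.
"""

# Constructed sample: the PC is still routing via its local Wi-Fi gateway.
SAMPLE_VIA_LAN = """\
Tracing route to google.com [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2     5 ms     4 ms     5 ms  198.51.100.1

Trace complete.
"""


def parse_tracert(output):
    """Return a list of (hop_number, ipv4_or_None, note) tuples.

    note is 'unreachable', 'timeout' or None. Header and footer lines
    (no leading hop number) are skipped.
    """
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, rest = int(m.group(1)), m.group(2)
        addr = IPV4_RE.search(rest)
        lowered = rest.lower()
        if "unreachable" in lowered:
            note = "unreachable"
        elif "timed out" in lowered:
            note = "timeout"
        else:
            note = None
        hops.append((hop, addr.group(1) if addr else None, note))
    return hops


def check_tunnel_path(output, tunnel_gateway):
    """Summarise a tracert run against the expected tunnel gateway.

    via_tunnel:  True when the first hop is the router's tunnel IP.
    failing_hop: first hop number that reported 'unreachable', else None.
    """
    hops = parse_tracert(output)
    if not hops:
        return {"via_tunnel": False, "first_hop": None, "failing_hop": None}
    first_hop = hops[0][1]
    failing = next((h for h, _, note in hops if note == "unreachable"), None)
    return {
        "via_tunnel": first_hop == tunnel_gateway,
        "first_hop": first_hop,
        "failing_hop": failing,
    }


if __name__ == "__main__":
    for label, sample in (("via tunnel", SAMPLE_VIA_TUNNEL), ("via LAN", SAMPLE_VIA_LAN)):
        print(label, check_tunnel_path(sample, "192.168.0.1"))
```

A result of `via_tunnel: True` with `failing_hop: 2` matches the symptom discussed later in the thread (first hop is the tunnel, second hop reports unreachable), which points at forwarding rules on the router rather than at the client's routing table; `via_tunnel: False` means the client PC is still sending traffic out another interface.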
Firstly, we are running the Legacy WebUI (RUT9XX_R_00.06.09.5); do you know if it is possible for us to update to the newer UI so I can follow your steps more closely?
I do not have the option to switch to Advanced in the top right, any ideas how to do this on Legacy WebUI?
I can get to this menu okay, although it looks different.
The L2TP zone does not seem to have been created, and I cannot see it as an option under any of the zone settings, e.g. (settings blanked out, just to show the l2tp zone doesn’t exist).
• I am able to access the router Web GUI and manage the router using the L2TP VPN (I am in the office at the moment connected to the remote device to get these screenshots)
• My Internet connection drops as soon as the L2TP VPN connection is established
I have checked our settings against yours; although some are missing in our GUI, they seem to be configured in the same way. The only thing is we have both left and right firewall ticked, any ideas if this is correct?
Also, do the L2TP server and DHCP range need to be different from the router's subnet? E.g. if the router was on 192.168.1.0/24, with DHCP set to .1 - .50, is it okay to set the L2TP VPN server as 192.168.1.201, with DHCP set to .202 - .250?
Yes it is possible to upgrade from Legacy to our latest firmware, BUT there are a few caveats to check beforehand.
You must be at the latest Legacy firmware ahead of time. In your case you are already at the latest RUT9XX_R_00.06.09.5_WEBUI.bin
Login to your device → Status → System and check your Router model.
If your model is a RUT950G1**, firmware RUT9_R_00.07.00 and above are NOT supported. In which case you cannot update.
Some features that were on the Legacy firmware are removed/replaced in the newer firmware version. Below is an image of those features. If it is not a problem for you, then you can update the firmware.
If upgrading is an option after performing your checks I would create a backup beforehand.
Login to your WebUI → System → Administration & create and download a backup.
Then I would proceed to update to the latest available firmware (at the time of writing this is RUT9_R_00.07.06.11_WEBUI.bin).
To answer your other questions:
The ‘Advanced’ I believe is only in the new firmware, so you should not have to worry about that in the older Legacy firmware. That was part of the UI overhaul in the newer versions.
If the L2TP zone is not being created, that could be part of your problem with not being able to connect properly. I am not sure how traffic going through your tunnel is being treated in the firewall, because the L2TP zone should be dictating that interaction. It would have to be passed through one of the other zones instead to reach the device, but then it does not have the correct rules to reach out to the internet and pass traffic back through the tunnel to you.
That could explain why on your tracert you get a destination protocol unreachable only on the 2nd hop.
Both the Left & Right firewall settings under your IPSec could be an issue here.
In the image below you can see the Local Firewall, which is for the Left Side. This setting changes how the packet interacts with the firewall zone on the device itself. Since you do not have the L2TP zone created, and I am not sure which other zone your traffic is passing through, this could be an issue.
And since you are connecting on the right side with a Windows PC you do not need to worry about a firewall zone config there. I would only check this setting if for example you were connecting 2 RUT devices together that had their own firewall zones dealing with the traffic.
Technically it should be fine to be within the same subnet, as long as you are not overlapping IPs. BUT it would be good practice to have it on another subnet, like 192.168.2.0/24 instead, or a /26 if you want to limit your number of hosts.
You could run into other issues unintentionally, where you apply rules to 192.168.1.0/24 that you only wanted to affect your local DHCP clients but not your VPN clients.
So I would also recommend changing the network for your L2TP pool.
If possible I would refer to the beginning of my post to see if upgrading your firmware is a valid 1st step for you.
If it is not please let me know and I can provide more follow up information for the Legacy firmware.
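The addressing advice above (no overlap between the LAN DHCP range and the L2TP pool, and preferably a separate subnet so LAN-scoped firewall rules do not catch VPN clients) can be checked before the config is applied. The following is an added example, not code from the thread or from Teltonika, that takes the plan from the question (LAN 192.168.1.0/24, DHCP .1-.50, L2TP server .201, pool .202-.250) and the responder's suggested alternative (192.168.2.0/24) and reports errors for overlaps and a warning when the tunnel addresses share the LAN subnet. The function and its argument names are this example's own.

```python
import ipaddress


def _span(start, end):
    """Inclusive address range as a pair of ints; rejects a reversed range."""
    lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    if hi < lo:
        raise ValueError(f"range {start}-{end} is reversed")
    return lo, hi


def _overlaps(a, b):
    """True when two inclusive int ranges share at least one address."""
    return max(a[0], b[0]) <= min(a[1], b[1])


def check_l2tp_plan(lan_cidr, lan_dhcp, l2tp_server, l2tp_pool):
    """Validate an L2TP address plan against the router's LAN.

    lan_cidr:    router LAN network, e.g. "192.168.1.0/24"
    lan_dhcp:    (first, last) of the LAN DHCP range
    l2tp_server: tunnel-side address the router uses for L2TP
    l2tp_pool:   (first, last) handed out to L2TP clients
    Returns {"ok": bool, "same_subnet": bool, "findings": [str, ...]};
    'ok' is False when any finding is an ERROR.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    dhcp = _span(*lan_dhcp)
    pool = _span(*l2tp_pool)
    server = int(ipaddress.ip_address(l2tp_server))
    findings = []

    # Hard errors: two hosts could end up with the same address.
    if _overlaps(dhcp, pool):
        findings.append("ERROR: L2TP pool overlaps the LAN DHCP range")
    if dhcp[0] <= server <= dhcp[1]:
        findings.append("ERROR: L2TP server address lies inside the LAN DHCP range")
    if pool[0] <= server <= pool[1]:
        findings.append("ERROR: L2TP server address lies inside its own client pool")

    # Advisory: same subnet works without overlap, but LAN-wide firewall
    # rules will also apply to VPN clients, which is usually unintended.
    def in_lan(n):
        return ipaddress.ip_address(n) in lan

    same_subnet = in_lan(server) or in_lan(pool[0]) or in_lan(pool[1])
    ok = not any(f.startswith("ERROR") for f in findings)
    if same_subnet and ok:
        findings.append(
            "WARN: L2TP addresses share the LAN subnet; fine without overlap, "
            "but a separate subnet keeps LAN-only firewall rules off VPN clients"
        )
    return {"ok": ok, "same_subnet": same_subnet, "findings": findings}


if __name__ == "__main__":
    # Plan from the question: same subnet, no overlap -> ok with a warning.
    print(check_l2tp_plan("192.168.1.0/24", ("192.168.1.1", "192.168.1.50"),
                          "192.168.1.201", ("192.168.1.202", "192.168.1.250")))
    # Responder's suggestion: a separate 192.168.2.0/24 (here a /26-sized pool).
    print(check_l2tp_plan("192.168.1.0/24", ("192.168.1.1", "192.168.1.50"),
                          "192.168.2.1", ("192.168.2.2", "192.168.2.62")))
```

Run as-is it prints a warning for the shared-subnet plan and a clean result for the separate subnet; feeding it a pool such as .40-.60 against the same LAN DHCP range produces an ERROR, which is the case that silently breaks clients in practice.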
It appears our device cannot be upgraded, so we have decided to purchase a replacement device (RUT 956), which should hopefully make this config work as expected. I will provide an update when I get this sorted if the post hasn’t closed by then. I will also change the network for the L2TP pool in the new config.