Device: Teltonika OTD500 Firmware: OTD5_R_00.07.18.3 (Build date 2025-10-28) Topology summary: One firewall with a single physical WAN port. Managed switch in front. Two mobile routers provide two Internet uplinks (WAN1 = VLAN 3, WAN2 = VLAN 4). VLAN 2 is for management to reach the switch and OTD500
Goal
Use OTD500 to replace one of the old mobile routers.
Keep the existing design where the firewall’s single WAN port carries:
VLAN 3 = WAN1 (public IP to firewall)
VLAN 4 = WAN2 (public IP to firewall)
VLAN 2 = management
On the switch:
Port 5 (to firewall WAN): VLAN 2/3/4 tagged.
Port 1 (to the old router OTD500 replaces): that old router could send bridge WAN on VLAN 3 (tagged) and VLAN 2(tagged) for management.
Port 4 (to the other mobile router): VLAN 4 untagged (that device does not support VLAN tags).
This setup has worked for years.
Issue 1 — OTD500 with VLANs: public IP always lands on VLAN 2
What I need: OTD500 to provide the public IP to the firewall on VLAN 3 (like the old router), and management on VLAN 2.
What happens with OTD500:
Tried Passthrough and Bridge modes.
Tried binding the firewall WAN MAC in Passthrough and also without binding.
Switched the switch port toward OTD500 between tagged VLAN 3 and untagged access VLAN 3 (since it seems OTD500 cannot transmit WAN on a VLAN tag itself).
In all cases, if the public IP gets assigned at all it goes to the firewall’s VLAN 2 sub-interface, never to VLAN 3.
Issue 2 — IPsec S2S does not establish through OTD500 (Passthrough or Bridge)
EDIT: This one is solved.
Issue 3 — Inbound WireGuard doesn’t reach LAN server
For clarification purposes, could you please provide a drawn topology of your desired/current network configuration, with the IP addresses (non-public ones, of course) included?
Could you also clarify, whether you have any VLANs setup on the OTD500 itself? I believe that the VLAN configuration (at least the bigger part of it) must be done on the switch itself, not the OTD500, but just to be sure, the topology would help me out a lot in figuring this out properly.
Mobile router2
Bridge mode. Gives Public IP to one connected device
Switch settings:
VLAN2: static IP 192.168.188.3/24
Firewall settings:
VLAN2: static ip 192.168.188.1/24
VLAN3: DHCP (should get Public IP from OTD500)
VLAN4: DHCP (gets Public IP from mobile router2)
This should be pretty straightforward but havent figured it out yet. Im used to set mobile routers to bridge mode and disable pretty much everything else possible if needed.
On OTD500 you have to keep DHCP on even if you use passthrough / bridge?
I can’t take any more screenshots because I’ve removed the VLAN settings from the OTD500 device.
I couldn’t figure out the correct logic for how to assign a specific VLAN to the WAN interface — or where exactly that should have been done. Could you explain how that’s supposed to be configured?
I ended up solving it another way: I noticed that the OTD500 device can still be accessed via a static IP address, even when the WAN interface is set to bridge mode (this is pretty unusual). So I moved my second mobile router to the firewall’s LAN2 zone and created a separate external VLAN network under it.
In practice, I now have a virtual second WAN port on the firewall — even though there’s only one physical WAN port.
Regarding setting up a VLAN on the WAN interface, you would, as usual, create a new VLAN instance under the VLAN settings, and then you’d head to Network → WAN and press “Edit” on the WAN interface. Finally, you’d go to the “Physical settings” tab and assign the new VLAN interface to your WAN. More info can be found in these Wiki pages:
There should be a couple more, but you can find those in our Wiki, depending on what you need.
