Portforward to IPSEC net

I try to do a port forwarding from my rut951 thru a ipsec tunnel that is set up in the router.
If iam on the local network i can use paping to the network service, i have done the portforwarding to the ipaddress of the remote ipsec net address but it dont work externaly. do i need extra arguments?

My local network is


Our IPsec implementation does not use virtual network interfaces, thus port forwarding will not work for remote access. Instead, the remote and local IP addresses need to be added to the IPsec configuration:

Where the Local subnet will be the LAN of RUT951 (in your case and any other networks on the RUT951, and Remote subnet will be LAN (and any other network IP) reachable from the other side of the tunnel. Keep in mind, that these subnets need to be added on both sides of the tunnel.
Another thing to keep in mind, is that by default, the WebUI of RUT951 will not be reachable from the other side of the tunnel. In order to reach it, you will need to configure a traffic rule (Network → Firewall → Traffic Rules) that would look like so:

And in the Advanced settings, the Extra arguments field should contain the following argument:

-m policy --dir in --pol ipsec


If you’re still experiencing issues with reaching the remote subnet, please attach the screenshots of your configuration with the sensitive details removed.

Best regards,

Hi, Thank you for the replay but i have the ipsec set up and working . i need to recive data on port 18100 on the teltonika router and forward in the ipsec to an network service on the other end, as diagram below i have this set up on Conel routers but i want to start using teltonika routers.

When i ping the service fron the lan on the teltonika router i get replay, but it dont work with the portforwarding to the ipsec tunnel


IPsec will not be the best VPN to use for this use case, but we can still try configuring it. Assuming the “Incoming data on Port 18100” is on the WAN side, you can try editing your first rule to forward the traffic to the WAN zone, as that is where IPsec is considered to be in (currently no destination zone is chosen). is the datacenter IP address, correct?

Best regards,


That’s right it is on the WAN side, Yes, is the datacenters ipadress .
I tried to change the forwarding zone to WAN Zone but its did not work.

Best regards Robin

This topic was automatically closed after 15 days. New replies are no longer allowed.