Problems - IPv6 with Wireguard and bidirectional RS232 connection of two RUT956 routers

Dear Community

Unfortunately, I have come up against several hurdles in the configuration of two RUT956 routers. After many hours of configuration attempts and corresponding research, I would be very grateful for support, as there are obviously some important points that are unclear to me.

For a quicker explanation of the configuration I want, I have attached a corresponding diagram as an image.

If the configuration I am looking for with the RUT956 routers (and its configuration options) is possible at all in this form (I would be very happy to receive answers on this alone), I would first have the following questions:

  • Since no public IPv4 addresses are assigned in the 4G network in Germany (4G routers cannot be reached from outside via IPv4), I would like to use IPv6 (the corresponding option with a fixed IPv6 address is activated/booked in the LTE contract (Deutsche Telekom)). Here I need help with the correct configuration of the routers.
  • Can the RUT956 route its RS232 connection between two routers through a Wireguard VPN tunnel? What is the correct configuration here (the general Wireguard configuration is known)?

Unfortunately, my first hurdle here is a direct connection between the two routers via IPv6, which does not work. My lack of IPv6 knowledge is probably the main problem here.

I really hope for your help. Many thanks in advance!

Instead of IPv6, it is simpler to use a VPN service. Regarding the RS232 stuff, some custom coding is required, i.e. to simply tunnel serial data via the VPN to the partner. But this depends upon the complexity of the RS232 comms. As a VPN, you might use Tailscale, which is based on WireGuard.

Thank you for your suggestion.
An external VPN server/provider such as Tailscale is unfortunately not an option (data protection requirement of the IT department). The direct connection of the routers is also desired, as this is a time-critical application (the lowest possible latencies are required).

I use IPv6 WireGuard tunnels, so this must be doable if you have at least one fixed public IPv6 address, or a public but not static one you can put in a DDNS.

On the “server” side:

  • make sure your operator routes incoming udp packets to the mobile interface,
  • open a port (51820/udp by default) on the firewall. For that go to Network->Firewall->Traffic rules, add a rule to allow 51820/udp from wan wan6 mob1s1a1 to the local device. The rule will be something like:
    config rule '61'
            option src 'wan'
            option name 'Allow-51820'
            option target 'ACCEPT'
            option priority '17'
            list dest_port '51820'
            list proto 'udp'
            option enabled '1'
  • create a wg interface, generate a key pair, set the IP address in one of the private ranges (172.16.1.1/24 will do), set Listen port to 51820 and MTU to 1280,
  • add a peer, this is similar to an IPv4 one with Allowed IPs set to 172.16.1.2/32 + the lan network of the client,
  • check the created firewall zone, set wireguard=>lan to Accept/Accept/Accept and disable masquerading.

On the “initiator” side:

  • set an /etc/hosts entry for the remote if it is truly fixed, else use the dyndns entry of the server,
  • create a wg interface similar to the one above,
  • add a peer with IP address 172.16.1.2/24, Allowed IPs=172.16.1.0/24 + lan net of the server,
  • set the Endpoint host to the name or IPv6 address of the server,
  • the parameters of the firewall zone are the same as those on the server.

If you have any question …
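An added example, not part of the posts above and not Teltonika's code: the two sides from the last reply written in wg-quick syntax instead of RutOS WebUI fields, with a check that each side's Allowed IPs cover the other side's tunnel address and LAN. The keys are placeholders, and the LAN prefixes 192.168.1.0/24 (server) and 192.168.2.0/24 (client) and the 2001:db8::1 endpoint are assumptions.

```python
import configparser
import ipaddress

# Constructed wg-quick style configs mirroring the steps above. Keys are
# placeholders; LAN prefixes and the 2001:db8::1 endpoint are assumptions.
SERVER = """
[Interface]
PrivateKey = <server-private-key>
Address = 172.16.1.1/24
ListenPort = 51820
MTU = 1280
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 172.16.1.2/32, 192.168.2.0/24
"""
CLIENT = """
[Interface]
PrivateKey = <client-private-key>
Address = 172.16.1.2/24
MTU = 1280
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 172.16.1.0/24, 192.168.1.0/24
Endpoint = [2001:db8::1]:51820
"""

def load(text):
    # "=" only as delimiter, so IPv6 colons in values are left alone
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(text)
    return cfg

def check(local, remote, remote_lan):
    """Return problems in local's view of remote (empty list = consistent)."""
    problems = []
    nets = [ipaddress.ip_network(n.strip())
            for n in local["Peer"]["AllowedIPs"].split(",")]
    tunnel_ip = ipaddress.ip_interface(remote["Interface"]["Address"]).ip
    if not any(tunnel_ip in n for n in nets):
        problems.append(f"AllowedIPs misses peer tunnel address {tunnel_ip}")
    lan = ipaddress.ip_network(remote_lan)
    if not any(n.version == lan.version and lan.subnet_of(n) for n in nets):
        problems.append(f"AllowedIPs misses peer LAN {lan}")
    if local["Interface"].get("MTU") != "1280":
        problems.append("MTU differs from the 1280 suggested above")
    ep = local["Peer"].get("Endpoint")
    if ep and ":" in ep.rsplit(":", 1)[0] and not ep.startswith("["):
        problems.append("IPv6 literal endpoint must be written [addr]:port")
    return problems
```

Calling `check(load(CLIENT), load(SERVER), "192.168.1.0/24")` returns an empty list for the configs shown; dropping the server LAN from the client's AllowedIPs makes it report the missing prefix, which is the usual reason the tunnel comes up but the far LAN stays unreachable.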
