After setting up an RMS VPN Hub and connecting a RUT241 as a device client, the VPN tunnel establishes successfully but no traffic is forwarded from the VPN tunnel to the LAN interface. Devices on the LAN (in my case a Siemens S7-1200 PLC) are completely unreachable through the VPN, even though the tunnel is up, the RMS hub shows both client and device connected, and the firewall zone configuration appears correct in the WebUI.
The root cause is that the auto-created firewall zone rms_ojrRP4g has no covered network/interface assigned to it. The tunnel interface tun_c_ojrRP4g exists and is operational, but was never bound to the zone during RMS auto-provisioning.
---
That was a short review written by Claude; with its help I was able to connect my PLC via RUT241. It took a couple of hours of trying and testing. I am not networking savvy enough to be able to solve this; honestly, if it weren’t for AI I don’t think I would have solved this. I would probably try with a different version of firmware.
It’s a pity such bugs happen, anytime I try to establish a new connection there is some setting/issue, the first module I received actually had a bad power supply… And you think your settings are wrong or something that it just disconnects.
Anyway, it now connects. I had Claude write an extensive report of what was done (honestly it is gibberish to me), but it is a very long report and probably has some private information. I can share it directly with Teltonika hotline if there is such a wish.
Could you please share the solution that helped you resolve this issue? It may be beneficial for other community members facing a similar situation.
I attempted to replicate the issue on my end, but was unable to do so. After creating a VPN hub, the zone appeared as expected, and I only needed to enable masquerading under Firewall → Zones.
Could you also let me know if there was any prior configuration on the device that might have interfered with this behavior?
The zone does appear, but the Covered networks field inside the zone is empty — no interface is assigned. The tun device (tun_c_FUpNp8a) exists and is UP, and UCI shows device='tun_c_FUpNp8a' in the zone config, but the WebUI dropdown doesn’t list the tun interface as a selectable option. Masquerading was already enabled on the zone — that alone didn’t fix it.
To resolve the issue with accessing LAN devices through RMS VPN Hub, please apply the configuration directly in RMS and the router firewall, as the issue is related to missing routing/forwarding configuration rather than firewall persistence.
Please follow these steps:
1. Enable LAN forwarding in RMS VPN Hub
   In the RMS Portal:
   - Open VPN Hub
   - Select the relevant device
   - Enable LAN forwarding
   This allows VPN clients to access networks behind the router.
2. Add LAN route in RMS
   In the same VPN Hub configuration:
   - Go to Routes
   - Add the LAN subnet behind the router (e.g. 192.168.255.0/24)
   - Assign it to the correct device
   This ensures the VPN Hub knows which network is reachable through the router.
3. Check firewall zone on the router
   On the router WebUI:
   - Go to Network → Firewall → Zones
   - Locate the RMS/VPN-related zone
   - Ensure that:
     - Forwarding from VPN zone → LAN is enabled
     - Masquerading is enabled
4. Apply configuration
   - Save and apply changes on both RMS and router
   - Re-test connectivity to LAN devices
Important note: This issue does not require cron jobs or manual iptables rules. Those workarounds are typically used when firewall integration is incomplete, but in a correct RMS VPN Hub setup, routing and firewall forwarding should handle this natively.
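The settings discussed in this thread (the zone's covered network, its bound tun device, masquerading, and forwarding from the VPN zone to LAN) can be read back from the router's UCI firewall config in one pass. The following is an added example, not code from the thread or from Teltonika; it assumes the standard `uci show firewall` line format `firewall.<section>.<option>='value'` and a LAN zone named `lan`, and the function names, zone name and tunnel name in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: report what each rms_* firewall zone is bound to.
# On the router: uci show firewall | audit_rms_zones

audit_rms_zones() {
    # $1 = name of the LAN zone (assumption: "lan" unless given)
    awk -v lan="${1:-lan}" -v q="'" '
    {   # each line: firewall.<section>[.<option>]=<value>
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(q, "", val)                    # drop the quoting uci adds
        n = split(key, p, "[.]")
        if (n == 2) { type[p[2]] = val; order[++cnt] = p[2] }
        else if (n == 3) opt[p[2], p[3]] = val
    }
    END {
        for (i = 1; i <= cnt; i++) {        # collect zone-to-zone forwardings
            s = order[i]
            if (type[s] == "forwarding") fwd[opt[s, "src"], opt[s, "dest"]] = 1
        }
        for (i = 1; i <= cnt; i++) {        # one report line per rms_* zone
            s = order[i]; name = opt[s, "name"]
            if (type[s] != "zone" || name !~ /^rms_/) continue
            net = opt[s, "network"]; if (net == "") net = "-"
            dev = opt[s, "device"];  if (dev == "") dev = "-"
            printf "zone=%s network=%s device=%s masq=%d fwd_to_lan=%s\n",
                name, net, dev, (opt[s, "masq"] == "1"),
                (((name, lan) in fwd) ? "yes" : "no")
        }
    }'
}

# Constructed sample input (not taken from a real device).
sample_uci_firewall() {
cat <<'EOF'
firewall.1=zone
firewall.1.name='lan'
firewall.1.network='lan'
firewall.2=zone
firewall.2.name='rms_EXAMPLE'
firewall.2.device='tun_c_EXAMPLE'
firewall.2.masq='1'
firewall.3=forwarding
firewall.3.src='lan'
firewall.3.dest='wan'
EOF
}

sample_uci_firewall | audit_rms_zones
```

A `-` in the `network` or `device` column means that option is absent from the zone section, and `fwd_to_lan=no` means no forwarding section with the zone as source and the LAN zone as destination was found.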