RUT901: RMS VPN: I can ping device (RUT) but not end device (PLC)

Hi

I’m testing a RUT901 before placing it in the customer’s place.

Info:

  • My RUT IP: 192.168.100.1
  • My Schneider PLC: static IP 192.168.100.3, LAN connected
  • My Windows 11 machine, when connected to RUT: IP gotten through DHCP, wireless connected

In this local configuration:

  • I can ping myself through the assigned IP
  • I can ping the RUT through 192.168.100.1 and access its config page through HTTP.
  • I can ping the PLC through 192.168.100.3

I added the device (RUT) to https://rms.teltonika-networks.com/ and I’m using RMS VPN → VPN hubs

Followed the steps on video https://www.youtube.com/watch?v=dfAudZR2wPY

In this RMS VPN configuration:

  • I can ping myself through the OpenVPN assigned IP
  • I can ping the RUT through 192.168.100.10 and access its config page through HTTP. This IP was the one that is shown in General / Sessions
  • I CAN NOT ping the PLC through 192.168.100.3

Following another post’s suggestion, I logged into the RUT device config page, headed to Network → Firewall → Zones and set the Masquerading option in “lan⇒wan” to ON. For some reason it was OFF. In the other zones it was already ON.

Still can’t ping the PLC through 192.168.100.3. What am I doing wrong? Thank you!

Screenshots:

[Screenshot: RMS VPN, VPN hubs, General, Sessions]

Hello,

Here’s the issue:

You have set up a route directly to the 100.3 device via the /32 netmask. Instead, your route should be:

192.168.100.0 / 255.255.255.0 / via RUT901

This will cover the entire 100.0 subnet and will allow you to ping any devices under it.

Please delete your current route, add the route I’ve described above, give your hub a restart after doing so, and test again.

Regards,

M.

Hi MatasR. Thanks for your reply.

I followed the video steps, where they demo how to use the RMS / VPN to access a camera. Very similar to my scenario. And it worked in the video.

Basically, in the router section, I selected the automatic discovery of end devices. They presented all found, I clicked the one I’m interested in (the PLC 192.168.100.3), and selected ADD. It created that route for me.

The automatically created route made sense to me, as with the netmask 255.255.255.255 (i.e., all /32 bits reserved for the host), I thought I was basically only opening the desired host. No need to open up all the 255 range of addresses, as with a 255.255.255.0 netmask.

Anyway, I’ll try your suggestion (I don’t have access to the route right now).

Could you (or someone else) explain if my thought process was correct or why it isn’t? How to open access to just one end device / host?

Actually, after reviewing your initial query again, I would like to apologize, as I prioritized answering quickly.

A thing I’ve noticed is that you’ve changed the default VPN server configuration:

By default, the Virtual Network IP address is 192.168.255.0. We don’t usually change this at all, and technically speaking, it shouldn’t cause issues either, but I believe this would cause an IP conflict between your LAN (which is also 192.168.100.0/24) and the server address, which you’ve set to the same LAN.

When it comes to your questions, you did everything like it was supposed to be done, no issues whatsoever. Changing from a direct IP to the entire subnet is just good practice if there’s a need to add more than a single device, or to reach the RUT + the end device without having to create multiple routes.

Regards,

M.
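
An added example, not part of either poster's replies and not Teltonika's own code: a Python check of the addressing plan discussed above, flagging a virtual network that overlaps the LAN and showing what a /32 route covers compared with a /24 route. The /24 mask on the originally posted virtual network and all function names are assumptions; it checks addressing only, not firewall zones.

```python
from ipaddress import collapse_addresses, ip_address, ip_network

def check_vpn_plan(virtual_net, lan_net, routes, targets):
    """Check a routed VPN hub addressing plan.

    Returns (conflicts, reach, exposed):
      conflicts - list of addressing problems found
      reach     - target IP -> most specific route covering it, or None
      exposed   - number of LAN addresses the routes open to VPN clients
    """
    vnet, lan = ip_network(virtual_net), ip_network(lan_net)
    # strict=False accepts a host address with a mask (x.x.x.3/255.255.255.255)
    nets = [ip_network(r, strict=False) for r in routes]

    conflicts = []
    if vnet.overlaps(lan):
        conflicts.append(f"virtual network {vnet} overlaps LAN {lan}")
    for n in nets:
        if not n.subnet_of(lan):
            conflicts.append(f"route {n} is not inside LAN {lan}")

    reach = {}
    for t in targets:
        covering = [n for n in nets if ip_address(t) in n]
        best = max(covering, key=lambda n: n.prefixlen, default=None)
        reach[t] = str(best) if best is not None else None

    # Collapse first so overlapping routes are not counted twice.
    exposed = sum(n.num_addresses for n in collapse_addresses(nets))
    return conflicts, reach, exposed

# Constructed sample plans using the addresses quoted in the thread.
TARGETS = ["192.168.100.3", "192.168.100.1"]  # PLC, RUT LAN address
PLANS = {
    "as first posted": ("192.168.100.0/24", ["192.168.100.3/255.255.255.255"]),
    "subnet route":    ("192.168.255.0/24", ["192.168.100.0/255.255.255.0"]),
    "single host":     ("192.168.255.0/24", ["192.168.100.3/255.255.255.255"]),
}

def run_plans(lan="192.168.100.0/24"):
    return {name: check_vpn_plan(vnet, lan, routes, TARGETS)
            for name, (vnet, routes) in PLANS.items()}

if __name__ == "__main__":
    for name, (conflicts, reach, exposed) in run_plans().items():
        print(f"{name}: conflicts={conflicts} reach={reach} exposed={exposed}")
```

The single-host plan covers only the PLC, while the subnet route opens all 256 LAN addresses to hub clients.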

Hi MatasR. Thanks again for your reply and for noticing the change I had made to the Virtual Network IP address. I had done that in “desperation”. Changed back to 192.168.255.0, but no success solving the problem.

Also changed the route:

As expected, the new virtual addresses, as displayed in the sessions are now based on this value:

(btw, I noticed in the original post I uploaded the wrong screenshot for sessions)

As before, I can ping and access the device (RUT) config page, through the IP shown in the sessions: now through 192.168.255.10 instead of 192.168.100.10 as it was before. I also don’t understand why it is 192.168.xxx.10 and not 192.168.xxx.1. What if I wanted to access the .10 end device?

Nevertheless, I can only ping myself (192.168.255.6) and the router (192.168.255.10). Not the PLC (expected it would be 192.168.255.3).

Any suggestions? Should I change some configurations in the router config pages?
I’m using OpenVPN software, and using the ovpn file downloaded from my RMS user. Should I try to use the built-in VPN from Windows 11? Would it help? (nevertheless, I’m currently able to access the router page through 192.168.255.10…).

Also strange is that pinging 192.168.255.4 gives “Destination host unreachable.” instead of “Request timed out.”. Tested pinging several addresses (from .1 to .25) and besides .6 (me) and .10 (router) that work ok, all gave “Request timed out.” error, except the .4 that gave “Destination host unreachable.”.

Any suggestions? Any way to “debug” where the problem / problems are?

Thanks.

Hello,

I’ve sent you a form to fill out so we can continue our conversation in private, to avoid accidentally leaking any sensitive information. In the Ticket ID field, simply enter the thread’s number, which is **14911**.

Thank you,
M.

Hi. Just filled and submitted the form. Will this now create a ticket, accessible through a different place?
Just fyi, I’ll be on vacation (for one week) without computer, starting this Sunday.
Thank you.

Yep, communication continues through e-mails. Have a nice vacation!

Regards,

M.

Hi

So, can you follow up by email?
What should I do now?

Thank you.

Hi,

Have you tried adding the RMS zone to the LAN → WAN?

I had a similar problem and this worked for me.

Kind Regards,

GV