This RUTX50 router is connected as an OpenVPN client to our Firewall (VPN-Server).
Problem:
From the Firewall LAN I cannot reach the RUTX50 LAN.
Scenario:
LAN RUTX50: 192.168.4.0/24
VPN: 192.168.5.0/24
Firewall LAN: 192.168.6.0/24
Me: 192.168.6.5
Firewall: LAN 192.168.6.1 & VPN 192.168.5.1
RUTX: LAN 192.168.4.1 & VPN 192.168.5.2
I’m in the LAN of the Firewall.
I can ping the VPN-Client (RUTX50) via 192.168.5.2
I cannot ping the LAN of RUTX50 via 192.168.4.1
I see our firewall (192.168.6.1) → the routing and firewall rule accepts ICMP going over VPN.
Firewall Rule → Traffic from 192.168.4.0/24 over VPN into LAN (192.168.5.0/24) is allowed
Question:
How can I reach the RUTX LAN from the Firewall LAN?
How can I see logs showing which IP packets are blocked by the firewall?
Thanks for help - hope information is good to understand
In my trial and testing today, with no firewall, the PLC IP connected to the router LAN cannot be pinged from the PC; however, from the router web server under Troubleshooting, I can ping the PLC IP smoothly. I hope that can help us with regard to this problem.
You mentioned that the firewall isn’t Teltonika Networks-based, so the specific model and manufacturer are unknown in this context. Can you provide the manufacturer and model of the Firewall?
2. Routing Between Firewall LAN and RUTX LAN
To enable communication between the Firewall LAN and the RUTX LAN, you need to configure routing. If you’re using Teltonika Networks devices (like the RUTX series) as OpenVPN servers, they will automatically create the necessary routes when you set up OpenVPN clients. This means that if you’re using Teltonika’s OpenVPN server, routing happens automatically once the OpenVPN clients are configured.
Since you are not using Teltonika Networks devices as the OpenVPN server, you will need to refer to the firewall’s documentation for OpenVPN configuration to manually set up routing between the two networks.
3. Checking Blocked IP Packets in the Firewall Logs
To see which IP packets are being blocked by your firewall, you can use the following tools:
tcpdump: This command lets you monitor packets in real-time, helping to identify accepted and denied packets, both inbound and outbound. You can capture these packets to file and analyze them later using tools like Wireshark.
iptables: To see what rules are being applied by the firewall, use the command iptables -L -v -n
This will show you the rules and how many packets were affected by each rule.
Keep in mind that these tools are accessed via the Command Line Interface (CLI), not the WebUI, so you’ll need to interpret the output from the terminal.
4. Checking Firewall Traffic Rules on the RUTX50
Please follow the steps below to check if there is a firewall rule that allows you to move from OpenVPN to LAN of RUTX50.
Go to: Network > Firewall > Traffic Rules in the WebUI.
Verify that there is an Allow-Ping rule that permits traffic from the OpenVPN source zone to the LAN destination zone. This will allow pings to pass through.
Reference at our wiki: Please take a look at our wiki for more information about Firewall traffic rules - Teltonika Networks Wiki.
Take a look at the image below, which shows how the rule should look.
For more detailed assistance, please share the OpenVPN configurations of Server and Client (please avoid sharing sensitive information such as passwords or private keys) so we can provide specific advice.
Let me know if you need any further clarification or help!
The Firewall is pfSense and it’s hosting a VPN - Server. The firewall is virtualized.
2. Routing Between Firewall LAN and RUTX LAN
I checked the routing: I configured the Site-to-Site topology in the VPN-Server, so the server creates the routing itself if I add a remote network (in my case 192.168.4.0/24 from the RUTX50 LAN).
Upon reviewing your OpenVPN server routing configuration, I noticed that traffic destined for 192.168.4.0 is routed from 172.29.194.2 rather than through the OpenVPN interface. Please update the gateway to use the correct VPN interface and verify whether this resolves the issue.
Additionally, I observed that while your firewall allows outgoing pings directly from its own IP address, it does not permit them from the firewall LAN. You may want to review this configuration as well.
Please let me know if these steps help resolve the issue or if further assistance is needed.
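
Added example, not part of any post in this thread: a small Python check that does a longest-prefix lookup on a routing table and flags a remote-LAN route that does not leave through the VPN, which is the symptom described in the last reply. The tables are constructed from the addresses in the thread; the interface names (`ovpns1`, `wan`, `lan`) and the assumption that 172.29.194.2 sits on a non-VPN interface are illustrative.

```python
import ipaddress

VPN_NET = ipaddress.ip_network("192.168.5.0/24")   # tunnel network (from the thread)
RUTX_LAN = ipaddress.ip_network("192.168.4.0/24")  # LAN behind the RUTX50
VPN_IF = "ovpns1"                                  # assumed VPN interface name

# Constructed tables: (destination, gateway or None if directly connected, interface)
CONNECTED = [("192.168.6.0/24", None, "lan"), ("192.168.5.0/24", None, VPN_IF)]
BROKEN = CONNECTED + [("192.168.4.0/24", "172.29.194.2", "wan")]  # as in the last reply
FIXED = CONNECTED + [("192.168.4.0/24", "192.168.5.2", VPN_IF)]   # via the RUTX VPN address

def lookup(routes, dst):
    """Longest-prefix match: return (network, gateway, interface) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(n), gw, ifc) for n, gw, ifc in routes
               if addr in ipaddress.ip_network(n)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def check_remote_lan(routes, remote_lan=RUTX_LAN, vpn_net=VPN_NET, vpn_if=VPN_IF):
    """Return findings for the route toward the remote LAN (empty list = OK)."""
    probe = next(remote_lan.hosts())  # first host of the remote LAN, 192.168.4.1
    hit = lookup(routes, str(probe))
    if hit is None:
        return [f"no route covers {probe}"]
    net, gw, ifc = hit
    findings = []
    if ifc != vpn_if:
        findings.append(f"{net} leaves via {ifc}, expected {vpn_if}")
    if gw is None or ipaddress.ip_address(gw) not in vpn_net:
        findings.append(f"{net} gateway {gw} is not inside {vpn_net}")
    return findings

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED), ("missing", CONNECTED)):
        print(name, check_remote_lan(table) or "OK")
```

The same check applies in the other direction: the RUTX50 needs a route for 192.168.6.0/24 that points into the tunnel, otherwise replies from its LAN never return.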