
Struggling with TRBO IP Site Connect over VPN

radionx

Member
Joined
May 31, 2022
Messages
149
If BOTH sites are behind a CGNAT I see no chance to connect them directly. A router with a proper static IP would be needed which would interconnect these CGNATed nets.

For this, I'd recommend IPSEC, IKEv2.

I don't like L2TP, let alone PPTP.

A provider CGNAT will always interfere.
 

Dax50

Member
Joined
Oct 19, 2022
Messages
28
If BOTH sites are behind a CGNAT I see no chance to connect them directly. A router with a proper static IP would be needed which would interconnect these CGNATed nets.

For this, I'd recommend IPSEC, IKEv2.

A provider CGNAT will always interfere.
Both routers have a static IP in the private WAN network. Pinging works fine, so CGNAT shouldn't be a problem.
 

radionx

Member
Joined
May 31, 2022
Messages
149
Both routers have a static IP in the private WAN network. Pinging works fine, so CGNAT shouldn't be a problem.
Well, ICMP is another story...

By the way, what does a tracert between the two nets (WAN side) look like...?
 

Dax50

Member
Joined
Oct 19, 2022
Messages
28
Well, ICMP is another story...

By the way, what does a tracert between the two nets look like...?
But what scared me is that the UDP packets are routed to the network and the port forwarding seems to be correct.

Maybe the repeater needs to be in One subnet.
 

lynchy135

Member
Feed Provider
Joined
Jul 31, 2019
Messages
147
But what scared me is that the UDP packets are routed to the network and the port forwarding seems to be correct.
With port forwarding enabled, do you see packets correctly getting to the master? Are the master's replies not getting to the peer?
 

Dax50

Member
Joined
Oct 19, 2022
Messages
28
With port forwarding enabled, do you see packets correctly getting to the master? Are the master's replies not getting to the peer?
I posted the Wireshark logs earlier.
I see packets from the master to the peer and vice versa on both routers' LAN side.
 

lynchy135

Member
Feed Provider
Joined
Jul 31, 2019
Messages
147
But that’s what a VPN enables. Send over the routing tables.
This is not a traditional VPN. It's more like a private circuit (MPLS, T1, etc.). All it is doing is allowing the two routers to connect to each other through the telco.
 

belvdr

No longer interested in living
Joined
Aug 2, 2013
Messages
2,567
This is not a traditional VPN. It's more like a private circuit (MPLS, T1, etc.). All it is doing is allowing the two routers to connect to each other through the telco.
I am fully aware of that. It’s similar to MPLS. However if it is MPLS, then all you need are routes, no VPN.

If you’ve created an additional VPN on top of that, then you should be able to ping the private IPs.

Post the routing tables.
 

Dax50

Member
Joined
Oct 19, 2022
Messages
28
This is not a traditional VPN. It's more like a private circuit (MPLS, T1, etc.). All it is doing is allowing the two routers to connect to each other through the telco.
Exactly this.

I am fully aware of that. It’s similar to MPLS. However if it is MPLS, then all you need are routes, no VPN.

If you’ve created an additional VPN on top of that, then you should be able to ping the private IPs.

Post the routing tables.
Now, unfortunately, I have to differentiate a little further.

On the peer side I use a Teltonika RUTX11. The access point to the "private circuit" is determined via the APN of the 4G. This means that nothing else is configured in the router.

The master side has no SIM card but is connected to the internet via a Fritzbox. To get access to the "private circuit", which is not accessible from the internet, an OpenVPN client is active. The ISP/operator of the "private circuit" provides an OpenVPN server within the "private circuit". On the master side I use a Teltonika RUTXR1. On this side the router routes everything to the VPN server with these push options on the client side:
redirect-gateway def1
dhcp-option DNS 192.168.1.1
 

Dax50

Member
Joined
Oct 19, 2022
Messages
28
Forget my previous post:poop:

This is not a traditional VPN. It's more like a private circuit (MPLS, T1, etc.). All it is doing is allowing the two routers to connect to each other through the telco.
Exactly this.

I am fully aware of that. It’s similar to MPLS. However if it is MPLS, then all you need are routes, no VPN.

If you’ve created an additional VPN on top of that, then you should be able to ping the private IPs.

Post the routing tables.
Now, unfortunately, I have to differentiate a little further.

On the peer side I use a Teltonika RUTX11. The access point to the "private circuit" is determined via the APN of the 4G. This means that nothing else is configured in the router.

The master side has no SIM card but is connected to the internet via a Fritzbox. To get access to the "private circuit", which is not accessible from the internet, an OpenVPN client is active. The ISP/operator of the "private circuit" provides an OpenVPN server within the "private circuit". On the master side I use a Teltonika RUTXR1. On this side the router does not route everything to the VPN server.

Here is the master router and peer router routing.
 

Attachments: Master Routing.png (103.5 KB), Peer Routing.png (29.7 KB)

belvdr

No longer interested in living
Joined
Aug 2, 2013
Messages
2,567
Can you modify the routes? If the operator is truly providing you with a private network, then you should only need routes on either side pointing to the other.
  • Router 1
    • Add route for 192.168.178.0/24 with a gateway of 10.183.30.7
  • Router 2
    • Add route for 192.168.1.0/24 with a gateway of 172.21.25.4
If the routers allow you to add these routes, then try pinging from a device in the 192.168.1.0/24 subnet to the 192.168.178.0/24 subnet.
 

Dax50

Member
Joined
Oct 19, 2022
Messages
28
Can you modify the routes? If the operator is truly providing you with a private network, then you should only need routes on either side pointing to the other.
  • Router 1
    • Add route for 192.168.178.0/24 with a gateway of 10.183.30.7
  • Router 2
    • Add route for 192.168.1.0/24 with a gateway of 172.21.25.4
If the routers allow you to add these routes, then try pinging from a device in the 192.168.1.0/24 subnet to the 192.168.178.0/24 subnet.
I don't understand the 192.168.178.0/24 network. The 178 network is the LAN net of the Fritzbox / WAN network of router 1.

I think the way is this:

  • Router 1 ("Master" router behind the Fritzbox and with OpenVPN client) has the LAN net 192.168.1.0/24
    So I need a route: "route add 192.168.2.0 netmask 255.255.255.0 gw 10.183.30.7 dev br-lan"
  • Router 2 ("Peer" with 4G direct private WAN access) has the LAN net 192.168.2.0/24
    So I need a route: "route add 192.168.1.0 netmask 255.255.255.0 gw 172.21.25.4 dev br-lan"
But when I try to add the route in router 1 I get an error :-(
 

Attachments: Routes.png (196.7 KB)

belvdr

No longer interested in living
Joined
Aug 2, 2013
Messages
2,567
I think your device should be the tunnel interface. Look at the other routes.

You have a lot going on with the telco and this VPN box. I believe you’re going to need someone with hands on the controls, who understands the underlying architecture. I’d be surprised if your telco couldn’t help you with this.
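The route error discussed in the last few posts comes down to how a router validates a static route: the gateway named in "gw ..." has to be reachable through a directly connected route on the interface named in "dev ...", so pairing the tunnel-side gateway 10.183.30.7 with "dev br-lan" cannot work. The following Python model, added here as an example and not code from the thread or from Teltonika, replays that check with the addresses posted above. The interface names tun0 and wwan0, the /24 masks on the tunnel and 4G links, and the default routes are assumptions for the example; the thread does not show the exact error text.

```python
"""Route lookup and 'route add' sanity check for the two-router setup in this thread.

Addresses are the ones posted in the thread; interface names, subnet masks and
default routes are constructed assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                    # destination network in CIDR notation
    dev: str                       # outgoing interface
    gateway: Optional[str] = None  # next hop; None means directly connected (on-link)


class RoutingTable:
    def __init__(self, routes: List[Route]):
        self.routes: List[Route] = list(routes)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over the table, as a forwarding lookup does."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        best_len = -1
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best

    def add(self, route: Route) -> None:
        """Reject a route whose gateway is not on-link via the named interface.

        This mirrors the check Linux performs on 'route add ... gw GW dev DEV':
        GW must itself match a directly connected route on DEV, otherwise the
        add fails. (Assumed to be the error hit in the thread.)
        """
        if route.gateway is not None:
            via = self.lookup(route.gateway)
            if via is None or via.gateway is not None or via.dev != route.dev:
                raise ValueError(
                    f"nexthop {route.gateway} is not directly reachable via {route.dev}"
                )
        self.routes.append(route)


def build_router1() -> RoutingTable:
    """Master side (RUTXR1): LAN, WAN towards the Fritzbox, OpenVPN tunnel (tun0 assumed)."""
    return RoutingTable([
        Route("192.168.1.0/24", "br-lan"),
        Route("192.168.178.0/24", "eth1"),
        Route("0.0.0.0/0", "eth1", "192.168.178.1"),
        Route("10.183.30.0/24", "tun0"),       # tunnel subnet, /24 assumed
    ])


def build_router2() -> RoutingTable:
    """Peer side (RUTX11): LAN and the private-APN 4G link (wwan0 assumed)."""
    return RoutingTable([
        Route("192.168.2.0/24", "br-lan"),
        Route("172.21.25.0/24", "wwan0"),      # 4G link subnet, /24 assumed
        Route("0.0.0.0/0", "wwan0", "172.21.25.1"),
    ])


def try_add(table: RoutingTable, route: Route) -> Optional[str]:
    """Attempt the add and return the error text instead of raising."""
    try:
        table.add(route)
        return None
    except ValueError as exc:
        return str(exc)


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]:
    r1 = build_router1()
    r2 = build_router2()
    # The route tried in the thread: gateway on the tunnel, device set to the LAN bridge.
    err_lan = try_add(r1, Route("192.168.2.0/24", "br-lan", "10.183.30.7"))
    # The same route bound to the tunnel interface instead.
    err_tun = try_add(r1, Route("192.168.2.0/24", "tun0", "10.183.30.7"))
    try_add(r2, Route("192.168.1.0/24", "wwan0", "172.21.25.4"))
    # With both routes in place, LAN-to-LAN traffic resolves to the private-circuit interfaces.
    out1 = r1.lookup("192.168.2.10")
    out2 = r2.lookup("192.168.1.20")
    return err_lan, err_tun, out1.dev if out1 else None, out2.dev if out2 else None


if __name__ == "__main__":
    print(demo())
```

Running it shows the br-lan variant rejected and the tun0 variant accepted, after which a lookup for a host on the other LAN lands on the tunnel (router 1) or the 4G link (router 2). On the real routers the same information comes from the existing table: whichever interface already carries the 10.183.30.0 and 172.21.25.0 routes is the one the new static route has to use.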
 

radionx

Member
Joined
May 31, 2022
Messages
149
But that’s what a VPN enables. Send over the routing tables.
Something is off here...
I don't understand the 192.168.178.0/24 network. The 178 network is the LAN net of the Fritzbox / WAN network of router 1.

I think the way is this:

  • Router 1 ("Master" router behind the Fritzbox and with OpenVPN client) has the LAN net 192.168.1.0/24
    So I need a route: "route add 192.168.2.0 netmask 255.255.255.0 gw 10.183.30.7 dev br-lan"
  • Router 2 ("Peer" with 4G direct private WAN access) has the LAN net 192.168.2.0/24
    So I need a route: "route add 192.168.1.0 netmask 255.255.255.0 gw 172.21.25.4 dev br-lan"
But when I try to add the route in router 1 I get an error :-(
Do the logs on the routers show anything off?
 

Dax50

Member
Joined
Oct 19, 2022
Messages
28
I think your device should be the tunnel interface. Look at the other routes.

You have a lot going on with the telco and this VPN box. I believe you’re going to need someone with hands on the controls, who understands the underlying architecture. I’d be surprised if your telco couldn’t help you with this.
Unfortunately, the telecommunications provider does not help. He says that you have to take care of it yourself. I think I have already achieved a lot and there is not much missing to successfully ping the system.

Something is off here...

Do the logs on the routers show anything off?
The router shows the message which I get when I try to add the route by hand. I think there is a thinking error.

Interestingly, the same happens when I try to add the route to the second router. Attached is my try:
 

Attachments: Route_2.png (95.6 KB)

Firebuff880

Member
Joined
Aug 28, 2006
Messages
659
Location
Boynton Beach, FL
The most common issue in this would likely be NAT maps between sites and between the IP subnets of the end points.

As I said before, you have a network translation issue. I suspect that the source and target IPs are being rewritten in the packets by network traversal (AKA NATing a NATed packet). You need to resolve the connection so that the master and the peer are ONE hop away in the virtual subnets. I would also go with a more conventional router/firewall behind your ISP/cellular connections: WatchGuard, pfSense, OPNsense, Tailscale (WireGuard).
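The translation problem described in this post can be confirmed from the two Wireshark captures mentioned earlier in the thread: capture the same flow on the LAN side of each router, pair packets across the two points, and see which header fields changed in between. The Python below does that over constructed sample captures; it is an example added here, not code or data from the thread. The host addresses, the translated source 172.21.25.99, the UDP port 50000 and the payload labels are all assumptions; the IP identification field is used as the pairing key because a translator normally leaves it untouched.

```python
"""Pair the same UDP flow at two capture points and report header fields rewritten
in between. All packet data below is constructed sample input for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEADER_FIELDS = ("src", "sport", "dst", "dport")


@dataclass(frozen=True)
class Pkt:
    ip_id: int       # IP identification field, normally preserved across NAT
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def pair_key(p: Pkt) -> Tuple[int, bytes]:
    """Identity of a packet independent of its addresses: IP ID plus payload."""
    return (p.ip_id, p.payload)


def find_rewrites(capture_a: List[Pkt], capture_b: List[Pkt]) -> Dict[int, Optional[List[str]]]:
    """For each packet seen at A, list the header fields that differ at B,
    or None when the packet never shows up at B."""
    at_b = {pair_key(q): q for q in capture_b}
    result: Dict[int, Optional[List[str]]] = {}
    for p in capture_a:
        q = at_b.get(pair_key(p))
        if q is None:
            result[p.ip_id] = None
        else:
            result[p.ip_id] = [f for f in HEADER_FIELDS if getattr(p, f) != getattr(q, f)]
    return result


def summarize(rewrites: Dict[int, Optional[List[str]]]) -> List[str]:
    """Human-readable verdict per packet."""
    lines = []
    for ip_id, changed in sorted(rewrites.items()):
        if changed is None:
            lines.append(f"id {ip_id}: lost before the second capture point")
        elif changed:
            lines.append(f"id {ip_id}: rewritten {changed} -> a translator sits in the path")
        else:
            lines.append(f"id {ip_id}: unchanged -> plain routing, no NAT")
    return lines


# Constructed captures of peer -> master traffic (assumed IPSC port 50000).
PEER_LAN_OUT = [
    Pkt(1, "192.168.2.10", 50000, "192.168.1.10", 50000, b"IPSC-REG"),
    Pkt(2, "192.168.2.10", 50000, "192.168.1.10", 50000, b"IPSC-KEEPALIVE"),
]
MASTER_LAN_IN = [
    Pkt(1, "172.21.25.99", 50000, "192.168.1.10", 50000, b"IPSC-REG"),        # source rewritten
    Pkt(2, "172.21.25.99", 50000, "192.168.1.10", 50000, b"IPSC-KEEPALIVE"),  # source rewritten
]

# Constructed captures of the master's replies: it answers the address it saw.
MASTER_LAN_OUT = [
    Pkt(10, "192.168.1.10", 50000, "172.21.25.99", 50000, b"IPSC-REG-ACK"),
    Pkt(11, "192.168.1.10", 50000, "172.21.25.99", 50000, b"IPSC-KEEPALIVE-ACK"),
]
PEER_LAN_IN = [
    Pkt(10, "192.168.1.10", 50000, "192.168.2.10", 50000, b"IPSC-REG-ACK"),   # dst translated back
    # id 11 never arrives: the translator had no state for it
]


def demo() -> Tuple[Dict[int, Optional[List[str]]], Dict[int, Optional[List[str]]]]:
    forward = find_rewrites(PEER_LAN_OUT, MASTER_LAN_IN)
    reverse = find_rewrites(MASTER_LAN_OUT, PEER_LAN_IN)
    return forward, reverse


if __name__ == "__main__":
    fwd, rev = demo()
    print("\n".join(summarize(fwd) + summarize(rev)))
```

A rewritten source on the forward path means the master is answering the translator, not the peer, so the return path depends on translation state that can expire or never be created; that is the condition the post above wants removed by having master and peer one routed hop apart. Two caveats when applying this to real captures: a translator that also rewrites the IP ID breaks the pairing, and repeated keepalives with identical payloads need a timestamp window added to the key.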
 
