Teltonika RUT-240 / RUT-950 poor wifi client performance (fix!)

I use a couple of Teltonika RUT-240 and RUT-950 routers. One of them I bring with me when I travel. To save 4G data I usually hook it up as a wifi client against the hotel wifi.

After a while I realized the performance was really poor, with a lot of packet loss and the connection dropping completely from time to time. I moved the router so the signal was good (about 90%) but still had problems.

When configuring the wifi client failover, I set interval to 60, track IP to three different addresses (8.8.8.8, 8.8.4.4 and 1.1.1.1), reliability 1, count 10, up 3, down 3. This is to make sure there is enough time to click through the hotel’s wifi portal page (before that you don’t have Internet connectivity and ping will fail).

When I scan for a new network, I look for the access point with the strongest signal and copy the BSSID (8 hex numbers separated with colons). In hotels there are often several access points for the same network name, and sometimes my router seems to switch between them. In the wireless configuration screen I paste the BSSID into the BSSID field for the network I am connecting to, making sure I always connect to the strongest one.

While I’ve been travelling, I have been a bit lazy and just left different hotels’ wifi in the configured network list (I might return some day, I thought). However, this seems to bog down the router. After I cleared the list of old wifi client configurations, my router became much faster and the connection was now really stable.

pfSense port forward to a NAT:ed IP-address located on the other side of an IPsec tunnel

This is kind of a special scenario, but it actually occurred for me. A port on the pfSense WAN should be NAT:ed to an IP-address located on a remote subnet via an IPsec tunnel. The problem was that the router on the other end of the tunnel did not route all its outgoing traffic over the tunnel. Only a few subnets behind the pfSense went through the tunnel; all other traffic used the router’s normal Internet connection.

In the image above, a port (123 in the example code below) on the pfSense (100.1.1.1) should be NAT:ed and port forwarded to 10.0.0.7. The NAT:ed, port-forwarded packets reached the intended host (10.0.0.7), but the replies probably went straight back out on the Internet instead of back through the tunnel.

I solved this by setting up a simple iptables proxy on a machine in one of the subnets at the pfSense site, which was reachable from 10.0.0.7 through the tunnel. See next image.

The proxy was made using iptables on an Ubuntu machine at 10.2.2.2. Both the proxy server on 10.2.2.2 and the host 10.0.0.7 could reach each other over the IPsec tunnel.

In pfSense I changed the NAT / port forward of port 123 from 10.0.0.7 to 10.2.2.2 (and deleted the existing states in pfSense from my previous tries; until I did that, this did not work).

The proxy server using iptables was set up like this (guide found here):

sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A PREROUTING -i ens160 -p udp --dport 123 -j DNAT --to 10.0.0.7
sudo iptables -t nat -A POSTROUTING -o ens160 -p udp --dport 123 -j SNAT --to-source 10.2.2.2
sudo iptables -t nat -A POSTROUTING -p udp --sport 123 -j SNAT --to-source 10.2.2.2

You will probably want to make sysctl ip_forward and iptables statements persistent over reboots.
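As an added example (not the original post’s commands), the same relay written as a script that can be run at every boot: each rule is added only if iptables -C says it is missing, and the FORWARD-chain accepts that a host with a DROP policy needs are included. The interface name ens160 and the addresses come from the post; the file name relay-rules.sh and the IPT/SYSCTL variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): re-runnable setup of the
# UDP/123 relay on the 10.2.2.2 Ubuntu host. IPT and SYSCTL can be pointed
# at a fake command for a dry run; ens160 is the interface name from the post.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Append a rule only if it is not already present (-C exits non-zero when the
# rule is missing), so running the script at every boot does not duplicate rules.
ensure_rule() {
  table=$1; chain=$2; shift 2
  if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
    echo "present: -t $table $chain $*"
  else
    "$IPT" -t "$table" -A "$chain" "$@"
  fi
}

# apply_relay IFACE PROTO PORT TARGET RELAY_IP
# Forwarded packets are DNATed to TARGET and SNATed to RELAY_IP, so the
# target's replies come back to the relay (and thus through the tunnel)
# instead of leaving via the remote site's own Internet connection.
apply_relay() {
  ifc=$1; proto=$2; port=$3; target=$4; relay=$5
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] || "$SYSCTL" -w net.ipv4.ip_forward=1
  ensure_rule nat PREROUTING -i "$ifc" -p "$proto" --dport "$port" -j DNAT --to-destination "$target"
  ensure_rule nat POSTROUTING -o "$ifc" -p "$proto" -d "$target" --dport "$port" -j SNAT --to-source "$relay"
  # Filter rules: only the relayed port is forwarded, plus the replies to it.
  ensure_rule filter FORWARD -i "$ifc" -o "$ifc" -p "$proto" -d "$target" --dport "$port" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  ensure_rule filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Runs only when installed under this name, e.g. called from /etc/rc.local at boot.
case "$0" in */relay-rules.sh) apply_relay ens160 udp 123 10.0.0.7 10.2.2.2 ;; esac
```

Calling the script from /etc/rc.local or a oneshot systemd unit makes the rules survive a reboot; alternatively run it once and save the result with iptables-persistent (netfilter-persistent save).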

Devolo Magic 2 wifi

Stable powerline connection on Devolo Magic 2 wifi mesh

Devolo Magic 2 wifi is a series of products made to create a mesh wifi network in your home, with multiple wifi access points connected to the router over the powerline network. It can sometimes be difficult to obtain a reliable, stable connection over the powerline, as noise on the powerline can interfere.

This is how I make it as stable as possible.

  • Do not connect the powerline adapter via an extension cord. It should be connected directly to the outlet.
  • Try to find outlets as close to the fuse box as possible. Especially for the unit connected to the router, because this unit will need to communicate well with all other units on the network.
  • If possible, connect the units to outlets that belong to the same phase. Even though a connection across different phases should be possible, it gives lower throughput and a less reliable connection.
  • If possible, use grounded outlets only. This makes it possible for the device to use MIMO technology instead of SISO. MIMO gives higher throughput and is more reliable. Screenshots: SISO mode (left) compared to MIMO mode (right).
  • In the powerline configuration, deselecting Automatic compatibility mode (recommended) and choosing VDSL 17a (default) seems to be most reliable for me. (In automatic mode the unit sometimes gets a very poor connection and needs to be rebooted in my case.)
  • The kit came with one router unit and two client units. After a while I was moving things around, and for a while I was only going to need coverage where one of the client units was located, so I disconnected the other. Now the wifi connection became very unstable for the clients, even though they were very close to the remaining unit. I just reconnected the disconnected Devolo unit and voila – the wifi connection became much more stable. Is it built into the design that there should be at least two Devolo units up and running?

Powerline ethernet and RFI

As an active radio amateur (aka “ham”), I am very keen on using equipment that does not cause radio interference (RFI). The Devolo units seem to stay well out of the amateur radio shortwave bands, but on citizens band (CB, or 27 MHz) that is not the case. Heavy RFI can be heard on the 27 MHz band.

Powerline ethernet / home plug and amateur radio

The above statement concerns listening on the shortwave. If you are a ham or radio amateur transmitting on the shortwave bands, you probably should just forget powerline ethernet / home plug systems. My Devolo just died with 100% packet loss when I was transmitting on the 20, 40 or 80 meter bands. In my case, I had to get rid of the powerline ethernet system and installed an Ethernet twisted pair network using shielded twisted pair cables (SFTP), grounding all ends of the cables. Well worth the trouble, and the noise levels actually decreased overall when doing this.

Automatic restart of IPSec VPN on Teltonika RUT-950 / RUT-240

At one location where I am using a Teltonika RUT-950 / RUT-240 router, the IPSec VPN can only be connected in one direction, outbound. Normally both ends can initiate the connection. The reason for this is that the router connects using 3G/4G and the provider only allows outbound traffic (i.e. “surf the Internet”). I need to buy an extra service for “fixed IP-address” in order to get their firewall removed from my service.

My IPSec VPN setup is based on a hostname updated through dynamic DNS. If the router reboots, it gets a new IP-address, and sometimes the router tries to connect the VPN before the dynamic DNS has been updated, causing the VPN connection to fail. The router then gives up and does not try to connect the VPN again. A manual workaround is to remote control a computer on the LAN side of the router, log in to the router, disable the VPN profile, save, enable it and save again. Now the VPN connects.

The Teltonika products are wonderful in many ways but I lack a way of restarting IPSec VPN via SMS. It is only possible to restart OpenVPN connections using SMS.

To avoid manual action to get the VPN up in a case like this, I have created a small script. It checks whether an IP-address on the other side of the tunnel responds to ping; if not, it restarts the IPSec VPN, which normally resolves the problem.

  • Log in to the Teltonika RUT-950 / RUT-240 using CLI or SSH.
  • Create a script /root/chk_vpn.sh with the following content, or download it with wget from CLI or SSH (the download is over plain HTTP, so read the file through before making it executable):
    wget http://heltech.se/filer/chk_vpn.sh

#!/bin/ash
# chmod +x chk_vpn.sh
# crontab -e -> */6 * * * * /root/chk_vpn.sh
# IP-address on the far side of the tunnel that only answers when IPSec is up
HOST=10.0.0.1

# LAN address of this router, used as the ping source so the packet enters the tunnel
LANIP=$(/sbin/ifconfig br-lan | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')
# Email settings (the password is stored in clear text: use a dedicated mailbox
# or an app password and keep this file readable by root only)
ROUTERNAME="MY ROUTER NAME"
EMAIL_SUBJECT="$ROUTERNAME: VPN restart"
EMAIL_BODY="$ROUTERNAME $LANIP: Ping $HOST failed, trying to restart VPN $(date)"
EMAIL_FROM="senders.email@gmail.com"
EMAIL_TO="recipients.email@gmail.lt"
EMAIL_USER="senders.email@gmail.com"
EMAIL_PASS="MYEMAILACCOUNTPASSWORD"
EMAIL_SERVER="smtp.gmail.com"
EMAIL_PORT="587"
#
if ping -I $LANIP -c5 $HOST > /dev/null; then
  logger "chk_vpn.sh: $HOST responded; VPN is up!"
else
  logger "chk_vpn.sh: $HOST did not respond; trying to restart VPN"
  # -tls1 forces TLS 1.0; newer mail servers reject it, so drop the flag if the handshake fails
  echo -e "subject:$EMAIL_SUBJECT\nfrom:$EMAIL_FROM\n$EMAIL_BODY" | sendmail -v -H "exec openssl s_client -quiet -connect $EMAIL_SERVER:$EMAIL_PORT -tls1 -starttls smtp" -f $EMAIL_FROM -au"$EMAIL_USER" -ap"$EMAIL_PASS" $EMAIL_TO
  /usr/sbin/ipsec restart
fi

(The date in the code above is a command substitution: our WP editor removes back quotes, so it is written as $(date) here.)

  • Edit the file chk_vpn.sh and replace the IP-address on the HOST= line with an IP-address on the other side of the tunnel that you know should be up at all times and responds only when the IPSec VPN is up, for example the LAN interface of the other router.
    Change all lines regarding email to your email server’s settings and credentials.
  • chmod +x chk_vpn.sh
  • Check from the router’s CLI or SSH that you can ping the IP-address (if you mistakenly enter an IP-address that does not respond to ping even though the IPSec VPN is up, your VPN will be disrupted 10 times per hour).
    You must use ping -I 192.168.0.1 10.0.0.1 where 192.168.0.1 should be replaced with your router’s LAN interface IP-address and 10.0.0.1 replaced with the ping:able IP-address on the other side of the tunnel.
  • Test the script by running it from CLI or SSH: enter the command ./chk_vpn.sh, then go to System -> Administration -> Troubleshoot -> Show syslog and look for the chk_vpn.sh line (probably the last row) to verify that it could ping the host on the other side of the tunnel.
  • Edit the crontab by entering the command crontab -e and add the following line:

*/6 * * * * /root/chk_vpn.sh

  • Exit vi (ESC then :wq and enter)

This will check the VPN connection 10 times per hour and if necessary restart it.
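An added example, not the chk_vpn.sh above and not Teltonika’s code, that addresses the disruption risk mentioned in the steps: IPSec is restarted only after a number of consecutive failed checks and never more often than a cooldown, so a far-side host that is down for some other reason cannot trigger a restart every six minutes. The state directory /tmp/chk_vpn, the thresholds and the file name chk_vpn_safe.sh are assumptions.

```shell
#!/bin/sh
# Added example (not heltech.se's chk_vpn.sh): same ping check, but IPsec is
# restarted only after MIN_FAILS consecutive failed runs and at most once per
# COOLDOWN seconds. Counters live in STATE_DIR (assumed /tmp/chk_vpn).
HOST="${HOST:-10.0.0.1}"            # far-side address that answers only via the tunnel
STATE_DIR="${STATE_DIR:-/tmp/chk_vpn}"
MIN_FAILS=2                         # 2 failed runs = 12 minutes with */6 in crontab
COOLDOWN=1800                       # seconds between two restarts

# read_num FILE: print the integer stored in FILE, or 0 if it does not exist.
read_num() { [ -f "$1" ] && cat "$1" || echo 0; }

# record_result OK: OK=0 resets the failure counter, anything else increments
# it; prints the new consecutive-failure count.
record_result() {
  f="$STATE_DIR/fails"; mkdir -p "$STATE_DIR"
  if [ "$1" -eq 0 ]; then echo 0 > "$f"; else echo $(( $(read_num "$f") + 1 )) > "$f"; fi
  cat "$f"
}

# should_restart FAILS NOW LAST_RESTART: exit 0 only when the failure threshold
# is reached and the cooldown since the last restart has elapsed.
should_restart() {
  [ "$1" -ge "$MIN_FAILS" ] || return 1
  [ $(( $2 - $3 )) -ge "$COOLDOWN" ] || return 1
  return 0
}

main_check() {
  LANIP=$(/sbin/ifconfig br-lan | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')
  if ping -I "$LANIP" -c 5 "$HOST" > /dev/null 2>&1; then ok=0; else ok=1; fi
  fails=$(record_result "$ok")
  now=$(date +%s); last=$(read_num "$STATE_DIR/last_restart")
  if [ "$ok" -eq 0 ]; then
    logger "chk_vpn_safe.sh: $HOST responded; VPN is up"
  elif should_restart "$fails" "$now" "$last"; then
    logger "chk_vpn_safe.sh: $HOST failed $fails times; restarting IPsec"
    echo "$now" > "$STATE_DIR/last_restart"
    /usr/sbin/ipsec restart
  else
    logger "chk_vpn_safe.sh: $HOST failed $fails times; below threshold or in cooldown"
  fi
}

# Runs only when installed as /root/chk_vpn_safe.sh (crontab: */6 * * * * /root/chk_vpn_safe.sh).
case "$0" in */chk_vpn_safe.sh) main_check ;; esac
```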

Edit: 5 October 2022: Added LANIP as source

Cisco RV160 IPv6 configuration

This is how I configured an IPv6 address received dynamically from my ISP. This is not to be confused with using a 6to4 tunnel service, which is something completely different. In this case a real IPv6 address is received from the ISP using DHCPv6 or SLAAC.

In this setup the IPv6 LAN side is bridged with the IPv6 WAN side, so the LAN subnet is a part of the larger WAN subnet. Firewall rules will apply even though it is a bridged, not routed setup.

  1. Go to WAN -> WAN settings -> IPv6 Settings and select DHCP, check DHCP-PD and enter “0” for Prefix name. Apply.
  2. Go to Status and Statistics -> IPv6 tab and verify that you get an IPv6 address from your provider (starting with 2a02 in my case).
    Cisco RV160 IPv6
  3. Go to LAN -> VLAN Settings and select vlan 1, click edit button.
    Cisco RV160 IPv6
    In the IPv6 sections, select prefix from WAN 0, in my case address beginning with 2a02 and /48 size.
    Enter 0 for suffix, 64 for prefix length, leave DHCP Type disabled. Apply.
  4. Go to LAN -> Router advertisement and click Enable, select Unicast, do not select Managed or Other. Make sure the IPv6 prefix is visible in the Prefix table.

Done.

Config Cisco Nexus L3 vlan routing IPv6

Config Cisco Nexus L3 vlan routing IPv6

This is a simple how-to for making a Nexus switch do L3 routing while the connected access switches stay on L2 switching. If you have a router between the Internet and the router switch, make sure it has a static route configured to the two vlan networks.

Router Switch

no system default interface-vlan autostate (brings up the vlan)

conf t

vlan 10  (creates vlan 10 L2)

name Servers vlan 10

exit

vlan 20 (creates vlan 20 L2)

name Servers vlan 20

exit

feature interface-vlan  (Converts L2 vlan 10 to L3 vlan 10)

interface vlan 10

ipv6 address 2001:db8::/50

no ip redirects

exit

feature interface-vlan  (Converts L2 vlan 20 to L3 vlan 20)

interface vlan 20

ipv6 address 2001:db8:0:4000::/50

no ip redirects

exit

interface ethernet 1/1 (creates tagged vlan port to access sw1)

description To Access Sw1

switchport

switchport mode trunk

no shutdown

exit

interface ethernet 1/2 (creates tagged vlan port to access sw2)

description to Access Sw2

switchport

switchport mode trunk

no shutdown

exit

interface ethernet 1/3 (Creates the link network port)

description to Internet

no switchport

ipv6 address 2001:db8:1000:8000::1/64

no shutdown

exit

ipv6 route ::/0 2001:db8:1000:8000::2 (makes default route to next hop router)

copy running-config startup-config

Access Sw1

conf t

vlan 10 (creates vlan 10 L2)

name Servers vlan 10

exit

vlan 20 (creates vlan 20 L2)

name Servers vlan 20

exit

interface ethernet 1/1 (creates tagged vlan port to Router switch)

description To Router Switch

switchport

switchport mode trunk

no shutdown

exit

interface ethernet 1/2 (creates untagged vlan 10 port to servers)

description Access vlan 10

switchport

switchport mode access vlan 10

no shutdown

exit

interface ethernet 1/3 (creates untagged vlan 20 port to servers)

description  Access vlan 20

switchport

switchport mode access vlan  20

no shutdown

exit

copy running-config startup-config

Access Sw2

conf t

vlan 10 (creates vlan 10 L2)

name Servers vlan 10

exit

vlan 20 (creates vlan 20 L2)

name Servers vlan 20

exit

interface ethernet 1/1 (creates tagged vlan port to Router switch)

description To Router Switch

switchport

switchport mode trunk

no shutdown

exit

interface ethernet 1/2 (creates untagged vlan 10 port to servers)

description Access vlan 10

switchport

switchport mode access vlan 10

no shutdown

exit

interface ethernet 1/3 (creates untagged vlan 20 port to servers)

description  Access vlan 20

switchport

switchport mode access vlan  20

no shutdown

exit

copy running-config startup-config

Config Cisco Nexus L3 vlan routing IPv4

This is a simple how-to for making a Nexus switch do L3 routing while the connected access switches stay on L2 switching. If you have a router between the Internet and the router switch, make sure it has a static route configured to the two vlan networks.

Router Switch

no system default interface-vlan autostate (brings up the vlan)

conf t

vlan 10  (creates vlan 10 L2)

name Servers vlan 10

exit

vlan 20 (creates vlan 20 L2)

name Servers vlan 20

exit

feature interface-vlan  (Converts L2 vlan 10 to L3 vlan 10)

interface vlan 10
ip address 1.1.1.1/24
no ip redirects

exit

feature interface-vlan  (Converts L2 vlan 20 to L3 vlan 20)
interface vlan 20
ip address 2.2.2.2/24
no ip redirects

exit

interface ethernet 1/1 (creates tagged vlan port to access sw1)
  description To Access Sw1
switchport 
switchport mode trunk
  no shutdown

exit

interface ethernet 1/2 (creates tagged vlan port to access sw2)
  description to Access Sw2
switchport 
switchport mode trunk
no shutdown

exit

interface ethernet 1/3 (Creates the link network port)
description to Internet
no switchport
ip address 3.3.3.1/30
no shutdown

exit

ip route 0.0.0.0 0.0.0.0 3.3.3.2 (makes default route to next hop router)

copy running-config startup-config

Access Sw1

conf t

vlan 10 (creates vlan 10 L2)

name Servers vlan 10

exit

vlan 20 (creates vlan 20 L2)

name Servers vlan 20

exit

interface ethernet 1/1 (creates tagged vlan port to Router switch)
description To Router Switch
switchport 
switchport mode trunk
no shutdown

exit

interface ethernet 1/2 (creates untagged vlan 10 port to servers)
description Access vlan 10
switchport 
switchport mode access vlan 10
no shutdown

exit

interface ethernet 1/3 (creates untagged vlan 20 port to servers)
description  Access vlan 20
switchport 
switchport mode access vlan  20
no shutdown

exit

copy running-config startup-config

Access Sw2

conf t

vlan 10 (creates vlan 10 L2)

name Servers vlan 10

exit

vlan 20 (creates vlan 20 L2)

name Servers vlan 20

exit

interface ethernet 1/1 (creates tagged vlan port to Router switch)
description To Router Switch
switchport 
switchport mode trunk
no shutdown

exit

interface ethernet 1/2 (creates untagged vlan 10 port to servers)
description Access vlan 10
switchport 
switchport mode access vlan 10
no shutdown

exit

interface ethernet 1/3 (creates untagged vlan 20 port to servers)
description  Access vlan 20
switchport 
switchport mode access vlan  20
no shutdown

exit

copy running-config startup-config

pfsense IPsec phase 1 disable rekey

pfsense IPsec VPN tunnel disconnects after 8 hours

I’ve been troubled by the annoying disconnection of the IPsec VPN tunnel on a pfsense firewall. The tunnel disconnects after about 8 hours.

The solution in my case was to enable “Disable rekey”, which “Disables renegotiation when a connection is about to expire.” The setting is found under Phase 1 advanced settings.

Disable rekey setting under Phase 1 Advanced settings