I am currently evaluating the Conel LR77 v2 router for my customer, and so far I am very impressed. This is the first mobile router I have seen for LTE (4G) that has support for IPsec VPN.
This is a description of a problem I found when accessing devices behind the router over a VPN connection.
It all started when I tried to send a printout to an IP printer behind the LR77 router and it failed. I also tried to access the printer's web interface, but that also failed. The printer was, however, reachable using ICMP ping.
First I suspected that there were some general errors initiating TCP sessions from the other side of the VPN tunnel, but that was not the problem. There is a bug in the iptables configuration in the router.
There is a function in the router configuration to allow or disallow remote management:
I had disabled all unencrypted management functions from the WAN side of the router, and this option results in the following iptables configuration:
The last three lines are the "removed checkboxes" in the LAN setup page in the web GUI. The problem is that these rules do not only block access on the WAN interface: they also drop traffic that arrives decrypted from the IPsec tunnel and is destined for the LAN on the specified ports. Only the listed ports are matched, which is why ICMP ping still gets through while the printer's web interface does not. UDP port 161 is SNMP, which the Windows Standard TCP/IP printer port polls for printer status before it sends a job; with SNMP dropped, the print queue treats the printer as unavailable even though the printer itself is up.
Well, that is the problem. Is there a workaround? One option would be to enable all remote management ports again, but that is not very appealing, since it also exposes those services towards the WAN.
Luckily the Conel router gives you a lot of power. There is an option to add scripts that run whenever the router boots up.
The following script adds rules to the napt chain to allow traffic from all my local networks; I have a number of 192.168.x.0/24 networks.
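The post's own startup script did not survive on this page. What follows is an added example written for this article, not the author's script and not Conel's firmware code. It assumes the chain is called `napt` as the post says, assumes a set of management ports (TCP 80, TCP 443 and UDP 161, of which only UDP 161 is named on the page) and uses two constructed 192.168.x.0/24 subnets as placeholders. It also goes one step further than the post's "allow everything from my subnets" approach: the `-m policy --dir in --pol ipsec` match (an assumption about the router's iptables build, which needs the `xt_policy` module) restricts the exception to packets that really came out of the IPsec tunnel, so a packet from the WAN with a forged 192.168.x.y source address is not let through.

```shell
#!/bin/sh
# Added example for the LR77 post; not the author's script.
# Assumptions: chain name "napt" (from the post), the port list, the
# subnets and the availability of iptables' policy match.

# Subnets on the far side of the VPN that should reach the LAN (constructed).
VPN_NETS="192.168.10.0/24 192.168.20.0/24"

# Management ports the GUI drops. UDP 161 (SNMP) is the one from the post;
# the TCP entries are assumed for the sake of the example.
MGMT_PORTS="tcp/80 tcp/443 udp/161"

CHAIN="napt"

# Print the iptables command that lets one source subnet reach one port.
# "-I $CHAIN 1" puts the rule ahead of the DROP lines the web GUI generates.
# "-m policy --dir in --pol ipsec" only matches packets that were decrypted
# by IPsec, so the hole is not reachable from the plain WAN.
rule_for() {
    net="$1"
    proto="${2%/*}"
    port="${2#*/}"
    printf 'iptables -I %s 1 -m policy --dir in --pol ipsec -s %s -p %s --dport %s -j ACCEPT\n' \
        "$CHAIN" "$net" "$proto" "$port"
}

# Emit one rule per subnet/port combination.
build_rules() {
    for net in $VPN_NETS; do
        for pp in $MGMT_PORTS; do
            rule_for "$net" "$pp"
        done
    done
}

# Number of rules that build_rules emits; used as a sanity check.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# Execute the rules. Each insert is first tested with "iptables -C" so the
# script stays idempotent if the router runs it more than once.
# With DRY_RUN=1 the commands are only printed.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        check=$(printf '%s' "$cmd" | sed "s/ -I $CHAIN 1 / -C $CHAIN /")
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$cmd"
        elif ! eval "$check" 2>/dev/null; then
            eval "$cmd"   # needs root on the router
        fi
    done
}

# Only touch the firewall when explicitly asked, e.g. from the startup hook:
#   sh allow-vpn-mgmt.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

After the router has come up, `iptables -L napt -n --line-numbers` should show the ACCEPT lines above the three DROP lines from the GUI; if they land below, the `-I ... 1` insertion happened before the GUI's own rules were loaded and the script needs to run later in the boot sequence. If the policy match is not available on the device, dropping `-m policy --dir in --pol ipsec` gives the plain version the post describes, at the cost of trusting any packet whose source address claims to be one of the listed subnets.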
The result looks like this:
I do not claim to be an iptables expert, so I give you no warranty whatsoever on this solution. All I know is that this gives you the possibility to access your stuff on the LAN. Do not blame me if this opens up some other security problems.