Problem
Remote access to the WebUI of a Teltonika router was set up but was denied by the router with the message "Forbidden Rejected request from RFC1918 IP to public server address".
Cause
If the SIM card used in the router receives an IP address from the subnet 100.x.x.x, such as with
- Conexa SIM
- KPN SIM (SIMPro) → after KPN Mobile Core Migration
- 'mdex EASY SIM' (mCOP) → after KPN Mobile Core Migration
the RFC1918 filter of the Teltonika router categorises these as public IP addresses and refuses remote access if the remote access is initiated from a private sender IP address.
Which remote accesses are affected?
If one of the VPN tunnels listed below is used, remote access takes place with a private sender IP address, which is why it is rejected by the router’s RFC1918 filter:
- WL Connect Tunnel / SSL VPN
- WL OpenVPN
- WL IPsec VPN
-
mdex Control station device
Which remote accesses are unrestricted?
Remote accesses via web.direct or the DevicePro SIM Tunnel are unrestricted, as a public IP address is used as the sender here.
If the SIM card is reachable via a public IP address (public IP) from the internet, remote access also takes place with a public sender IP address and is unrestricted.
Solution
Teltonika routers preconfigured by Wireless Logic mdex and shipped from November 2023 have the RFC1918 filter (option 'Ignore private IPs on public interface') disabled, allowing unrestricted remote access via all VPN tunnels.
If remote access is denied with the above-mentioned "Forbidden" message, the RFC1918 filter in the Teltonika router must be disabled:
- Log in to the router; see also Local Access to the Router Web Interface (WebUI)
- Go to System -> Administration -> Access Control
- In the WebUI section, disable the following option depending on the firmware version used:
From RutOS7 Firmware R_00.07.10:
Click 'Edit' on the desired service, e.g. HTTPS:
To disable the RFC1918 filter, set the option 'Ignore private IPs on public interface' to 'off':
Up to RutOS7 Firmware R_00.07.09:
To disable the RFC1918 filter, set the option 'Ignore private IPs on public interface' to 'off':
Legacy Firmware:
Disable the option 'RFC1918 Filter':
- Scroll down and click 'Save & Apply'.
- Remote access to the router’s WebUI should now be possible.