Description:

Operating LTA on a LANCOM router (LCOS) normally requires two gateways: one dedicated LTA gateway and one that provides Internet access. The reason is that the firewall rules the LMC creates automatically for LTA access carry the routing tag of the accessible network (usually the INTRANET with routing tag 1). An LTA user therefore cannot communicate with any other network, because those networks use other routing tags.

To enable communication with other networks, the automatically created firewall rules must be given the correct routing tags. Because the LMC generates these rules itself, this has to be done with an Add-in script.

This article describes how to use an Add-in to enable an LTA user to communicate with other networks and to allow the same gateway to be used for both Internet and LTA access.

LANCOM R&S®Unified Firewalls can be used as combined Internet and LTA gateways without further configuration, as they do not use routing tags.

A separate firewall rule is created for each network and each LTA user. For an LTA user to communicate with other networks, the rules for each of those networks must be adjusted individually, so the number of commands grows with the number of users times the number of networks. Consequently the configuration can quickly become very complex! The procedure described below is therefore intended for smaller scenarios.


Requirements:


Scenario:

In an LTA scenario, the following networks are configured:

  • INTRANET: Network address 10.0.0.0/8, VLAN untagged, routing tag 1
  • Intranet2: Network address 192.168.10.0/24, VLAN 10, Routing tag 10, Name of the LTA connection target NETWORK10
  • Intranet3: Network address 192.168.20.0/24, VLAN 20, Routing tag 20, Name of the LTA connection target NETWORK20

Image displaying a technical configuration menu listing network status, names, IP range settings, and VLAN configurations with internet connectivity options.

There is an LTA access account with the name LTA-USER. Since the INTRANET is the accessible network, LTA-USER is already able to communicate with this network. However, communication with the Intranet2 and Intranet3 networks is not possible due to the different routing tags.

By adjusting the routing tags in the firewall rules, the LTA-USER will be able to communicate with all networks.


Procedure

1) Importing the Add-in:

1.1) Download the following add-in.

LCOS Firewall-Rule.json

For further information about this Add-in, see our add-ins manual:

Configuring firewall rules

1.2) In the LMC, go to the Add-ins menu and click Import

Screenshot of a technical dashboard displaying security status, with sections for Sites indicating No Addins found for the current filter settings and a Devices section showing 0 of 0 selected under Project specifications.

1.3) Click Select file and then select the Add-in.

Screenshot of a software interface displaying the 'Addins Import' function where users can import add-ins from a JSON file, with options to select files and warnings about overwriting existing add-ins with the same names if the overwrite option is enabled.

1.4) Select the Add-in FirewallRule and then click Import.

Screenshot of a software interface showing the Addins import function, allowing users to import Addins and variables from a JSON file, with options to overwrite existing items if they have identical names.

1.5) Confirm the message by clicking Close.

Screenshot of a software interface displaying a confirmation message that data has been imported successfully.



2) Reading out the network information:

If necessary, repeat this step for additional LTA users.

2.1) In the LMC, go to the Devices menu and click the Name of the LTA gateway to access the detailed configuration.

Screenshot of a network management dashboard displaying device status, networks, activation codes, and security filters, with options to add devices and sites.

2.2) Switch to the tab Detail configuration and click on Rollout configuration (preview) to display the configuration components automatically created by the LMC.

Screenshot of a complex technical configuration interface showing various system settings such as WiFi, device details, and configuration comparisons.

2.3) In the Detail configuration, go to the menu Firewall/QoS → IPv4 Rules → Rule table.

A screenshot of a network management interface displaying various configurable options including Firewall QoS, IPv Rules, DNS settings, Object Table, Rule Table, and others, for setting and managing firewall objects and rules to secure and optimize network performance.

2.4) Click on the Firewall rule of the second network (in this example Intranet2) to view the parameters of the rule. 

The name of the firewall rule is saved in the format LTA-<Name of the LTA connection target>. This results in Intranet2 being given the name LTA-NETWORK10 and Intranet3 getting the name LTA-NETWORK20 (also see the scenario description).

A screenshot of a network management interface displaying various configurations and firewalls settings, including protocols, destination actions, filters, and rules for device connectivity and security.

2.5) Copy the values of the following parameters into a text file.

  • Name of this rule
  • Protocols
  • Source
  • Destination
  • Actions
  • Source tag

Screenshot of the firewall rule LTA-NETWORK10: protocols ANY, source LTA-USER, destination ANY LO^NETWORK10_, action ACCEPT.

2.6) Click the Firewall rule of the third network (in this example Intranet3, i.e. the rule LTA-NETWORK20; see step 2.4 for the naming scheme) to view the parameters of the rule.

An image displaying a complex user interface for network management, showing various settings such as Wireless LAN configurations, firewall rules, DNS communications, and access protocols with various actions like accept or reject listed.

2.7) Copy the values of the following parameters into a text file:

  • Name of this rule
  • Protocols
  • Source
  • Destination
  • Actions
  • Source tag

Screenshot of the firewall rule LTA-NETWORK20: protocols ANY, source LTA-USER, destination ANY LO^NETWORK20_, action ACCEPT, with the rule's priority and tag settings.



3) Customizing and assigning the Add-in:

If necessary, create additional firewall rules for additional LTA users.

3.1) In the LMC, go to the menu Add-ins and click the Add-in imported in Step 1 to open it in the Add-in Editor.

Image of a technical dashboard display showing security status, active sites, and device project specifications with user comments.

3.2) Enter the commands to create the firewall rules and click Save:

The command to create a firewall rule is entered in the following format:

addFirewallRule("<Name of the firewall rule>", "<Protocol>", "<Source>", "<Destination>", "<Action>", "<Source tag>", "<Routing tag>");

  • Firewall rule for the network Intranet2:
    • Enter the values copied in step 2.5 into the command. The routing tag to use is the value specified in the scenario description (in this example the tag 10).
      • The command to create the firewall rule for the Intranet2 is therefore as follows: addFirewallRule("LTA-NETWORK10", "ANY", "LTA-USER", "ANY LO^NETWORK10_", "ACCEPT", "1", "10");
  • Firewall rule for the network Intranet3:
    • Enter the values copied in step 2.7 into the command. The routing tag to use is the value specified in the scenario description (in this example the tag 20).
      • The command to create the firewall rule for the intranet3 is therefore as follows: addFirewallRule("LTA-NETWORK20", "ANY", "LTA-USER", "ANY LO^NETWORK20_", "ACCEPT", "1", "20");
  • Each parameter must be enclosed in quotation marks (") because the Add-in editor passes every parameter as a string.
  • The parameters must be separated by commas (,).
  • Each command must be terminated with a semicolon (;).

Screenshot of a technical configuration interface showing options for adding and editing firewall rules with fields for network settings, IP addresses, protocols, and example rules.
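The two commands above are easy to type by hand, but with several LTA users and several networks the script grows quickly (see the note at the top of this article). The following generator is an added example, not part of this article or of the FirewallRule Add-in: it takes the parameters copied from the rollout preview in steps 2.5 and 2.7 plus the routing tags from the scenario description and emits the addFirewallRule(...) lines in exactly the format shown above. The helper names (validateRule, buildRuleCommand, generateAddinScript), the 0..65535 tag range check and the duplicate-name check are our assumptions, not LMC functionality; the network, user and object names are the ones from the scenario.

```javascript
// Added example (not from the LANCOM article or the FirewallRule Add-in):
// generates the Add-in script for step 3.2. Parameter order as given in the article:
//   addFirewallRule(name, protocol, source, destination, action, sourceTag, routingTag);

// Routing tag of each LTA connection target, taken from the scenario description.
const ROUTING_TAGS = { NETWORK10: 10, NETWORK20: 20 };

// Parameters copied from the rollout configuration preview (steps 2.5 and 2.7).
// The LMC names each rule LTA-<connection target>; "target" records which
// connection target a rule belongs to so its routing tag can be looked up.
// Rules for additional LTA users are appended here exactly as the preview
// shows them; the generator does not guess their names.
const COPIED_RULES = [
  { target: "NETWORK10", name: "LTA-NETWORK10", protocol: "ANY", source: "LTA-USER",
    destination: "ANY LO^NETWORK10_", action: "ACCEPT", sourceTag: 1 },
  { target: "NETWORK20", name: "LTA-NETWORK20", protocol: "ANY", source: "LTA-USER",
    destination: "ANY LO^NETWORK20_", action: "ACCEPT", sourceTag: 1 },
];

// Reject input that would break the command syntax: every parameter is passed
// to the Add-in as a quoted string, so quotes and line breaks are not allowed,
// and an empty value would produce an unusable rule. Returns the routing tag.
function validateRule(rule, routingTags) {
  const label = rule.name || "<unnamed>";
  for (const key of ["name", "protocol", "source", "destination", "action"]) {
    const value = rule[key];
    if (typeof value !== "string" || value.length === 0) {
      throw new Error(`${label}: parameter ${key} is missing`);
    }
    if (/["\r\n]/.test(value)) {
      throw new Error(`${label}: parameter ${key} must not contain quotes or line breaks`);
    }
  }
  if (!Object.prototype.hasOwnProperty.call(routingTags, rule.target)) {
    throw new Error(`${label}: no routing tag known for target ${rule.target}`);
  }
  const tags = { sourceTag: rule.sourceTag, routingTag: routingTags[rule.target] };
  for (const [key, tag] of Object.entries(tags)) {
    // Assumption: LCOS routing tags are 16-bit values, so anything else is a typo.
    if (!Number.isInteger(tag) || tag < 0 || tag > 65535) {
      throw new Error(`${label}: ${key} must be an integer in 0..65535, got ${tag}`);
    }
  }
  return tags.routingTag;
}

// Build one command: all arguments quoted, comma separated, semicolon terminated.
function buildRuleCommand(rule, routingTags) {
  const routingTag = validateRule(rule, routingTags);
  const args = [rule.name, rule.protocol, rule.source, rule.destination, rule.action,
                String(rule.sourceTag), String(routingTag)];
  return `addFirewallRule(${args.map((a) => `"${a}"`).join(", ")});`;
}

// Build the complete script, one command per line. Duplicate rule names are
// refused: the LCOS rule table is keyed by name (assumption), so a second
// command with the same name would not create a second rule.
function generateAddinScript(copiedRules, routingTags) {
  const seen = new Set();
  const lines = [];
  for (const rule of copiedRules) {
    if (seen.has(rule.name)) {
      throw new Error(`duplicate firewall rule name ${rule.name}`);
    }
    seen.add(rule.name);
    lines.push(buildRuleCommand(rule, routingTags));
  }
  return lines.join("\n");
}

// Print the script so it can be pasted into the Add-in editor.
console.log(generateAddinScript(COPIED_RULES, ROUTING_TAGS));
```

Running the block prints the two commands from step 3.2 verbatim; to cover more users or networks, extend COPIED_RULES with the values from the rollout preview and ROUTING_TAGS with the tags from the network configuration, and the generator refuses a rule whose target has no known routing tag rather than silently emitting tag 1.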

3.3) In the LMC, go to the Add-ins menu and click Allocation.

Screenshot of a technical dashboard interface displaying security status, active sites, firewall rules, device information, and IT project specifications.

3.4) Select a network that is assigned to the LTA gateway (in this example INTRANET) and, under Apply Add-ins, select the add-in FirewallRule. Then click Apply.

Screenshot of a network configuration interface showing options to adjust settings on managed devices through Global Addins, with features to select, order, and execute add-ins within an SDN configuration.

3.5) Click Save to complete the assignment.

Screenshot of a technical interface displaying network settings related to add-ins allocation with an active firewall rule for an intranet connection.

Then check the rollout configuration of the two firewall rules (see step 2) to verify that the Add-in set the parameters, in particular the routing tag, correctly.

Screenshots of the two adjusted firewall rules in the rollout configuration, showing protocols, source, destination, actions and the source and routing tags.



4) Roll-out the configurations to the router:

4.1) Go to the Devices menu in the LMC and, for the LTA gateway, click on Outdated under Configuration to start the rollout process.

Image displaying a digital dashboard interface for network and device management, featuring options to add devices, generate activation codes, and configure security settings, along with a table view showing device status, names, model, serial number, site location, IP address, and firmware configurations.

4.2) Confirm the prompt by clicking on Roll out.

Screenshot of a technical user interface asking for confirmation to rollout the configuration settings, with an option for expert settings.

4.3) This concludes the configuration of the scenario. The LTA user can now communicate with all networks.