Teleport App for VPN Router to Router is not Truly Passing Traffic Like the Teleport Hardware
Noah Leech last edited by Noah Leech
Hi, I have been trying to find a vpn solution to work with my video dilemma. What I want to do is have a VPN device hooked up at any remote location and be able receive multicast video content. So far the solution out there is GRE tunneling on a static site to site solution which will involve re-configuring your router each time you are a different remote location. So thanks to you guys coming up with the Teleport Hardware which does its job, but unfortunately, you guys are discontinuing the hardware. How sad :-(. The Teleport device has its bandwidth limit (varies around 10 Mb down and up), but I do like it as it's truly bridging your connection and passing all traffic that I need back to and from my main location.
Ok, here was my setup with the Teleport Hardware. I have to put my amplifi router in bridge mode as the amplifi router itself does not pass multicast traffic and igmp-proxy even though the latest firmware 3.1.2 supposed to have multicast enable. Unfortunately, they don't have "the multicast settings" needed to work with my service provider, which is pretty simple. I have older routers that can do that within the gui setting that would give you the option to enable multicast (example D-Link DIR-605L). Anyway, my teleport device would connect to my amplifi router (bridge mode) and grabbed the IP from my internet router. Then I was able to pass the multicast test and be able stream from my service provider.
Now since the upgrade of the Teleport app which could do VPN from router to router, I thought it might work the same way as the teleport device, unfortunately, it did not work. Even though from the primary side I allowed the vpn to have access to local network, it still failed to pass the multicast test to view the video content. The attached image shows the setup I have. As you can see, the teleport hardware was able to bridge thru to my device, and it was able to get the ip from my main base internet router. The amplifi router vpn scenario did not bridge thru to my device and so my device was still receiving the LAN IP from the remote amplifi router, and then it would route to a virtual LAN IP that the remote router is getting an assignment from my main base internet router.
On the other hand I setup the test locally (main site). See the attached second image of my main site setup. This scenario the teleport worked flawlessly again. Also, the vpn thru the amplifi router would passed the multicast test and play the video content, but I noticed that the VOD content was not playable. That's because RTSP (Real Time Streaming Protocol) is not in the amplifi router firmware. I found out that the edgerouter RTSP module was not enabled by default. So once I turned that on, my VOD would work. So I'm assuming that Ubiquiti did not implement it in the amplifi router family. So in this scenario, why did multicast work? I'm assuming since my network is globally setup for multicast traffic to push thru, and so somehow the remote amplifi router under vpn mode worked. But I still don't get why the amplifi router when not setup as vpn and just work as a normal router behind my network would not pass the multicast test? That's really strange.
Finally, still at my main location, I took out the second edgerouter x (which act as a remote), and replaced it with MikroTik Router (with no multicast setup to simulate as if i was truly at a remote location). See my third attached image. Same thing as my experience when I was actually at a remote location going thru a different service provider. The pc going thru teleport hardware would work flawlessly, but the pc going thru the vpn tunnel of the amplifi router failed the multicast and VOD test.
So in conclusion, will you guys at Ubiquiti implement an update to the amplifi router to act just like teleport hardware itself on your next update? Or develop an upgraded version of the teleport device, preferably with two ports on it (one port for hardwired WAN option, and second port for LAN)?
Derek Saville last edited by Derek Saville
Hi @Noah-Leech - regarding the first image, what is the model of the Internet Router at a Remote Location?
What IP subnet range is the Internet Router at a Remote Location serving, which must be different from the Primary location?
Is the Teleport VPN (IP 10.10.10.4/24) a HW Teleport paired with the Primary Instant Router?
When you select the PC2 client device within the AmpliFi app for the Remote Instant Router and select Teleport to Remote Router does PC2 indicate it is being Teleported with the icon, but just not routing?
There have been reports of both EdgeRouter and MicroTik routers blocking Teleport rotuer-to-router connections at the remote locations
As a test, if you make the Remote Instant Router the Internet Router at a Remote Location does everything work?
As a test, can you make the Primary Instant Router the Home Router?
I have double NAT'd an HD Router behind an ISP Internet Router at a Remote Location (not an ER or MT) and had Teleport router-to-router working
To replicate a HW Teleport at a remote location you can then add another AmpliFi router behind the double NAT AmpliFi router at the remote location and then use Router-to-Router to Teleport the whole second AmpliFi router as a unit
So two remote AmpliFi routers = HW Teleport
But I don't think it will work behind an EdgeRouter or MicoTik based on reports
Did you guys figure what needed to be configured on an EdgeRouter to let Teleport router-to-router work?
Noah Leech last edited by Noah Leech
Thanks for the reply. The first image is a generic representation of the the internet router I was at. I didn't think it's relevant. I travel a lot and so I use the Teleport Hardware (NOT the amplifi router or the teleport app) at lot to dial back to my home base. The teleport hardware worked like it should. Since I go to hotels and different work places, I do not know what make or model of the internet connection I'm connected to. The first image I used is a generic scenario. So basically, Teleport Hardware is paired to the Instant Router (in bridge mode) at the home base. The Teleport Hardware is able to tunnel (like a GRE Tunneling) back to the Instant Router at the home base, and the Home Internet router is able to pass on the 10.10.10.x address to the Teleport hardware and PC1. Ont the Other Hand PC2 is hardwired to the remote Instant Router with the LAN IP of 192.168.1.1/24, and it's passing out 192.168.1.2 to PC2. So through the Teleport App, the remote Instant Router is able to create a VPN to PC2, but PC2 is not really getting actual home base LAN IP of 10.10.10.x. So from the home base Instant Router, I allowed local access to PC2. So in a sense PC2 IP of 192.168.1.2 is routing to the next hop within the remote Instant Router on the VPN IP of 10.10.10.3. PC2 can see or ping devices on the 10.10.10.x. So local access is fine & internet is fine, but when it tries to dial to the Multicast/VOD service provider going thru the home base internet router, it fails the multicast test & RTSP test. In order for me to use the content from the Multicast\VOD service provider, I need to be on my home base network. So that's why the VPN comes into play when I am off network. Hopefully, that clears up some confusion. So basically, I would like to see if in the future an update to the amplfi routers that would allow a true bridge VPN. Or better yet another development of a better Teleport Hardware preferably 2 ethernet ports, one for WAN and one for LAN. It's a shame that the Teleport Hardware is discontinued. It has it's limitation and minor glitches, but it does its job when comes to VPN bridging.
Also to mention, that the Edgrouter X that I used is configured for multicast and RTSP setup, but I don't understand why the amplifi router itself does not have the capability to be modified the same way. Ubiquiti needs to put in a back door for advanced users to access thru the CLI command. Of course the amplifi router would pass multicast traffic if it was in bridge mode, but not in normal routed mode.
Hi @Noah-Leech - thanks for the explanation and I understand now
Yes, with router-to-router only the router gets an VPN IP address and seems to act as a proxy for the clients
I hope they implement your requested updates
It would be great if they would release firmware to re-purpose an HD or Instant into an improved HW Teleport, but I doubt it will happen
Have you looked into if WireGuard can support multicast?
Derek, So I have nearly exactly the same problem as @Noah-Leech . I have tried using the Teleport app and it does not truly provide access to main location and network. And as a result, I am still need to use the Teleport Hardware device - I have even tried both the Router-to-Router and the remote when traveling. The Amplifi HD and Teleport combination was a great product, that I put my parents and wife's parents on it so I can manage when needed. Extremely disappointed to see this is going to be discontinued. And sadly for this reason it has convinced me not to upgrade to the new Alien router, Anyway to get the message into the development team.
I have tried using the Teleport app and it does not truly provide access to main location and network.
I agree that the HW Teleport is a great product and I previously had HD+Teleport combos set up for remote management
The Teleport App and Router-to-Router are not a true replacement for the HW Teleport, no question, especially when traveling and needing to get through portals
For my usage they come close and I have switched to Alien installations, but let's see if we can get AmpliFi to do better
For discussion, I am going to call "Home" the location that is acting as a Teleport server where, in general you are trying to Teleport To, and "Remote" as the location where your client is trying to Teleport From
Unfortunately the Teleport App only works on iOS and Android, which cannot be extended to hot spots, and is having some issues with certain cellular carriers and IPv6, which I believe AmpliFi is working on to resolve
With the Teleport App on iOS (what I use) a Teleport connection does obtain an IP address from the Home network DHCP server for the Remote client, but utilizes a 'random' MAC address from the AmpliFi back end servers, so you cannot reserve a fixed IP address on your Home Router (to my knowledge), but you can see what IP address the client has been assigned in the AmpliFi app, or also in the case if iOS, in the VPN Settings
As long as you have Local Network ACCESS enabled, your Remote client can access the Home network, and I routinely login to the Home ISP router (my Home AmpliFi router is in Bridge mode) and other Home resources from an iPad or iPhone
If you use Router-to-Router Teleport, it is very similar, but only the Remote router obtains an IP address from the Home network DHCP server, and it then acts as a proxy for Remote clients
This is one of the reasons why Router-to-Router requires an Ethernet connection and to operate in DHCP mode with a different subnet, double NAT if necessary, so that it can act as this proxy server instead of just opening a L2TP VPN connection
The IP address is again assigned to a 'random' MAC address from the AmpliFi back end servers, so you cannot reserve a fixed IP address, but you can see what IP address the Remote router has been assigned, although this is probably of little use
Only the actual VPN client is receiving Home IP addresses, and in the case of Router-to-Router, any Remote client is being proxy served
If you have Local Network ACCESS enabled, the Remote router can fully access the Home network on behalf of the proxy clients, but it is difficult for any clients on the Home network to identify and communicate with the Remote Teleport clients and it is not passing multicast traffic or working as an IGMP proxy
Is all of that correct @UI-Brett?
This is different from the HW Teleport, which I recall is also using the AmpliFi back end servers for the VPN connection generated by a 'random' MAC address, but instead of acting as proxy server, Remote clients are being passed via L2TP to the Home Network, and being served by the Home Router?
Is that correct @UI-Brett? (I don't recall how things were finally working for the HW Teleport after all of the changes to implement the Teleport App)
And this is the cause of the issues that @Noah-Leech is experiencing for his particular use case
Is this also what you need as well @G-Man?
The HW Teleport is unique because it first opens a VPN connection, and then it acted a pseudo 3rd party mesh point
But you could also create a Home network Ethernet backhaul RAMP and run that behind the HW Teleport to truly extend your actual Home network abroad, which I liked to do
I have switched over to Alien routers for their additional cpu power, so I no longer have HD's as Teleport servers to test things out again
Hi @UI-Brett - would you be willing to test "double stacking" HD or Instant routers, the first acting as the Remote router for a Router-to-Router Teleport connection, and the second being an Ethernet backhauled RAMP to the Home router to see if the proxy server is passing AmpliFi's mesh protocol correctly?
I thought we had tested this before, but things may have changed?
What I recall was the only way to replicate a HW Teleport using an Ethernet connection was to double stack another Ethernet backhauled RAMP behind it
But that really isn't a viable replacement for a HW Teleport, especially for traveling for those that need a Router-to-Router connection
Could you please look into improving the Router-to-Router proxy to pass multicast IGMP traffic which seems to be missing or broken?
Or allow for a true L2TP Router-to-Router VPN connection instead of using a proxy server (assuming what I have described above is correct)?
Or we could really use a firmware update to re-purpose HD or Instant routers into HW Teleport replacements!
You have all of the ingredients of 3rd Party Router Mesh Point mode, Bridge Mode, the improvements for getting through portals, the VPN code, etc., and a HW Teleport was basically a standard AmpliFi router with some specialized software...
Thanks @Derek-Saville for the reply - really appreciate it. So I concur with the terminology of "Home" and "Remote". And my household is apple ecosystem, except the Amplifi.
My Amplifi router is not in bridge mode, it is connected to the ISP modem to the internet.
Remote Access enabled - and when connecting, I go in and click the slider to enable local access.
The usage have in most cases is access devices on Home network such as either of the Mac write and read files, print files, or allow some parental control changes temporarily when I am not at home. Even if I am using an iPad I cannot seem to access any devices.
I really liked the concept of the Amplifi teleport app, not an extra device to carry around, but in this case I am as it is the tried and true old faithful - has never failed me.
Also to note: I have tried the router to router (I have a ampifi router in my vacation home as well) connection and the simple device - still not able to make this part work. Especially from my mac - when stated in the family to connect
When I do use the teleport app, sure it works in terms of Geo IP fencing (ex: Netflix) - but seems to be the extent.
I must really be missing something here.
I will look to here from @UI-Brett for any additional items. Is it possible to update the app and to have some secret sauce software built in to the HW Teleport.
Also one more interesting item, I should mention - not sue if it is relevant. When I am looking to connect router to router. It seems I need to tap the Teleport to remote router more than once. The first time, I select the router - and I do not get the enter code screen. I need to tap it a second time, then I will get the code screen.
would you be willing to test "double stacking" HD or Instant routers, the first acting as the Remote router for a Router-to-Router Teleport connection, and the second being an Ethernet backhauled RAMP to the Home router to see if the proxy server is passing AmpliFi's mesh protocol correctly?
You are correct, when we tested this, we found that you could successfully configure a second stacked HD in a double NAT, and select the entire router to be Teleported which moved all devices using the stacked HD instead of having to Teleport each device individually.
The first time, I select the router - and I do not get the enter code screen. I need to tap it a second time, then I will get the code screen.
If your AmpliFi routers are all managed by your remote access account, then you should not need a Teleport code, just select it from the list of your networks. The code option is for devices that are not linked to your account. Are all of your locations managed using the same remote access account?
I will look into this further to discover why you cannot access files from your Mac remotely.
Some of the issues described are by design, but not by choice but by layer limitation. The Teleport HW is L2, but Teleport app and even R2R is L3. Yes, the Teleport hardware does have its major benefits and the R2R and Teleport app are not 100% replacement options, but we are still working on expanding and enhancing both of these features to suit most use cases. However, We can't make the Teleport app a L2, so there will always be some use cases we cannot accommodate.
Hi @UI-Brett - thanks for the feedback
The issues @Noah-Leech was having in the original post was related to multicast IGMP traffic
Can that be passed over L3, at least with R2R?
When we tested before, I don't recall if the stacked router was just a standalone Bridged device, or configured as a RAMP
Can an Ethernet backhaul RAMP connect back to the Home network over L3 "double stacked"?
Or does it require L2?
If L2, would you consider a special case for getting a RAMP to work through a R2R connection?
@UI-Brett thank you for the response. I will continue keep working this out. So I did check this out again and tried both ways, where I did not enter the code and where I did enter the code.
One difference I observed on the router I am connecting to. If I did not enter the code, the device is pictured dimmed ( faint )
However when I enter the code the device is pictured same intensity as is the router I am connecting to.
Hope this description makes sense.
@G-Man Did you perform a factory reset on your router in the past, then reconfigured with the same network credentials?
If you enabled that device on remote access, the performed a factory reset, the old configuration will be listed in your list of devices until removed, and the new configuration (with the same name) will needed to be added to remote access once again.
@UI-Brett on one router yes, but I figured that one out quite some time ago. Hmmmm ok, well I will take that as not the way we can resolve what I originally came on here for.
But thank you for following up on that.
@G-Man So I am still researching and testing file access like yu reported, I just do not have an answer yet but I will be reporting back on here when I have more.
LAN access will be required for what you described, and just to confirm, you have given LAN access to the Teleported devices correct?
This is described in step 9 of this article: Teleport Router to Router
@UI-Brett , yep step by step. However step 7 is the odd one. I do not get that screen enter teleport code screen initially when tapping on the "Teleport to remote Router"
@G-Man Can you access your devices via their IP addresses? For example, for file sharing on the iMac try to connect to your share drive with IP instead of hostname.
@UI-Brett So I am able to get on the network and ping and traceroute. seems fine there. So I decided to try something different. Since my wife's phone is paired to my in-laws DVR and see if the device can now read what is on the DVR. as it can when it is on the same network - strange stuff. It recognizes that they are connected, but cannot read items on the DVR. - I am going to keep plugging away on this.