Your Teltonika Router Has a Public IP SIM. Here Is Why That Is a Problem – and How to Fix It.

The Problem With Public IP SIMs in IoT

When an IoT SIM is described as having a “public IP”, it means the SIM is assigned an IP address that is routable on the public internet – either static (always the same) or dynamic (changes on each connection or periodically). Either way, any device connected to that SIM, and any device on a network behind a router using that SIM, is potentially reachable from anywhere in the world.

This is often sold as a feature. And for certain use cases – where you need to initiate inbound connections to a device, or where you are running your own VPN server infrastructure and can control access properly – it can be. The problem arises when a public IP SIM is used as a convenience shortcut in place of a properly designed remote access architecture. And in the world of cellular IoT, that happens constantly.

The typical failure scenario looks like this: an installer fits a Teltonika RUTX11 or RUT241 to a battery energy storage system. They set up port forwarding so the monitoring team can access the BMS web interface on port 80 and the Modbus TCP gateway on port 502. They change the router’s admin password. They put the public IP in a spreadsheet. They drive away. Nobody ever thinks about it again – until something goes wrong.

What Shodan Sees – and What Attackers Do With It

Shodan is a publicly accessible search engine that indexes internet-connected devices by scanning for open ports and grabbing service banners. It is a legitimate security research tool, and it is also freely used by attackers to find targets. If your Teltonika router has a public IP and has any ports open – including the default WebUI port 80/443, SSH on port 22, or any port-forwarded service – there is a high probability it is indexed on Shodan.

A typical Shodan result for an exposed Teltonika router will show the device model, the firmware version banner, and which ports are open. From a model and firmware version, an attacker knows exactly which CVEs to try. From an open port 502, they know there is a Modbus device accessible. From port 102, it is S7comm (Siemens PLC). From port 44818, EtherNet/IP. These are industrial protocols with minimal or no authentication built in – they were never designed to face the public internet.

Once a device is found, automated attack tools run through several phases: credential stuffing using default and common passwords, protocol-specific exploitation, and in the case of industrial protocols, direct command injection to the downstream device. The Teltonika router itself may survive this unscathed – but the BMS, PLC, or controller behind it may not.

Real-World Impact: When a BMS Controller Locks Up at 2am

Battery management systems, building energy management systems, and industrial controllers often have a self-protection mechanism built in: after a configurable number of failed authentication attempts, they lock the account, disable the communication port, or in some cases halt the process entirely and require a manual reset. This is sensible security design for a device that expects to sit inside a protected network. It is catastrophic when that device is exposed to the internet and brute-force attempts are arriving at thousands of attempts per minute.

The consequences are not theoretical. An energy storage system that halts due to a brute-force lockout will stop charging and discharging at the grid. If it was providing frequency response services, it drops off the grid at exactly the moment it was contracted to stabilise it. If it was providing peak shaving to an industrial facility, the facility’s demand charges spike. If it was keeping a hospital’s backup power topped up, someone is now worried about the state of those batteries. The financial and safety implications can be severe – and the root cause is a port forwarding rule that nobody thought to restrict.

How Private IP SIM Pricing Actually Works

Private IP SIMs are typically available from specialist IoT MVNO providers and some of the main network operators through their IoT divisions. The pricing model varies significantly and it is worth understanding what you are actually paying for before committing.

The SIM itself may cost no more than a standard data SIM. The cost that catches people out is the VPN infrastructure. Some providers charge a one-off setup fee per VPN connection – and for a single SIM deployment, this can be disproportionate. Fees of £50 or more for a single-SIM OpenVPN setup are not uncommon from some IoT MVNO providers. If you are deploying a fleet of 100 SIMs and paying one setup fee, that is sensible. If you are connecting one BMS controller in a building, it may price the solution out of reach.

When Private IP SIM Is the Right Answer

Private IP SIM is the cleanest choice when: the SIM provider’s pricing is reasonable for your deployment scale; you need to satisfy a compliance requirement that mandates network-layer isolation; you are connecting devices with no built-in authentication (Modbus TCP, raw serial-over-IP); or you are deploying in a sector where a security audit is likely. It is also worth considering when the end customer has a security-conscious IT or OT team who will ask how the device is protected – “it’s behind a private IP SIM with a managed VPN” is a cleaner answer than a lengthy explanation of firewall rules.

The following sections walk through each layer of the hardening process in order of priority. Apply them in sequence. Do not skip to the VPN section without completing the firewall steps first.

Firewall Hardening – Block All Inbound by Default

The most important single change you can make to a Teltonika router on a public IP SIM is to set the default inbound firewall policy to DROP, and then selectively allow only the specific traffic you intend to permit. This is the “default deny” principle, and it is the foundation of every properly designed network security policy.

Teltonika’s RutOS (the operating system on all RUT/RUTX/TRB series devices) uses an iptables-based firewall with a web interface under Network > Firewall. By default, the WAN zone (your SIM interface) is set to reject inbound connections – but this default can be less comprehensive than it appears, particularly when port forwarding rules are in place. You need to verify and tighten it explicitly.

Setting Up OpenVPN Server on Your Teltonika

With the firewall locked down, the next step is to establish your controlled access channel. OpenVPN is the most widely supported VPN protocol, compatible with every major operating system and a large number of monitoring platforms. Teltonika’s RutOS has a mature OpenVPN server implementation accessible through the WebUI.

In this configuration the Teltonika router acts as the VPN server. Remote users (engineers, monitoring stations) connect as VPN clients. Once connected, they can reach the LAN-side devices through the VPN tunnel as if they were physically on the LAN. All access is authenticated, encrypted, and logged.

WireGuard – The Faster, Leaner Alternative

WireGuard is a modern VPN protocol that is significantly simpler in design than OpenVPN, uses state-of-the-art cryptography by default, and has considerably less code surface area – which translates to fewer potential vulnerabilities. It is also noticeably faster in terms of handshake time and throughput, which matters for latency-sensitive applications like real-time BMS monitoring dashboards.

Teltonika added WireGuard support to RutOS from firmware version 7.x onwards, and it is now available across the RUTX and RUT series. WireGuard uses a public/private key pair for each peer – no certificate authorities, no CRLs, just keys.

IP Whitelisting for Monitoring Companies and NOC Access

Some monitoring scenarios require a persistent, always-on connection rather than an on-demand VPN tunnel. A NOC that needs to poll your BMS every 60 seconds cannot rely on an engineer manually connecting a VPN client before each poll cycle. In these cases, IP whitelisting – allowing inbound connections only from specific known IP addresses – is a practical solution combined with proper firewall rules.

Adding a Whitelisted IP Rule in RutOS

Under Network > Firewall > Traffic Rules, add a rule that allows inbound traffic from a specific source IP to a specific destination port. For example, to allow a monitoring company to poll a Modbus gateway on port 502:

• Name: allow-monitoring-modbus
• Source zone: WAN
• Source address: [monitoring company’s static IP]
• Destination zone: LAN
• Destination address: [BMS device LAN IP]
• Destination port: 502
• Action: ACCEPT

For sites where multiple parties need access, create a separate named firewall rule for each party. This gives you the ability to revoke a specific party’s access by disabling a single clearly-named rule without affecting anyone else. Keep a register reviewed at least annually and whenever a contractor relationship ends.

If You Must Use Port Forwarding – Do It Properly

The strongest recommendation in this guide is to eliminate port forwarding to LAN devices entirely and replace it with VPN access. However, legacy systems, third-party monitoring contracts, or client requirements sometimes make this unavoidable in the short term. If that is your situation, apply every one of the following controls.

Teltonika Threat Prevention and Attack Detection

Teltonika’s RutOS includes several built-in security features worth enabling as part of a hardened deployment. These are not a substitute for the firewall and VPN configuration described above, but they provide additional layers of detection and active protection.

Attack Prevention

Under Network > Firewall > Attack Prevention, RutOS provides configurable protection against SYN flood attacks and port scan attempts. SYN flood protection limits the rate at which new TCP connection requests are accepted. Port scan detection identifies and blocks source IPs exhibiting scanning behaviour. Enable both as a baseline – the default thresholds are a reasonable starting point.

SSH Brute Force Protection

Under System > Administration > Access Control, enable the built-in brute force protection. This uses fail2ban-style logic to block IP addresses that fail SSH authentication a defined number of times within a time window. Three failed attempts within five minutes is a sensible starting point.

Default Credentials – the Non-Negotiable Baseline

Change the default admin password immediately on every device before it goes onto a network. Use a unique password per device – not a shared password across your fleet. Store credentials in a password manager, not a spreadsheet. For SSH, disable password authentication and use key-based authentication only.

Keeping Firmware Updated

Teltonika releases firmware updates regularly, including security patches for vulnerabilities in RutOS itself and in underlying components such as OpenSSL and the Linux kernel. Enable automatic update notifications or use Teltonika RMS to manage firmware across your fleet. Always verify your security configuration after a firmware update – firewall rules and VPN configurations should be checked, as major version upgrades can reset some settings to defaults.

Teltonika RMS – Remote Management That Works With Any SIM

The outbound connection from the router on port 15009 (or 443 as a fallback) to the RMS servers is all that is needed. You do not need to open any inbound ports to use RMS for device monitoring and management. RMS provides remote access to the router’s WebUI, SSH access, and VPN-based access to LAN devices – all proxied through the RMS cloud infrastructure, all authenticated through your RMS account credentials.

What You Can Do With RMS

• Remotely access the router’s WebUI from any browser, with RMS handling the authentication and tunnel
• Push firmware updates to individual devices or entire fleets, scheduled or immediate
• Receive alerts for device offline events, signal quality degradation, and data usage thresholds
• View real-time and historical signal quality, data usage, and device status
• Execute custom scripts and commands via SSH through the RMS console
• Manage device configuration profiles and push configuration changes remotely
• Access LAN-side devices through RMS VPN tunnels

Does RMS VPN Work With a Dynamic Public IP SIM?

Yes – and this is one of the most important points in this guide for anyone managing a mixed fleet of SIM types.

RMS VPN creates an on-demand peer-to-peer VPN tunnel, brokered through the RMS cloud infrastructure, between your management device and the Teltonika router. Because the connection is brokered rather than direct, the router’s WAN IP address is irrelevant. The router has already established its outbound connection to the RMS servers. When you initiate an RMS VPN session from the portal, the RMS infrastructure instructs the router to establish a VPN tunnel endpoint, and connects your management device to that endpoint through the cloud.

RMS VPN for Engineer Access

RMS VPN is well-suited to the on-demand access pattern used by field engineers and technical support teams. An engineer opens the RMS portal, locates the device, initiates a VPN session, and is connected to the router’s LAN within seconds – regardless of the router’s current WAN IP or SIM type. When the session is closed, the tunnel tears down cleanly. This sidesteps the dynamic IP problem entirely for human-initiated access.

RMS VPN for Persistent Monitoring Station Access

For monitoring stations that need continuous, always-on access to poll devices at regular intervals, RMS VPN’s on-demand model is less suitable – it is designed for human-initiated sessions, not persistent machine-to-machine tunnels. For persistent monitoring access, the options are:

• Static public IP SIM + self-hosted VPN server on the Teltonika – clean and direct, but requires a static IP SIM.
• Private IP SIM + provider VPN infrastructure – no exposure on the public internet at all.
• Dynamic public IP SIM + DDNS + self-hosted VPN – workable but fragile. DDNS record must update faster than the polling interval after an IP change, which is not always guaranteed.
• Source IP whitelisting to a LAN service – pragmatic if the monitoring station has a static IP and the polled protocol has application-layer authentication.

Using Dynamic DNS With a Dynamic Public IP SIM

If you are running a self-hosted VPN server on a Teltonika with a dynamic public IP SIM, DDNS is a practical workaround. RutOS has a built-in DDNS client under Services > Dynamic DNS supporting multiple providers including No-IP, DynDNS, and Cloudflare. The router automatically updates the DNS record when its WAN IP changes. The key limitation is the update delay – typically 60 to 300 seconds after a reconnection – during which connections will fail. Acceptable for engineer access; potentially problematic for high-frequency automated monitoring.

Setting Up Alerts and Logging

A hardened router that generates no alerts still leaves you flying blind about what is happening on the WAN interface. Configure the following as part of every deployment.

Email and SMS Alerts

Under Services > Events Reporting, configure notifications for: WAN connection state changes; login attempts to the WebUI; SSH login attempts; firewall rule triggers on specific rules; and data usage threshold breaches. Unexpected data usage spikes are often the first visible indicator of a compromised or misconfigured device – if your device normally uses 50MB per day, set an alert at 200MB.

Syslog to a Remote Server

RutOS supports forwarding system logs to a remote syslog server under System > Administration > Troubleshoot > System Log. Route Teltonika logs to a SIEM or syslog collector if one is in use. This gives you a tamper-resistant record of events, since logs stored only on the router can be cleared if the router is compromised.

RMS Monitoring and Alerts

Within the RMS portal, configure offline alerts for every managed device. An unexpected device going offline during business hours is a security-relevant event as well as an operational one. RMS alert configuration is managed centrally in the portal rather than needing to be set on each device individually.

Hardening Checklist

Use this checklist for every Teltonika deployment on a public IP SIM. It represents the minimum acceptable configuration for a device connected to operational equipment.

Summary – Which Approach Is Right for You?

The underlying principle across all scenarios is the same: the public internet should never have a direct, unauthenticated path to your operational devices or to the management interfaces of the routers protecting them. Whether you achieve that through network-layer isolation (private IP SIM) or through router-level controls (hardened Teltonika with VPN), the destination is the same. The path you take is a commercial and operational decision.

If you are currently running Teltonika routers on public IP SIMs with port forwarding to LAN devices and no VPN in place, this guide describes the remediation path. The work is achievable in a few hours per site for an engineer familiar with RutOS. The alternative is leaving operational systems exposed to a threat landscape that is automated, persistent, and increasingly targeted at exactly the kind of low-visibility industrial IoT devices that populate the energy, facilities, and utilities sectors.

Further Reading – Official Teltonika Wiki References

The links below point to the official Teltonika Networks wiki. The RUT200 is used as the reference device throughout – it is one of the most widely deployed low-cost 4G routers in the UK and is frequently installed with a public static IP SIM as the path of least resistance for remote access. If you are using a different model, substitute the model prefix in the URL: RUTX11, RUT241, RUT906, RUTX50 and so on all follow the same pattern.

Firewall and Attack Prevention

Access Control – Locking Down WebUI and SSH

VPN – OpenVPN and WireGuard Server Setup

Dynamic DNS – Keeping a Hostname for a Dynamic IP SIM

Alerts and Events Reporting

Teltonika RMS – Remote Management System