LinuxQuestions.org
Old 08-13-2010, 12:07 AM   #1
skyanvil
LQ Newbie
 
Registered: Aug 2010
Posts: 2

Rep: Reputation: 0
Routing across a multi-homed router from an OpenVPN tunnel: ping works, ssh doesn't.


I am attempting to wrap up a multi-homed load-balancing project with the addition of an OpenVPN server (see configuration diagram). I am unable to receive anything but pings (ssh/http) from any of the servers in LAN1 when tunneling into Router2/LAN2 from ISP 2. As I am hitting a wall here, I am open to suggestions...

Edit/Update:
Wireshark sniffing the tx/rx of Interface 2 shows my TCP (web) requests going out and responses coming back to interface 2 (Router2). So the issue resides in the configuration of Router2.

Configuration:
Code:
             RemotePC(vpnEndPoint)
                      |
 ISP 1.............Internet................ISP 2         
   |                                         |
Router1                                    Stupid 
   |                                     non-passthru*
  LAN1 (192.168.9.0/24)              modem (192.168.47.1)
  |  |____________________________           |
  |                               |          | 
 PC1                         iface 2      iface 1 
(192.168.9.65)        (192.168.9.120)     (192.168.47.77)   
                              vlan2       vlan1             
                                   Router2(192.168.109.1)     
                                   |   |                      
                                   |   |_(VPN TUN) (10.19.109.0/30) (vpnEndPoint)
                                   |
                                  LAN2 (192.168.109.0/24)
                                   |
                                  PC2
                              (192.168.109.121)
*That's right, I'm talking to you, business class cable...
  • I can tunnel in through Internet2 -> interface 1 and access LAN2 as if I were there.
  • From the VPN tunnel across interface 2 I can ping and receive replies from LAN1. ping works.
    (i.e. ISP2 -> iface1 -> Router2 -> tunnel -> iface2 -> LAN1 )
  • Round-robin load balancing works (however I have it turned off until I get this figured out.)


results of Router2# iptables -nvL
Code:
Chain INPUT (policy DROP 395 packets, 41092 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  br0    *       0.0.0.0/0            192.168.9.120
    0     0 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0
   55  4711 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:998
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 6526  791K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
    0     0 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23 state NEW
  672 40297 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    3   210 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      tun22   0.0.0.0/0            0.0.0.0/0
    1    76 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 wanin      all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0
    0     0 wanout     all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0
    0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    0     0 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 10761 packets, 2762K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain shlimit (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: shlimit side: source
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: UPDATE seconds: 60 hit_count: 3 name: shlimit side: source

Chain wanin (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain wanout (2 references)
 pkts bytes target     prot opt in     out     source               destination
results of Router2# iptables -nvL -t nat
Code:
Chain PREROUTING (policy ACCEPT 1032 packets, 76982 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:998
    0     0 DROP       all  --  vlan1  *       0.0.0.0/0            192.168.109.0/24
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            192.168.49.77       to:192.168.109.1
    0     0 DROP       all  --  vlan2  *       0.0.0.0/0            192.168.109.0/24
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            192.168.9.120       to:192.168.109.1

Chain POSTROUTING (policy ACCEPT 11 packets, 946 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   736 SNAT       all  --  *      br0     192.168.109.0/24     192.168.109.0/24    to:192.168.109.1
   14   958 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0
   10   687 MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 42 packets, 3251 bytes)
 pkts bytes target     prot opt in     out     source               destination
Routes, rules and tables

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.9.1     *               255.255.255.255 UH    0      0        0 vlan2
10.19.109.2     *               255.255.255.255 UH    0      0        0 tun22
192.168.49.1    *               255.255.255.255 UH    0      0        0 vlan1
10.19.109.0     10.19.109.2     255.255.255.0   UG    0      0        0 tun22
192.168.49.0    *               255.255.255.0   U     0      0        0 vlan1
192.168.109.0   *               255.255.255.0   U     0      0        0 br0
192.168.9.0     *               255.255.255.0   U     0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.49.1    0.0.0.0         UG    0      0        0 vlan1


ip rule
0:      from all lookup local
100:    from 192.168.49.77 lookup 100
101:    from all fwmark 0x100 lookup 100
200:    from 192.168.9.120 lookup 200
201:    from all fwmark 0x200 lookup 200
32766:  from all lookup main
32767:  from all lookup default

ip route show table 100
192.168.49.0/24 dev vlan1  scope link  src 192.168.49.77
192.168.109.0/24 dev br0  scope link
127.0.0.0/8 dev lo  scope link
default via 192.168.49.1 dev vlan1

ip route show table 200
192.168.109.0/24 dev br0  scope link
192.168.9.0/24 dev vlan2  scope link  src 192.168.9.120
127.0.0.0/8 dev lo  scope link
default via 192.168.9.1 dev vlan2

Last edited by skyanvil; 08-17-2010 at 10:33 AM. Reason: Added wireshark results, updated diagram, changed to solved
 
Old 08-17-2010, 10:26 AM   #2
skyanvil
LQ Newbie
 
Registered: Aug 2010
Posts: 2

Original Poster
Rep: Reputation: 0
Solution!

After much trial, error, and research... I have managed to get a working solution by not masquerading any connections originating from the tunnel(s) of Router2 with a destination within LAN1 and then placing a static route in the router1 back to the tunnel gateway (Router2) for the tunnel ip subnet.

I am curious why I am able to traverse LAN1 out to the internet using masquerade from the tunnel; however, reply packets (only from within LAN1) answering masqueraded requests that originated in the tunnel of Router1 are blocked (I say blocked since I was never able to verify if the packets were dropped or silently dropped...). Could this be a bug in iptables or conntrack?

i.e. (differences in red)
The following will only work in a non-masqueraded state:
RemotePC(vpnEndPoint)->Internet->Isp2->(interface 1)Router2(vpnEndPoint)->(interface2)->LAN2->PC1

While packets traversing LAN1 out to the internet (internet pass-through) works just fine masqueraded:
RemotePC(vpnEndPoint)->Internet->Isp2->(interface 1)Router2(vpnEndPoint)->(interface2)->LAN2->Router1->Isp1->Internet

Solution:
excerpt from # iptables -nvL -t nat
Code:
Chain POSTROUTING (policy ACCEPT 644 packets, 54030 bytes)
 pkts bytes target     prot opt in     out     source               destination
  673 39221 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0
  360 18106 MASQUERADE  all  --  *      vlan2   192.168.109.0/24     0.0.0.0/0
    4   328 MASQUERADE  all  --  *      vlan2   0.0.0.0/0           !192.168.9.0/24
Static route added to Router1
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.19.109.0     192.168.9.120    255.255.255.0   UG    0      0        0 br0
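The two posts above show the end state (iptables dumps, routing tables, ip rules) but not the commands that produce it. The script below is an added example, not the poster's own configuration: it reconstructs the Router2 policy routing from the first post together with the selective MASQUERADE and the Router1 static route from the solution post, in the order they would be applied. Interface names, addresses, table numbers 100/200, rule preferences 100/101/200/201, fwmarks 0x100/0x200 and the OpenVPN port 998 are taken from the thread. Everything else is an assumption made here: nothing sets the fwmarks (the thread never shows the mangle rule, and load balancing was switched off), OpenVPN input is accepted on vlan1 only, and the FORWARD chain is narrowed instead of the thread's blanket accept from tun22. The `trace_flow` helper is added for the "dropped or silently dropped" question and is likewise not from the thread.

```sh
#!/bin/sh
# Added example, not the poster's own script: a reconstruction of the Router2
# setup implied by the outputs in this thread, plus the Router1 static route
# from the solution post. Addresses, interfaces, tables 100/200, prefs
# 100/101/200/201, fwmarks 0x100/0x200 and UDP 998 come from the thread.
# ASSUMED here: no mangle rule sets the fwmarks (load balancing was off),
# OpenVPN is accepted on vlan1 only, and FORWARD is narrowed rather than
# accepting anything from tun22. DRY_RUN=1 (the default) prints the commands
# instead of running them; DRY_RUN=0 as root applies them.

WAN1_IF=vlan1; WAN1_NET=192.168.49.0/24; WAN1_IP=192.168.49.77; WAN1_GW=192.168.49.1
WAN1_TABLE=100; WAN1_MARK=0x100
LAN1_NET=192.168.9.0/24               # LAN1 behind Router1; Router2's vlan2 sits on it
WAN2_IF=vlan2; WAN2_NET=$LAN1_NET;    WAN2_IP=192.168.9.120;  WAN2_GW=192.168.9.1
WAN2_TABLE=200; WAN2_MARK=0x200
LAN_IF=br0;    LAN_NET=192.168.109.0/24
TUN_IF=tun22;  TUN_NET=10.19.109.0/24; VPN_PORT=998

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One table per WAN: that WAN's link route, the LAN, and a default via its
# gateway. Packets sourced from a WAN address (e.g. OpenVPN replies leaving
# vlan1) or carrying that WAN's fwmark use the table, so they go back out the
# interface they arrived on instead of following the main default via vlan1.
policy_routing() {
    run sysctl -w net.ipv4.ip_forward=1
    for wan in "$WAN1_IF $WAN1_NET $WAN1_IP $WAN1_GW $WAN1_TABLE $WAN1_MARK" \
               "$WAN2_IF $WAN2_NET $WAN2_IP $WAN2_GW $WAN2_TABLE $WAN2_MARK"; do
        set -- $wan    # $1=iface $2=net $3=addr $4=gateway $5=table $6=fwmark
        run ip route replace "$2" dev "$1" src "$3" table "$5"
        run ip route replace "$LAN_NET" dev "$LAN_IF" table "$5"
        run ip route replace default via "$4" dev "$1" table "$5"
        run ip rule add from "$3" lookup "$5" pref "$5"
        run ip rule add fwmark "$6" lookup "$5" pref "$(( $5 + 1 ))"
    done
    run ip route flush cache
}

# Source NAT as in the solution post: everything leaving vlan1 is masqueraded;
# on vlan2 only LAN2 hosts and traffic NOT bound for LAN1 are, so packets from
# the tunnel to LAN1 keep their 10.19.109.x source and LAN1's replies come back
# through the static route installed on Router1 (router1_route below).
nat_rules() {
    run iptables -t nat -A POSTROUTING -o "$WAN1_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -s "$LAN_NET" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" ! -d "$LAN1_NET" -j MASQUERADE
}

# Filter. VPN clients are forwarded only to LAN2 and out through the two WANs
# (LAN1 is reached via vlan2), instead of the thread's "ACCEPT all -- tun22 *".
filter_rules() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    run iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -j ACCEPT
    run iptables -A INPUT -i "$WAN1_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -d "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -o "$WAN1_IF" -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -o "$WAN2_IF" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -j ACCEPT
}

# On Router1: the solution post's static route, so replies to 10.19.109.x are
# sent to Router2's vlan2 address instead of Router1's default gateway.
router1_route() {
    run ip route add "$TUN_NET" via "$WAN2_IP"
}

# For the "dropped or silently dropped" question: TRACE in the raw table logs
# every rule a matching packet traverses (a nf_log backend must be loaded for
# the output to appear), and conntrack -L shows whether a reverse NAT mapping
# exists for the flow at all.
trace_flow() {    # trace_flow <src-cidr> <dst-cidr>
    run iptables -t raw -A PREROUTING -s "$1" -d "$2" -j TRACE
    run iptables -t raw -A PREROUTING -s "$2" -d "$1" -j TRACE
    run conntrack -L -s "$1" -d "$2"
}

case "${1:-router2}" in
    router2) policy_routing; nat_rules; filter_rules ;;
    router1) router1_route ;;
    trace)   trace_flow "$2" "$3" ;;
esac
```

Run it once without arguments to review the Router2 command list, then `DRY_RUN=0 sh router2.sh router2` on Router2 and `DRY_RUN=0 sh router2.sh router1` on Router1. Rule order matters in POSTROUTING: the `-s LAN2` rule must precede the `! -d LAN1` rule, otherwise LAN2 hosts talking to LAN1 would also go un-NATed and Router1 would need a second static route. The narrowed FORWARD chain is a hardening choice for this example; the thread's open question about why masqueraded replies from LAN1 failed is not settled by it.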