LinuxQuestions.org
Old 05-19-2013, 08:50 PM   #1
^andrea^
Member
 
Registered: Mar 2011
Distribution: Arch Linux
Posts: 53

Rep: Reputation: 0
"One way" routing problems across subnets through openVPN


Hi All,

As the title states, I have some routing problems across two subnets joined by openVPN (as the two LANs are in different cities).
The curious thing is that the routing problems affect only some hosts (and their virtual machines) on only one of the two subnets.

Bear with me while I try to explain my setup and debugging methods as clearly and briefly as possible.

As mentioned the two subnets are in different cities.
CityM: 192.168.20.0/24
CityL: 192.168.5.0/24

In each LAN I have a main server (proxmox, Debian based) which I use to run the several virtual machines (either openvz or kvm) I need.
CityMProxmox: 192.168.20.33
CityLProxmox: 192.168.5.33

To join these two networks and share their resources I'm using openVpn.
OpenVpn is not installed on the main servers (I always try to install as little as possible on them)
but it's installed on two Zentyal (Ubuntu 12.04 based) KVM virtual machines which give me some nice features.
CityMZentyal: 192.168.20.176
CityLZentyal: 192.168.5.176

In the OpenVpn configuration, CityMZentyal is the server with IP 192.168.25.1,
while CityLZentyal is the client with IP 192.168.25.2.

---------------------------------------------------

NOW THE ISSUE!!!

---------------------------------------------------

From CityM I can do anything.
From CityL I can connect to some machines like the router (192.168.20.1) and CityMZentyal (at the address 192.168.20.176)
but not CityMProxmox (or any of its virtual machines).

To focus on one problem I started to debug the issue between the two main servers.

--- --- --- --- --- --- --- --- --- --- --- --- ---

If I PING "FROM CityMProxmox TO CityLProxmox" I get:

root@CityMProxmox:~# ping 192.168.5.33
PING 192.168.5.33 (192.168.5.33) 56(84) bytes of data.
64 bytes from 192.168.5.33: icmp_req=1 ttl=61 time=60.8 ms
64 bytes from 192.168.5.33: icmp_req=2 ttl=61 time=61.0 ms
64 bytes from 192.168.5.33: icmp_req=3 ttl=61 time=62.2 ms
^C
--- 192.168.5.33 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 60.886/61.405/62.234/0.657 ms

All good!

--- --- --- --- --- --- --- --- --- --- --- --- ---

But doing the opposite, "FROM CityLProxmox TO CityMProxmox", I get:

root@CityLProxmox:~# ping 192.168.20.33
PING 192.168.20.33 (192.168.20.33) 56(84) bytes of data.
^C
--- 192.168.20.33 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 5999ms

Nothing at all!

--- --- --- --- --- --- --- --- --- --- --- --- ---

The other strange thing for me is that TRACEROUTE works as expected both ways.

Traceroute "FROM CityMProxmox TO CityLProxmox":
root@CityMProxmox:~# traceroute 192.168.5.33
traceroute to 192.168.5.33 (192.168.5.33), 30 hops max, 60 byte packets
1 192.168.20.1 (192.168.20.1) 0.344 ms 0.457 ms 0.573 ms
2 192.168.20.176 (192.168.20.176) 0.943 ms 0.972 ms 1.083 ms
3 192.168.25.2 (192.168.25.2) 53.017 ms 60.363 ms 60.560 ms
4 192.168.5.33 (192.168.5.33) 60.680 ms 62.028 ms 62.227 ms

--- --- --- --- --- --- --- --- --- --- --- --- ---

Traceroute "FROM CityLProxmox TO CityMProxmox":
root@CityLProxmox:~# traceroute 192.168.20.33
traceroute to 192.168.20.33 (192.168.20.33), 30 hops max, 60 byte packets
1 192.168.5.1 (192.168.5.1) 0.434 ms 0.540 ms 0.722 ms
2 192.168.5.176 (192.168.5.176) 1.263 ms 1.322 ms 1.351 ms
3 192.168.25.1 (192.168.25.1) 55.348 ms 55.035 ms 55.740 ms
4 192.168.20.33 (192.168.20.33) 56.737 ms 56.862 ms 57.148 ms

--- --- --- --- --- --- --- --- --- --- --- --- ---

At this point I've started playing with TCPDUMP to figure out where the packets get lost, and I've found out that
the pings are actually reaching CityMProxmox but get lost on the way back.

In fact on CityMProxmox I get:

root@CityMProxmox:~# tcpdump -nnSi vmbr0 icmp and \(src 192.168.5.33 or dst 192.168.5.33\)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
02:43:03.777090 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 1, length 64
02:43:03.777107 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 1, length 64
02:43:04.776495 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 2, length 64
02:43:04.776510 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 2, length 64
02:43:05.776549 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 3, length 64
02:43:05.776565 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 3, length 64
02:43:06.776844 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 4, length 64
02:43:06.776859 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 4, length 64
02:43:07.776599 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 5, length 64
02:43:07.776615 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 5, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel

--- --- --- --- --- --- --- --- --- --- --- --- ---

On CityMZentyal instead I get:

root@CityMZentyal:~# tcpdump -nnSi any icmp and \(src 192.168.5.33 or dst 192.168.5.33\)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
02:59:48.729392 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 1, length 64
02:59:48.729420 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 1, length 64
02:59:49.729116 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 2, length 64
02:59:49.729130 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 2, length 64
02:59:50.728862 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 3, length 64
02:59:50.728876 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 3, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel


NO "ICMP echo reply"! There are the REQUESTS ONLY!
(The packets are showing up twice as I put "-i any". They probably appear on different interfaces, therefore I believe it's correct.)

Where did the REPLIES go?!?

--- --- --- --- --- --- --- --- --- --- --- --- ---

As far as I know there shouldn't be any firewall in the way blocking the traffic.


What puzzles me is the fact that if I ping FROM CityMZentyal TO CityLZentyal everything looks good but, if I do the opposite,
the packets can't find their way back.
How come?


Can anyone suggest a way to debug this further (or better)?
Any idea would be much appreciated!

If you managed to read up to this point, WOW! Thanks! :-)

Andrea
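An added example, not code from the thread: a small parser over the tcpdump lines quoted above that pairs ICMP echo requests with replies by (id, seq) at each capture point, which is the comparison the post makes by eye. The sample lines are the first packets of the two captures above (the doubled request lines are what "-i any" produces); the capture points are checked in the order the reply should cross them.

```python
import re
from collections import defaultdict

# Capture lines copied from the thread: first what CityMProxmox saw on vmbr0,
# then what CityMZentyal saw on "any" (each request shows twice there because
# -i any reports it on both interfaces it crosses).
CAPTURES = {
    "CityMProxmox": """
02:43:03.777090 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 1, length 64
02:43:03.777107 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 1, length 64
02:43:04.776495 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 2, length 64
02:43:04.776510 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 2, length 64
""",
    "CityMZentyal": """
02:59:48.729392 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 1, length 64
02:59:48.729420 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 1, length 64
02:59:49.729116 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 2, length 64
02:59:49.729130 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 2, length 64
""",
}

# One tcpdump ICMP echo line, as printed with -nn (no name resolution).
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Yield (kind, src, dst, id, seq) for every ICMP echo line tcpdump printed."""
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if m:
            yield m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])


def echo_pairs(text):
    """Group packets by (id, seq): {(id, seq): {"request": n, "reply": n}}.
    Counts rather than booleans keep the -i any duplicates visible."""
    seen = defaultdict(lambda: {"request": 0, "reply": 0})
    for kind, _src, _dst, ident, seq in parse_capture(text):
        seen[(ident, seq)][kind] += 1
    return dict(seen)


def missing_replies(text):
    """(id, seq) keys requested at this capture point but never answered there."""
    pairs = echo_pairs(text)
    return sorted(k for k, c in pairs.items() if c["request"] and not c["reply"])


def locate_loss(captures, order):
    """Walk the capture points in the order the reply should traverse them and
    return the first one where requests were seen but no reply came through."""
    for point in order:
        lost = missing_replies(captures[point])
        if lost:
            return point, lost
    return None, []
```

Run over the thread's captures, the walk stops at CityMZentyal: replies are generated on CityMProxmox but none of them arrives at the VPN host.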
 
Old 05-20-2013, 02:49 AM   #2
nyshtyak
Member
 
Registered: Nov 2008
Distribution: Arch
Posts: 38

Rep: Reputation: 2
I'd check that IP forwarding is enabled on CityMZentyal.
Then it could be a good idea to compare routing tables for similar servers on both sides (proxmoxM/proxmoxL, zentyalM/zentyalL). If you have a symmetrical configuration your routes should be symmetrical too.

Don't be confused with ping/traceroute behavior difference. These utilities work in a slightly different manner.
 
Old 05-20-2013, 04:55 AM   #3
tux111
Member
 
Registered: Oct 2012
Location: Germany
Distribution: Xubuntu
Posts: 81

Rep: Reputation: Disabled
This looks like an iptables issue. Could you post all iptables rules? Especially the NAT / Postrouting table?
 
Old 05-20-2013, 05:03 AM   #4
^andrea^
Member
 
Registered: Mar 2011
Distribution: Arch Linux
Posts: 53

Original Poster
Rep: Reputation: 0
I would say that the only asymmetrical part should be CityMZentyal (being the openVPN server)
and CityLZentyal (being the openVPN client).

--- --- --- --- --- --- --- --- --- --- --- --- ---

IP forwarding seems to be enabled on CityMZentyal:
root@CityMZentyal:~# cat /proc/sys/net/ipv4/ip_forward
1

--- --- --- --- --- --- --- --- --- --- --- --- ---

CityMZentyal ROUTES:
root@CityMZentyal:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.0     192.168.25.2    255.255.255.0   UG    2      0        0 tap1
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.24.0    192.168.24.2    255.255.255.0   UG    0      0        0 tun0
192.168.24.2    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.25.0    0.0.0.0         255.255.255.0   U     0      0        0 tap1
192.168.26.0    192.168.26.2    255.255.255.0   UG    0      0        0 tun2
192.168.26.2    0.0.0.0         255.255.255.255 UH    0      0        0 tun2

--- --- --- --- --- --- --- --- --- --- --- --- ---

CityLZentyal ROUTES:
root@CityLZentyal:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.20.0    192.168.25.1    255.255.255.0   UG    0      0        0 tap0
192.168.24.0    192.168.25.1    255.255.255.0   UG    0      0        0 tap0
192.168.25.0    0.0.0.0         255.255.255.0   U     0      0        0 tap0

--- --- --- --- --- --- --- --- --- --- --- --- ---

CityMProxmox ROUTES:
root@tux:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.20.152  0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.20.158  0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.20.161  0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.20.180  0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.20.151  0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 vmbr0
0.0.0.0         192.168.20.1    0.0.0.0         UG    0      0        0 vmbr0

--- --- --- --- --- --- --- --- --- --- --- --- ---

CityLProxmox ROUTES:
root@goliath:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.11   0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.10.10   0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.5.50    0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.5.161   0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.5.163   0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.5.162   0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.5.158   0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.10.100  0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.10.101  0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.5.171   0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.5.170   0.0.0.0         255.255.255.255 UH    0      0        0 venet0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 vmbr0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 vmbr10
0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 vmbr0


It seems all good to me here.

--- --- --- --- --- --- --- --- --- --- --- --- ---

What I can add is that I configured the routers in the two networks to redirect packets to the internal subnets.
CityMRouter: 192.168.20.1
CityLRouter: 192.168.5.1

Unfortunately CityMRouter is a standard TP-Link (TL-WR1043ND) so I can't debug it with tcpdump, otherwise I would.

--- --- --- --- --- --- --- --- --- --- --- --- ---

CityMRouter ROUTES:
Destination Network   Subnet Mask      Gateway          Interface
192.168.5.0           255.255.255.0    192.168.20.176   LAN & WLAN
192.168.20.0          255.255.255.0    0.0.0.0          LAN & WLAN
192.168.1.0           255.255.255.0    0.0.0.0          WAN
192.168.25.0          255.255.255.0    192.168.20.176   LAN & WLAN
192.168.24.0          255.255.255.0    192.168.20.176   LAN & WLAN
239.0.0.0             255.0.0.0        0.0.0.0          LAN & WLAN
0.0.0.0               0.0.0.0          192.168.1.254    WAN

--- --- --- --- --- --- --- --- --- --- --- --- ---

CityLRouter ROUTES:
DESTINATION LAN NET   Subnet Mask      Gateway          Interface
192.168.1.254         255.255.255.255  0.0.0.0          WAN
192.168.5.0           255.255.255.0    0.0.0.0          LAN & WLAN
192.168.20.0          255.255.255.0    192.168.5.176    LAN & WLAN
192.168.1.0           255.255.255.0    0.0.0.0          WAN
192.168.10.0          255.255.255.0    192.168.5.33     LAN & WLAN
192.168.25.0          255.255.255.0    192.168.5.176    LAN & WLAN
192.168.24.0          255.255.255.0    192.168.5.176    LAN & WLAN
169.254.0.0           255.255.0.0      0.0.0.0          LAN & WLAN
0.0.0.0               0.0.0.0          192.168.1.254    WAN

--- --- --- --- --- --- --- --- --- --- --- --- ---

Anything wrong?
Or anything else to check?

Thanks again for reading! :-)

Andrea
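An added example, not code from the thread: a route-table walker built from the route -n and TP-Link tables posted above, which follows the failing ping's echo request from CityLProxmox and its reply from CityMProxmox hop by hop. Run against the tables as posted, it shows the request reaching CityMProxmox straight from CityMZentyal while the reply leaves through the default gateway 192.168.20.1, so the two directions take different paths and the reply crosses the TP-Link that cannot be captured on. with_site_routes() is an assumed change (not one the thread has tested) that gives each Proxmox host a route for the remote LAN via its local Zentyal VM and makes the paths symmetric.

```python
import ipaddress

# Routing tables copied from the thread, rewritten in "route -n" column order
# (destination gateway netmask iface). Only the routes that matter for the two
# LANs and the 192.168.25.0/24 tunnel are kept: the per-container venet0 host
# routes, the vmbr10 bridge and the tun0/tun2 tunnels play no part here. The
# two TP-Link tables are the routers' static routes written in the same shape.
ROUTE_TABLES = {
    "CityMProxmox": """
192.168.20.0 0.0.0.0 255.255.255.0 vmbr0
0.0.0.0 192.168.20.1 0.0.0.0 vmbr0
""",
    "CityMRouter": """
192.168.5.0 192.168.20.176 255.255.255.0 lan
192.168.20.0 0.0.0.0 255.255.255.0 lan
192.168.25.0 192.168.20.176 255.255.255.0 lan
0.0.0.0 192.168.1.254 0.0.0.0 wan
""",
    "CityMZentyal": """
192.168.5.0 192.168.25.2 255.255.255.0 tap1
192.168.20.0 0.0.0.0 255.255.255.0 eth0
192.168.25.0 0.0.0.0 255.255.255.0 tap1
""",
    "CityLZentyal": """
192.168.5.0 0.0.0.0 255.255.255.0 eth0
192.168.20.0 192.168.25.1 255.255.255.0 tap0
192.168.25.0 0.0.0.0 255.255.255.0 tap0
""",
    "CityLRouter": """
192.168.5.0 0.0.0.0 255.255.255.0 lan
192.168.20.0 192.168.5.176 255.255.255.0 lan
192.168.25.0 192.168.5.176 255.255.255.0 lan
0.0.0.0 192.168.1.254 0.0.0.0 wan
""",
    "CityLProxmox": """
192.168.5.0 0.0.0.0 255.255.255.0 vmbr0
0.0.0.0 192.168.5.1 0.0.0.0 vmbr0
""",
}

# Which host owns which address, as given in the thread.
ADDRESSES = {
    "192.168.20.33": "CityMProxmox", "192.168.20.1": "CityMRouter",
    "192.168.20.176": "CityMZentyal", "192.168.25.1": "CityMZentyal",
    "192.168.25.2": "CityLZentyal", "192.168.5.176": "CityLZentyal",
    "192.168.5.1": "CityLRouter", "192.168.5.33": "CityLProxmox",
}

def parse_routes(text):
    """Parse a route-table string into [(network, gateway_or_None, iface)]."""
    routes = []
    for line in text.strip().splitlines():
        dest, gw, mask, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else gw, iface))
    return routes

def next_hop(routes, dst_ip):
    """Longest-prefix match: (gateway_or_None, iface), or None if unroutable."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

def trace(src_host, dst_ip, tables=ROUTE_TABLES, max_hops=10):
    """List the hosts a packet crosses from src_host to dst_ip, hop by hop."""
    parsed = {name: parse_routes(text) for name, text in tables.items()}
    path, host = [src_host], src_host
    for _ in range(max_hops):
        hop = next_hop(parsed[host], dst_ip)
        if hop is None:
            return path + ["<no route>"]
        gw, _iface = hop
        nxt_ip = gw or dst_ip          # no gateway means the target is on-link
        nxt = ADDRESSES.get(nxt_ip)
        if nxt is None:
            return path + [f"<unknown {nxt_ip}>"]
        path.append(nxt)
        if nxt_ip == dst_ip:
            return path
        host = nxt
    return path + ["<loop>"]

def symmetric(request_path, reply_path):
    """True when the reply retraces the request's hops in reverse order."""
    return request_path == list(reversed(reply_path))

def with_site_routes(tables=ROUTE_TABLES):
    """Assumed fix, not something the thread has tested: give each Proxmox host
    a route for the remote LAN that points straight at its local Zentyal VM."""
    fixed = dict(tables)
    fixed["CityMProxmox"] += "192.168.5.0 192.168.20.176 255.255.255.0 vmbr0\n"
    fixed["CityLProxmox"] += "192.168.20.0 192.168.5.176 255.255.255.0 vmbr0\n"
    return fixed
```

trace("CityMProxmox", "192.168.5.33") reproduces the poster's own traceroute hop for hop (router, local Zentyal, remote Zentyal, destination); the point of the walker is comparing that list with the reverse direction, which a stateful device in the middle sees only half of.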
 
Old 05-20-2013, 05:05 AM   #5
^andrea^
Member
 
Registered: Mar 2011
Distribution: Arch Linux
Posts: 53

Original Poster
Rep: Reputation: 0
tux111, I read your message only now.
I will reply shortly with all the iptables info... :-)
 
Old 05-20-2013, 05:23 AM   #6
^andrea^
Member
 
Registered: Mar 2011
Distribution: Arch Linux
Posts: 53

Original Poster
Rep: Reputation: 0
There isn't much in the proxmox boxes (iptables-wise).

--- --- --- --- --- --- --- --- --- --- --- --- ---

CityMProxmox iptables:
root@CityMProxmox:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 106.186.16.21 0.0.0.0/0
DROP all -- 186.226.83.3 0.0.0.0/0
DROP all -- 190.145.3.91 0.0.0.0/0
DROP all -- 14.63.160.54 0.0.0.0/0
DROP all -- 60.168.158.18 0.0.0.0/0
DROP all -- 188.138.89.72 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

--- --- --- --- --- --- --- --- --- --- --- --- ---

CityLProxmox iptables:
root@CityLProxmox:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 192.168.5.1
DROP all -- 192.168.10.0/24 192.168.5.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 213.149.117.244 0.0.0.0/0
DROP all -- 210.56.24.183 0.0.0.0/0
DROP all -- 184.168.109.205 0.0.0.0/0
DROP all -- 223.5.3.200 0.0.0.0/0
DROP all -- 61.142.106.34 0.0.0.0/0
DROP all -- 125.22.76.77 0.0.0.0/0
DROP all -- 211.172.247.48 0.0.0.0/0
DROP all -- 216.19.223.55 0.0.0.0/0
DROP all -- 188.138.33.107 0.0.0.0/0
DROP all -- 27.254.62.34 0.0.0.0/0
DROP all -- 194.90.47.216 0.0.0.0/0
DROP all -- 119.36.186.44 0.0.0.0/0
DROP all -- 116.127.121.77 0.0.0.0/0
DROP all -- 50.115.44.242 0.0.0.0/0
DROP all -- 219.84.223.8 0.0.0.0/0
DROP all -- 117.21.182.50 0.0.0.0/0
DROP all -- 119.1.159.54 0.0.0.0/0
DROP all -- 117.239.105.115 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

--- --- --- --- --- --- --- --- --- --- --- --- ---

There is definitely more going on on the Zentyal boxes and, to be honest, I get a bit lost in there... :-(

--- --- --- --- --- --- --- --- --- --- --- --- ---

CityMZentyal iptables:
root@CityMZentyal:~# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
preinput all -- 0.0.0.0/0 0.0.0.0/0
idrop all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
inospoof all -- 0.0.0.0/0 0.0.0.0/0
iexternalmodules all -- 0.0.0.0/0 0.0.0.0/0
iexternal all -- 0.0.0.0/0 0.0.0.0/0
inoexternal all -- 0.0.0.0/0 0.0.0.0/0
imodules all -- 0.0.0.0/0 0.0.0.0/0
iintservs all -- 0.0.0.0/0 0.0.0.0/0
iglobal all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
idrop all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
preforward all -- 0.0.0.0/0 0.0.0.0/0
fdrop all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
fnospoof all -- 0.0.0.0/0 0.0.0.0/0
fredirects all -- 0.0.0.0/0 0.0.0.0/0
fmodules all -- 0.0.0.0/0 0.0.0.0/0
ffwdrules all -- 0.0.0.0/0 0.0.0.0/0
fnoexternal all -- 0.0.0.0/0 0.0.0.0/0
fdns all -- 0.0.0.0/0 0.0.0.0/0
fobjects all -- 0.0.0.0/0 0.0.0.0/0
fglobal all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
fdrop all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
preoutput all -- 0.0.0.0/0 0.0.0.0/0
odrop all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ointernal all -- 0.0.0.0/0 0.0.0.0/0
omodules all -- 0.0.0.0/0 0.0.0.0/0
oglobal all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
odrop all -- 0.0.0.0/0 0.0.0.0/0

Chain drop (4 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 50/min burst 10 LOG flags 0 level 7 prefix "ebox-firewall drop "
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain fdns (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53

Chain fdrop (3 references)
target prot opt source destination
drop all -- 0.0.0.0/0 0.0.0.0/0

Chain ffwdrules (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.24.0/24 0.0.0.0/0
ACCEPT all -- 192.168.25.0/24 0.0.0.0/0
ACCEPT all -- 192.168.20.0/24 0.0.0.0/0
ACCEPT all -- 192.168.5.0/24 0.0.0.0/0

Chain fglobal (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain fmodules (1 references)
target prot opt source destination

Chain fnoexternal (1 references)
target prot opt source destination

Chain fnospoof (1 references)
target prot opt source destination
fnospoofmodules all -- 0.0.0.0/0 0.0.0.0/0

Chain fnospoofmodules (1 references)
target prot opt source destination

Chain fobjects (1 references)
target prot opt source destination

Chain fredirects (1 references)
target prot opt source destination

Chain ftoexternalonly (0 references)
target prot opt source destination
fdrop all -- 0.0.0.0/0 0.0.0.0/0

Chain idrop (2 references)
target prot opt source destination
drop all -- 0.0.0.0/0 0.0.0.0/0

Chain iexternal (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.24.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.25.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.5.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.20.0/24 0.0.0.0/0 state NEW

Chain iexternalmodules (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520

Chain iglobal (1 references)
target prot opt source destination
ACCEPT all -- 192.168.24.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.25.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.5.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.20.0/24 0.0.0.0/0 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:8880 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8880 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:8464 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8464 state NEW
drop tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:390 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6895 state NEW

Chain iintservs (1 references)
target prot opt source destination

Chain imodules (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1195
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1194
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1196

Chain inoexternal (1 references)
target prot opt source destination

Chain inointernal (0 references)
target prot opt source destination

Chain inospoof (1 references)
target prot opt source destination
inospoofmodules all -- 0.0.0.0/0 0.0.0.0/0

Chain inospoofmodules (1 references)
target prot opt source destination

Chain log (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 50/min burst 10 LOG flags 0 level 7 prefix "ebox-firewall log "
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain odrop (2 references)
target prot opt source destination
drop all -- 0.0.0.0/0 0.0.0.0/0

Chain oglobal (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW

Chain ointernal (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:67
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 176.34.155.79 state NEW tcp dpt:1194
ACCEPT udp -- 0.0.0.0/0 176.34.137.90 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 176.34.153.83 state NEW tcp dpt:443

Chain omodules (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain preforward (1 references)
target prot opt source destination

Chain preinput (1 references)
target prot opt source destination

Chain preoutput (1 references)
target prot opt source destination

--- --- --- --- --- --- --- --- --- --- --- --- ---

CityLZentyal iptables:
root@CityLZentyal:~# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
preinput all -- 0.0.0.0/0 0.0.0.0/0
idrop all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
inospoof all -- 0.0.0.0/0 0.0.0.0/0
iexternalmodules all -- 0.0.0.0/0 0.0.0.0/0
iexternal all -- 0.0.0.0/0 0.0.0.0/0
inoexternal all -- 0.0.0.0/0 0.0.0.0/0
imodules all -- 0.0.0.0/0 0.0.0.0/0
iintservs all -- 0.0.0.0/0 0.0.0.0/0
iglobal all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
idrop all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
preforward all -- 0.0.0.0/0 0.0.0.0/0
fdrop all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
fnospoof all -- 0.0.0.0/0 0.0.0.0/0
fredirects all -- 0.0.0.0/0 0.0.0.0/0
fmodules all -- 0.0.0.0/0 0.0.0.0/0
ffwdrules all -- 0.0.0.0/0 0.0.0.0/0
fnoexternal all -- 0.0.0.0/0 0.0.0.0/0
fdns all -- 0.0.0.0/0 0.0.0.0/0
fobjects all -- 0.0.0.0/0 0.0.0.0/0
fglobal all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
fdrop all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
preoutput all -- 0.0.0.0/0 0.0.0.0/0
odrop all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ointernal all -- 0.0.0.0/0 0.0.0.0/0
omodules all -- 0.0.0.0/0 0.0.0.0/0
oglobal all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
odrop all -- 0.0.0.0/0 0.0.0.0/0

Chain drop (4 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 50/min burst 10 LOG flags 0 level 7 prefix "ebox-firewall drop "
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain fdns (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53

Chain fdrop (3 references)
target prot opt source destination
drop all -- 0.0.0.0/0 0.0.0.0/0

Chain ffwdrules (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.25.0/24 0.0.0.0/0
ACCEPT all -- 192.168.5.0/24 0.0.0.0/0
ACCEPT all -- 192.168.20.0/24 0.0.0.0/0

Chain fglobal (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain fmodules (1 references)
target prot opt source destination

Chain fnoexternal (1 references)
target prot opt source destination

Chain fnospoof (1 references)
target prot opt source destination
fnospoofmodules all -- 0.0.0.0/0 0.0.0.0/0

Chain fnospoofmodules (1 references)
target prot opt source destination

Chain fobjects (1 references)
target prot opt source destination

Chain fredirects (1 references)
target prot opt source destination

Chain ftoexternalonly (0 references)
target prot opt source destination
fdrop all -- 0.0.0.0/0 0.0.0.0/0

Chain idrop (2 references)
target prot opt source destination
drop all -- 0.0.0.0/0 0.0.0.0/0

Chain iexternal (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.25.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.5.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.20.0/24 0.0.0.0/0 state NEW

Chain iexternalmodules (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520

Chain iglobal (1 references)
target prot opt source destination
ACCEPT all -- 192.168.25.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.5.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.20.0/24 0.0.0.0/0 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:8880 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8880 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:8464 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8464 state NEW
drop tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:390 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6895 state NEW

Chain iintservs (1 references)
target prot opt source destination

Chain imodules (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520

Chain inoexternal (1 references)
target prot opt source destination

Chain inointernal (0 references)
target prot opt source destination

Chain inospoof (1 references)
target prot opt source destination
inospoofmodules all -- 0.0.0.0/0 0.0.0.0/0

Chain inospoofmodules (1 references)
target prot opt source destination

Chain log (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 50/min burst 10 LOG flags 0 level 7 prefix "ebox-firewall log "
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain odrop (2 references)
target prot opt source destination
drop all -- 0.0.0.0/0 0.0.0.0/0

Chain oglobal (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW

Chain ointernal (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:67
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 54.246.132.36 state NEW tcp dpt:1194
ACCEPT udp -- 0.0.0.0/0 176.34.137.90 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 176.34.153.83 state NEW tcp dpt:443

Chain omodules (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT udp -- 0.0.0.0/0 2.235.179.240 udp dpt:1195
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain preforward (1 references)
target prot opt source destination

Chain preinput (1 references)
target prot opt source destination

Chain preoutput (1 references)
target prot opt source destination

--- --- --- --- --- --- --- --- --- --- --- --- ---

WOW! That is a LOT!!!

Can anyone spot what is wrong in there?

Thanks in advance.

Andrea
 
Old 05-20-2013, 05:36 AM   #7
tux111
Member
 
Registered: Oct 2012
Location: Germany
Distribution: Xubuntu
Posts: 81

Rep: Reputation: Disabled
I think iptables -L -vt nat is missing. Or don't you do any NAT?
 
Old 05-20-2013, 05:56 AM   #8
^andrea^
Member
 
Registered: Mar 2011
Distribution: Arch Linux
Posts: 53

Original Poster
Rep: Reputation: 0
Zentyal takes care of NATting for me I believe, I probably haven't been able to configure it 100% correctly yet...

Anyway, I have re-run all commands with "iptables -L -vt nat".

Here are the results:

--- --- --- --- --- --- --- --- --- --- --- --- ---

CityMProxmox iptables:
root@CityMProxmox:~# iptables -L -vt nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

--- --- --- --- --- --- --- --- --- --- --- --- ---

CityLProxmox iptables:
root@CityLProxmox:~# iptables -L -vt nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

--- --- --- --- --- --- --- --- --- --- --- --- ---

CityMZentyal iptables:
root@CityMZentyal:~# iptables -L -vt nat
Chain PREROUTING (policy ACCEPT 14267 packets, 1840K bytes)
pkts bytes target prot opt in out source destination
14267 1840K premodules all -- any any anywhere anywhere

Chain INPUT (policy ACCEPT 4598 packets, 667K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1594 packets, 103K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 5337 packets, 296K bytes)
pkts bytes target prot opt in out source destination
7414 421K postmodules all -- any any anywhere anywhere

Chain postmodules (1 references)
pkts bytes target prot opt in out source destination
2074 124K MASQUERADE all -- any eth0 192.168.24.0/24 anywhere
1 60 MASQUERADE all -- any eth0 192.168.26.0/24 anywhere
0 0 MASQUERADE all -- any eth0 192.168.25.0/24 anywhere

Chain premodules (1 references)
pkts bytes target prot opt in out source destination

--- --- --- --- --- --- --- --- --- --- --- --- ---

CityLZentyal iptables:
root@CityLZentyal:~# iptables -L -vt nat
Chain PREROUTING (policy ACCEPT 147K packets, 12M bytes)
pkts bytes target prot opt in out source destination
147K 12M premodules all -- any any anywhere anywhere

Chain INPUT (policy ACCEPT 12892 packets, 2066K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 8240 packets, 624K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 127K packets, 7645K bytes)
pkts bytes target prot opt in out source destination
127K 7645K postmodules all -- any any anywhere anywhere

Chain postmodules (1 references)
pkts bytes target prot opt in out source destination

Chain premodules (1 references)
pkts bytes target prot opt in out source destination

--- --- --- --- --- --- --- --- --- --- --- --- ---

Any good? :-)
 
Old 05-20-2013, 07:20 AM   #9
nyshtyak
Member
 
Registered: Nov 2008
Distribution: Arch
Posts: 38

Rep: Reputation: 2
>2074 124K MASQUERADE all -- any eth0 192.168.24.0/24 anywhere
>1 60 MASQUERADE all -- any eth0 192.168.26.0/24 anywhere
>0 0 MASQUERADE all -- any eth0 192.168.25.0/24 anywhere

Hmm... What is the purpose of these rules in your network? I cannot get why you use NAT here.
 
Old 05-20-2013, 06:54 PM   #10
^andrea^
Member
 
Registered: Mar 2011
Distribution: Arch Linux
Posts: 53

Original Poster
Rep: Reputation: 0
I haven't entered those rules manually.
I have configured Zentyal from the web GUI and those are the routes/rules created as a result.

What I can tell you though, is that those three networks are part of
the three openVPN instances I'm "playing" with.

192.168.25.0 is the openvpn network that connects the two LANs (CityM and CityL).

192.168.24.0 is the openvpn network I use as Road Warrior and it works perfectly
allowing access to both LANs (CityM and CityL) when I'm away from home.

192.168.26.0 is another openvpn instance I was playing with
(I can actually turn that off now).
 
Old 05-21-2013, 07:42 AM   #11
^andrea^
Member
 
Registered: Mar 2011
Distribution: Arch Linux
Posts: 53

Original Poster
Rep: Reputation: 0
nyshtyak, about those rules, in the zentyal openVPN configuration GUI there is an option "Network Address Translation"
with description "Enable it if this VPN server is not the default gateway".

Since my zentyal boxes are not the default gateways I ticked the checkbox.

Anyway, enabling/disabling that option makes no difference.
The CityL network still can't ping the CityM network apart from CityMRouter (192.168.20.1) which I find awkward.
I mean, if it can ping the router it should be able to ping any other host... weird..

Still working on it... :-)
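An added diagnostic (not code from the thread and not Zentyal's own): it parses the postmodules chain from the CityMZentyal nat dump posted above and asks which MASQUERADE rule, if any, would rewrite a packet that Zentyal forwards into the CityM LAN. It assumes eth0 is CityMZentyal's LAN-facing interface; the sample addresses 192.168.24.6 and 192.168.5.10 are constructed. A packet that matches no rule arrives at CityMProxmox with its original source, so that host (not the NAT box) needs a route back to that network.

```python
import ipaddress

# Constructed sample: the postmodules chain from CityMZentyal's
# "iptables -L -vt nat" output as posted in the thread (counters verbatim).
POSTMODULES = """\
Chain postmodules (1 references)
pkts bytes target prot opt in out source destination
2074 124K MASQUERADE all -- any eth0 192.168.24.0/24 anywhere
1 60 MASQUERADE all -- any eth0 192.168.26.0/24 anywhere
0 0 MASQUERADE all -- any eth0 192.168.25.0/24 anywhere
"""

def parse_nat_chain(text):
    """Turn the rule rows of an 'iptables -L -v' chain dump into dicts;
    the 'Chain ...' header and the column-title line are skipped."""
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 9 or not cols[0].isdigit():
            continue
        rules.append({"pkts": int(cols[0]), "target": cols[2], "in": cols[5],
                      "out": cols[6], "src": cols[7], "dst": cols[8]})
    return rules

def _iface_matches(rule_iface, iface):
    return rule_iface == "any" or rule_iface == iface

def _addr_matches(rule_net, ip):
    if rule_net == "anywhere":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_net, strict=False)

def matching_masquerade(rules, src_ip, out_iface):
    """First MASQUERADE rule that would rewrite a packet with source src_ip
    leaving on out_iface, or None if the packet keeps its original source
    (then the receiving LAN host must hold the route back to src_ip's network)."""
    for r in rules:
        if (r["target"] == "MASQUERADE"
                and _iface_matches(r["out"], out_iface)
                and _addr_matches(r["src"], src_ip)):
            return r
    return None

if __name__ == "__main__":
    rules = parse_nat_chain(POSTMODULES)
    # Assumption: eth0 is CityMZentyal's LAN-facing interface.
    for label, src in (("Road Warrior client", "192.168.24.6"),
                       ("CityLZentyal tunnel address", "192.168.25.2"),
                       ("CityL LAN host", "192.168.5.10")):
        hit = matching_masquerade(rules, src, "eth0")
        print(f"{label} {src}: {'NAT via ' + hit['src'] if hit else 'no NAT, source kept'}")
```

The zero packet counter on the 192.168.25.0/24 rule is consistent with this: LAN-to-LAN traffic carries 192.168.5.x sources, which that rule never matches.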
 
Old 06-14-2013, 01:45 PM   #12
jrober2p
LQ Newbie
 
Registered: Jul 2009
Posts: 3

Rep: Reputation: 0
Hi ^andrea^
I have a similar problem to yours; a difference is I'm connecting two LANs: a) 193.10.10.0/24 b) 193.10.20.0/24,
with STATIC ROUTES; there is a dedicated link (with a data provider) which carries data from A to B.

Side A through B, zero problems, I can see everything.
Side B to A, I can only see the router (193.10.10.6) and the Zentyal firewall server (193.10.10.3).

I've been looking for a solution and I found some links with issues similar to yours and mine; this can help us. I share them.
In summary, the problem is in the Zentyal firewall, since for some reason it does not do the FORWARDING of the packets correctly
between the main internal network and the subnets.

I leave the links.

zentyal ip_forward
http://forum.zentyal.org/index.php?topic=14738.0
http://forum.zentyal.org/index.php?topic=4287.0.

zentyal overrides ip_forward
https://help.ubuntu.com/12.04/server...erverguide.pdf
http://ideas.zentyal.org/ideatorrent...deas_promoted/
http://ideas.zentyal.org/ideatorrent/random_ideas/4

zentyal forwarding
http://trac.zentyal.org/ticket/5961
http://forum.zentyal.org/index.php?topic=9339.0
http://ideas.zentyal.org/ideatorrent/idea/118/
http://trac.zentyal.org/ticket/3180

THIS LINK LOOKS LIKE A POSSIBLE SOLUTION BECAUSE THE GUY APPARENTLY USES VPN IN HIS MODEL.
Topic: [SOLVED] Firewall configuration with PPTPD - Can't ping from connected hosts.. (Read 1598 times)
http://forum.zentyal.org/index.php?topic=5065.0

Good luck,

jrober2p
Tags
openvpn, routing, subnet