"One way" routing problems across subnets through openVPN
Hi All,
As the title states, I have some routing problems across two subnets joined by openVPN (as the two LANs are in different cities).
The curious thing is that the routing problems affect only some hosts (and their virtual machines) on only one of the two subnets.
Bear with me while I try to explain my setup and debugging methods as clearly and briefly as possible.
As mentioned the two subnets are in different cities.
CityM: 192.168.20.0/24
CityL: 192.168.5.0/24
In each LAN I have a main server (proxmox, Debian based) which I use to run the several virtual machines (either openvz or kvm) I need.
CityMProxmox: 192.168.20.33
CityLProxmox: 192.168.5.33
To join these two networks and share their resources I'm using openVpn.
OpenVpn is not installed on the main servers (I always try to install as little as possible on them)
but it's installed on two Zentyal (Ubuntu 12.04 based) KVM virtual machines which give me some nice features.
CityMZentyal: 192.168.20.176
CityLZentyal: 192.168.5.176
In the OpenVpn configuration, CityMZentyal is the server with IP 192.168.25.1,
while CityLZentyal is the client with IP 192.168.25.2.
From CityM I can do anything.
From CityL I can connect to some machines like the router (192.168.20.1) and CityMZentyal (at the address 192.168.20.176)
but not CityMProxmox (or any of its virtual machines).
To focus on one problem I started to debug the issue between the two main servers.
The other strange thing for me is that TRACEROUTE works as expected both ways.
Traceroute "FROM CityMProxmox TO CityLProxmox":
root@CityMProxmox:~# traceroute 192.168.5.33
traceroute to 192.168.5.33 (192.168.5.33), 30 hops max, 60 byte packets
1 192.168.20.1 (192.168.20.1) 0.344 ms 0.457 ms 0.573 ms
2 192.168.20.176 (192.168.20.176) 0.943 ms 0.972 ms 1.083 ms
3 192.168.25.2 (192.168.25.2) 53.017 ms 60.363 ms 60.560 ms
4 192.168.5.33 (192.168.5.33) 60.680 ms 62.028 ms 62.227 ms
Traceroute "FROM CityLProxmox TO CityMProxmox":
root@CityLProxmox:~# traceroute 192.168.20.33
traceroute to 192.168.20.33 (192.168.20.33), 30 hops max, 60 byte packets
1 192.168.5.1 (192.168.5.1) 0.434 ms 0.540 ms 0.722 ms
2 192.168.5.176 (192.168.5.176) 1.263 ms 1.322 ms 1.351 ms
3 192.168.25.1 (192.168.25.1) 55.348 ms 55.035 ms 55.740 ms
4 192.168.20.33 (192.168.20.33) 56.737 ms 56.862 ms 57.148 ms
At this point I've started playing with TCPDUMP to figure out where the packets get lost and I've found out that
the pings are actually reaching CityMProxmox but get lost on the way back.
In fact on CityMProxmox I get:
root@CityMProxmox:~# tcpdump -nnSi vmbr0 icmp and \(src 192.168.5.33 or dst 192.168.5.33\)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
02:43:03.777090 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 1, length 64
02:43:03.777107 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 1, length 64
02:43:04.776495 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 2, length 64
02:43:04.776510 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 2, length 64
02:43:05.776549 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 3, length 64
02:43:05.776565 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 3, length 64
02:43:06.776844 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 4, length 64
02:43:06.776859 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 4, length 64
02:43:07.776599 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 5, length 64
02:43:07.776615 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 5, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
root@CityMZentyal:~# tcpdump -nnSi any icmp and \(src 192.168.5.33 or dst 192.168.5.33\)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
02:59:48.729392 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 1, length 64
02:59:48.729420 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 1, length 64
02:59:49.729116 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 2, length 64
02:59:49.729130 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 2, length 64
02:59:50.728862 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 3, length 64
02:59:50.728876 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 3, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
NO "ICMP echo reply"! There are ONLY the REQUESTS!
(The packets show up twice because I used "-i any". They probably appear on different interfaces, so I believe it's correct.)
As far as I know there shouldn't be any firewall in the way blocking the traffic.
What puzzles me is the fact that if I ping FROM CityMZentyal TO CityLZentyal everything looks good but, if I do the opposite,
the packets can't find their way back.
How come?
Can anyone suggest a way to debug this further (or better)?
Any idea would be much appreciated!
If you managed to read up to this point, WOW! Thanks! :-)
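The tcpdump comparison above (requests and replies on CityMProxmox, requests only on CityMZentyal) can be read off automatically. The script below is an added example, not code from the thread; it pairs ICMP echo requests with their replies by (id, seq) in `tcpdump -nn` output and reports the unanswered ones per capture point. The two captures are copied from the post above so it runs offline, and the duplicate lines produced by `-i any` are collapsed rather than counted twice.

```python
"""Pair ICMP echo requests with their replies in tcpdump output.

Added example, not code from the thread. The two captures are copied from the
original post (tcpdump -nn output) so the script runs offline; the regex
assumes the default -nn ICMP line format shown there.
"""
import re

# One tcpdump -nn ICMP echo line:
# "<ts> IP <src> > <dst>: ICMP echo request|reply, id <id>, seq <n>, length <len>"
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

# Capture taken on CityMProxmox (vmbr0): both directions present.
CAPTURE_PROXMOX_VMBR0 = """\
listening on vmbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
02:43:03.777090 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 1, length 64
02:43:03.777107 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 1, length 64
02:43:04.776495 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 2, length 64
02:43:04.776510 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 2, length 64
02:43:05.776549 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 3, length 64
02:43:05.776565 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 3, length 64
02:43:06.776844 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 4, length 64
02:43:06.776859 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 4, length 64
02:43:07.776599 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 38376, seq 5, length 64
02:43:07.776615 IP 192.168.20.33 > 192.168.5.33: ICMP echo reply, id 38376, seq 5, length 64
10 packets captured
"""

# Capture taken on CityMZentyal with -i any: every packet shows twice, replies absent.
CAPTURE_ZENTYAL_ANY = """\
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
02:59:48.729392 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 1, length 64
02:59:48.729420 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 1, length 64
02:59:49.729116 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 2, length 64
02:59:49.729130 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 2, length 64
02:59:50.728862 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 3, length 64
02:59:50.728876 IP 192.168.5.33 > 192.168.20.33: ICMP echo request, id 47003, seq 3, length 64
6 packets captured
"""


def summarize(capture_text):
    """Count unique echo requests and replies, list the (id, seq) pairs that never
    got a reply at this capture point, and count lines that repeat a packet
    already seen (expected when capturing with -i any)."""
    seen = set()
    duplicates = 0
    requests, replies = set(), set()
    for line in capture_text.splitlines():
        m = ICMP_RE.match(line.strip())
        if not m:
            continue  # tcpdump banner, ^C and the packet-count trailer are not packets
        key = (int(m["id"]), int(m["seq"]), m["kind"])
        if key in seen:
            duplicates += 1
            continue
        seen.add(key)
        (requests if m["kind"] == "request" else replies).add(key[:2])
    return {
        "requests": len(requests),
        "replies": len(replies),
        "unanswered": sorted(requests - replies),
        "duplicate_lines": duplicates,
    }


def report(name, capture_text):
    """Print a one-line verdict for a capture point and return the summary."""
    s = summarize(capture_text)
    verdict = "both directions seen" if not s["unanswered"] else "ONE-WAY: no replies at this point"
    print(f"{name}: {s['requests']} requests, {s['replies']} replies, "
          f"{s['duplicate_lines']} repeated lines -> {verdict}")
    return s


if __name__ == "__main__":
    report("CityMProxmox vmbr0", CAPTURE_PROXMOX_VMBR0)
    report("CityMZentyal any", CAPTURE_ZENTYAL_ANY)
```

Running the same function over captures taken at each hop (LAN host, router-facing interface, tun interface) narrows down the segment where replies stop appearing, which is the question the post ends on.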
I'd check that IP forwarding is enabled on CityMZentyal.
Then it could be a good idea to compare the routing tables of the corresponding servers on both sides (proxmoxM/proxmoxL, zentyalM/zentyalL). If you have a symmetrical configuration, your routes should be symmetrical too.
Don't be confused by the difference in ping/traceroute behavior. These utilities work in slightly different ways.
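The "compare both sides for symmetry" advice can be applied to firewall listings as well as routing tables. The script below is an added example, not code from the thread; it parses `iptables -L -n` output into chains and lists the rules present on one Zentyal box but not the other, plus the source networks each side accepts in a given chain. The sample input reproduces the ffwdrules and iexternal chains posted later in the thread for CityMZentyal and CityLZentyal, so it runs offline.

```python
"""Compare two `iptables -L -n` listings chain by chain.

Added example, not code from the thread. The two listings are the ffwdrules
and iexternal chains posted for CityMZentyal and CityLZentyal, reproduced
here as sample input so the script runs offline.
"""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \(")

# Constructed sample input: excerpt of `iptables -L -n` from CityMZentyal (as posted).
CITYM_LISTING = """\
Chain ffwdrules (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.24.0/24      0.0.0.0/0
ACCEPT     all  --  192.168.25.0/24      0.0.0.0/0
ACCEPT     all  --  192.168.20.0/24      0.0.0.0/0
ACCEPT     all  --  192.168.5.0/24       0.0.0.0/0
Chain iexternal (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.24.0/24      0.0.0.0/0            state NEW
ACCEPT     all  --  192.168.25.0/24      0.0.0.0/0            state NEW
ACCEPT     all  --  192.168.5.0/24       0.0.0.0/0            state NEW
ACCEPT     all  --  192.168.20.0/24      0.0.0.0/0            state NEW
"""

# Constructed sample input: the same chains from CityLZentyal (as posted).
CITYL_LISTING = """\
Chain ffwdrules (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.25.0/24      0.0.0.0/0
ACCEPT     all  --  192.168.5.0/24       0.0.0.0/0
ACCEPT     all  --  192.168.20.0/24      0.0.0.0/0
Chain iexternal (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.25.0/24      0.0.0.0/0            state NEW
ACCEPT     all  --  192.168.5.0/24       0.0.0.0/0            state NEW
ACCEPT     all  --  192.168.20.0/24      0.0.0.0/0            state NEW
"""


def parse_iptables_listing(text):
    """Return {chain_name: [normalised rule lines]} from `iptables -L -n` output.
    Column headers are dropped and runs of whitespace are collapsed, so the same
    rule printed with different column padding on two hosts compares equal."""
    chains = {}
    current = None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line.startswith("target prot opt") or line.startswith("pkts bytes target"):
            continue  # column header of `-L -n` or `-L -v`
        elif current is not None:
            chains[current].append(line)
    return chains


def compare_listings(a, b):
    """Return {chain: (rules only in a, rules only in b)} for every chain that
    differs or exists on one side only. Rules are compared as sets: order and
    repetition (e.g. duplicated RETURN lines) are ignored, which is enough to
    spot a network that one side accepts and the other does not."""
    diff = {}
    for chain in sorted(set(a) | set(b)):
        ra, rb = set(a.get(chain, [])), set(b.get(chain, []))
        if ra != rb or chain not in a or chain not in b:
            diff[chain] = (sorted(ra - rb), sorted(rb - ra))
    return diff


def accepted_sources(chains, chain_name):
    """Source networks that have an ACCEPT rule in the given chain, e.g. the
    subnets a Zentyal box is willing to forward in ffwdrules."""
    return {r.split()[3] for r in chains.get(chain_name, []) if r.startswith("ACCEPT ")}


if __name__ == "__main__":
    m, l = parse_iptables_listing(CITYM_LISTING), parse_iptables_listing(CITYL_LISTING)
    for chain, (only_m, only_l) in compare_listings(m, l).items():
        print(f"{chain}: only on CityM {only_m}; only on CityL {only_l}")
    print("ffwdrules accepts on CityL:", sorted(accepted_sources(l, "ffwdrules")))
```

On the posted listings the only asymmetry is the extra 192.168.24.0/24 (Road Warrior) network on CityM; both boxes accept the two LANs and the 192.168.25.0/24 tunnel network, so the difference in behaviour is not explained by these two chains alone and the routing tables are the next thing to compare.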
What I can add is that I configured the routers in the two networks to redirect packets to the internal subnets.
CityMRouter: 192.168.20.1
CityLRouter: 192.168.5.1
Unfortunately CityMRouter is a standard TP-Link (TL-WR1043ND) so I can't debug it with tcpdump, otherwise I would.
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 106.186.16.21 0.0.0.0/0
DROP all -- 186.226.83.3 0.0.0.0/0
DROP all -- 190.145.3.91 0.0.0.0/0
DROP all -- 14.63.160.54 0.0.0.0/0
DROP all -- 60.168.158.18 0.0.0.0/0
DROP all -- 188.138.89.72 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 213.149.117.244 0.0.0.0/0
DROP all -- 210.56.24.183 0.0.0.0/0
DROP all -- 184.168.109.205 0.0.0.0/0
DROP all -- 223.5.3.200 0.0.0.0/0
DROP all -- 61.142.106.34 0.0.0.0/0
DROP all -- 125.22.76.77 0.0.0.0/0
DROP all -- 211.172.247.48 0.0.0.0/0
DROP all -- 216.19.223.55 0.0.0.0/0
DROP all -- 188.138.33.107 0.0.0.0/0
DROP all -- 27.254.62.34 0.0.0.0/0
DROP all -- 194.90.47.216 0.0.0.0/0
DROP all -- 119.36.186.44 0.0.0.0/0
DROP all -- 116.127.121.77 0.0.0.0/0
DROP all -- 50.115.44.242 0.0.0.0/0
DROP all -- 219.84.223.8 0.0.0.0/0
DROP all -- 117.21.182.50 0.0.0.0/0
DROP all -- 119.1.159.54 0.0.0.0/0
DROP all -- 117.239.105.115 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
CityMZentyal iptables:
root@CityMZentyal:~# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
preinput all -- 0.0.0.0/0 0.0.0.0/0
idrop all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
inospoof all -- 0.0.0.0/0 0.0.0.0/0
iexternalmodules all -- 0.0.0.0/0 0.0.0.0/0
iexternal all -- 0.0.0.0/0 0.0.0.0/0
inoexternal all -- 0.0.0.0/0 0.0.0.0/0
imodules all -- 0.0.0.0/0 0.0.0.0/0
iintservs all -- 0.0.0.0/0 0.0.0.0/0
iglobal all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
idrop all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
preforward all -- 0.0.0.0/0 0.0.0.0/0
fdrop all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
fnospoof all -- 0.0.0.0/0 0.0.0.0/0
fredirects all -- 0.0.0.0/0 0.0.0.0/0
fmodules all -- 0.0.0.0/0 0.0.0.0/0
ffwdrules all -- 0.0.0.0/0 0.0.0.0/0
fnoexternal all -- 0.0.0.0/0 0.0.0.0/0
fdns all -- 0.0.0.0/0 0.0.0.0/0
fobjects all -- 0.0.0.0/0 0.0.0.0/0
fglobal all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
fdrop all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
preoutput all -- 0.0.0.0/0 0.0.0.0/0
odrop all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ointernal all -- 0.0.0.0/0 0.0.0.0/0
omodules all -- 0.0.0.0/0 0.0.0.0/0
oglobal all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
odrop all -- 0.0.0.0/0 0.0.0.0/0
Chain drop (4 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 50/min burst 10 LOG flags 0 level 7 prefix "ebox-firewall drop "
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain fdns (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53
Chain fdrop (3 references)
target prot opt source destination
drop all -- 0.0.0.0/0 0.0.0.0/0
Chain ffwdrules (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.24.0/24 0.0.0.0/0
ACCEPT all -- 192.168.25.0/24 0.0.0.0/0
ACCEPT all -- 192.168.20.0/24 0.0.0.0/0
ACCEPT all -- 192.168.5.0/24 0.0.0.0/0
Chain idrop (2 references)
target prot opt source destination
drop all -- 0.0.0.0/0 0.0.0.0/0
Chain iexternal (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.24.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.25.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.5.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.20.0/24 0.0.0.0/0 state NEW
Chain iglobal (1 references)
target prot opt source destination
ACCEPT all -- 192.168.24.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.25.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.5.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.20.0/24 0.0.0.0/0 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:8880 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8880 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:8464 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8464 state NEW
drop tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:390 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6895 state NEW
Chain odrop (2 references)
target prot opt source destination
drop all -- 0.0.0.0/0 0.0.0.0/0
Chain oglobal (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
Chain ointernal (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:67
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 176.34.155.79 state NEW tcp dpt:1194
ACCEPT udp -- 0.0.0.0/0 176.34.137.90 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 176.34.153.83 state NEW tcp dpt:443
CityLZentyal iptables:
root@CityLZentyal:~# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
preinput all -- 0.0.0.0/0 0.0.0.0/0
idrop all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
inospoof all -- 0.0.0.0/0 0.0.0.0/0
iexternalmodules all -- 0.0.0.0/0 0.0.0.0/0
iexternal all -- 0.0.0.0/0 0.0.0.0/0
inoexternal all -- 0.0.0.0/0 0.0.0.0/0
imodules all -- 0.0.0.0/0 0.0.0.0/0
iintservs all -- 0.0.0.0/0 0.0.0.0/0
iglobal all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
idrop all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
preforward all -- 0.0.0.0/0 0.0.0.0/0
fdrop all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
fnospoof all -- 0.0.0.0/0 0.0.0.0/0
fredirects all -- 0.0.0.0/0 0.0.0.0/0
fmodules all -- 0.0.0.0/0 0.0.0.0/0
ffwdrules all -- 0.0.0.0/0 0.0.0.0/0
fnoexternal all -- 0.0.0.0/0 0.0.0.0/0
fdns all -- 0.0.0.0/0 0.0.0.0/0
fobjects all -- 0.0.0.0/0 0.0.0.0/0
fglobal all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
fdrop all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
preoutput all -- 0.0.0.0/0 0.0.0.0/0
odrop all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ointernal all -- 0.0.0.0/0 0.0.0.0/0
omodules all -- 0.0.0.0/0 0.0.0.0/0
oglobal all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
ACCEPT icmp !f 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
odrop all -- 0.0.0.0/0 0.0.0.0/0
Chain drop (4 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 50/min burst 10 LOG flags 0 level 7 prefix "ebox-firewall drop "
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain fdns (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53
Chain fdrop (3 references)
target prot opt source destination
drop all -- 0.0.0.0/0 0.0.0.0/0
Chain ffwdrules (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.25.0/24 0.0.0.0/0
ACCEPT all -- 192.168.5.0/24 0.0.0.0/0
ACCEPT all -- 192.168.20.0/24 0.0.0.0/0
Chain idrop (2 references)
target prot opt source destination
drop all -- 0.0.0.0/0 0.0.0.0/0
Chain iexternal (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.25.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.5.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.20.0/24 0.0.0.0/0 state NEW
Chain iglobal (1 references)
target prot opt source destination
ACCEPT all -- 192.168.25.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.5.0/24 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.20.0/24 0.0.0.0/0 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:8880 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8880 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:8464 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8464 state NEW
drop tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:390 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6895 state NEW
Chain odrop (2 references)
target prot opt source destination
drop all -- 0.0.0.0/0 0.0.0.0/0
Chain oglobal (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
Chain ointernal (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:67
ACCEPT udp -- 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 10.6.7.1 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 10.6.7.1 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.100.254 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 192.168.100.254 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 54.246.132.36 state NEW tcp dpt:1194
ACCEPT udp -- 0.0.0.0/0 176.34.137.90 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 176.34.153.83 state NEW tcp dpt:443
CityMZentyal iptables:
root@CityMZentyal:~# iptables -L -vt nat
Chain PREROUTING (policy ACCEPT 14267 packets, 1840K bytes)
pkts bytes target prot opt in out source destination
14267 1840K premodules all -- any any anywhere anywhere
Chain INPUT (policy ACCEPT 4598 packets, 667K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1594 packets, 103K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 5337 packets, 296K bytes)
pkts bytes target prot opt in out source destination
7414 421K postmodules all -- any any anywhere anywhere
Chain postmodules (1 references)
pkts bytes target prot opt in out source destination
2074 124K MASQUERADE all -- any eth0 192.168.24.0/24 anywhere
1 60 MASQUERADE all -- any eth0 192.168.26.0/24 anywhere
0 0 MASQUERADE all -- any eth0 192.168.25.0/24 anywhere
Chain premodules (1 references)
pkts bytes target prot opt in out source destination
>2074 124K MASQUERADE all -- any eth0 192.168.24.0/24 anywhere
>1 60 MASQUERADE all -- any eth0 192.168.26.0/24 anywhere
>0 0 MASQUERADE all -- any eth0 192.168.25.0/24 anywhere
Hmm... What is the purpose of these rules in your network? I cannot see why you use NAT here.
I haven't entered those rules manually.
I have configured Zentyal from the web GUI and those are the routes/rules created as a result.
What I can tell you though, is that those three networks are part of
the three openVPN instances I'm "playing" with.
192.168.25.0 is the openvpn network that connects the two LANs (CityM and CityL).
192.168.24.0 is the openvpn network I use as Road Warrior and it works perfectly
allowing access to both LANs (CityM and CityL) when I'm away from home.
192.168.26.0 is another openvpn instance I was playing with
(I can actually turn that off now).
nyshtyak, about those rules, in the zentyal openVPN configuration GUI there is an option "Network Address Translation"
with description "Enable it if this VPN server is not the default gateway".
Since my zentyal boxes are not the default gateways I ticked the checkbox.
Anyway, enabling/disabling that option makes no difference.
The CityL network still can't ping the CityM network apart from CityMRouter (192.168.20.1), which I find awkward.
I mean, if it can ping the router it should be able to ping any other host... weird...
Hi ^andrea^
I have a similar problem to yours; the difference is that I'm connecting two LANs, a) 193.10.10.0/24 and b) 193.10.20.0/24,
with STATIC ROUTES; there is a dedicated link (with a data provider) which carries data from A to B.
From side A to B, zero problems, I can see everything.
From side B to A, I can only see the router (193.10.10.6) and the Zentyal firewall server (193.10.10.3).
I've been looking for a solution and I found some links where there are similar issues to yours and mine; this can help us. I share them.
In summary, the problem is in the Zentyal firewall, since for some reason it does not FORWARD the packets correctly
between the main internal network and the subnets.
THIS LINK LOOKS LIKE A POSSIBLE SOLUTION BECAUSE THE GUY APPARENTLY USES VPN IN HIS MODEL.
Topic: [SOLVED] Firewall configuration with PPTPD - Can't ping from connected hosts.. (Read 1598 times) http://forum.zentyal.org/index.php?topic=5065.0