LinuxQuestions.org
Old 02-07-2014, 01:31 AM   #1
IICUX
LQ Newbie
 
Registered: Jun 2012
Posts: 11

Rep: Reputation: Disabled
Routing between network interfaces


I have a problem. I have two local networks and want to connect them using OpenVPN. One network's "server" is based on Debian; the other server is an Asus wl500gp-v2 router. The OpenVPN server is installed on the Debian machine, the client on the router. OpenVPN works perfectly and the connection is up. I can also connect to the network behind the Debian machine.

About the problem: I can't reach the machines behind the Asus router. So routing from tunnel -> local_network is not working.

My configuration:
Debian_local_network: 10.0.10.0/24
Openvpn network: 172.17.1.0/24
Router_local_network: 172.16.2.0/24

Debian_openvpn_ip: 172.17.1.1
Router_openvpn_ip: 172.17.1.2

I can ping the router interface 172.16.2.1, but not the machine 172.16.2.2.

iptables on router:
Code:
# Generated by iptables-save v1.3.8 on Fri Feb  7 09:29:48 2014
*nat
:PREROUTING ACCEPT [756:68596]
:POSTROUTING ACCEPT [1059:342712]
:OUTPUT ACCEPT [1115:357278]
:VSERVER - [0:0]
-A PREROUTING -d 92.49.213.248 -j VSERVER 
-A POSTROUTING -s ! 92.49.213.248 -o ppp0 -j MASQUERADE 
-A POSTROUTING -s 172.16.2.0/255.255.255.0 -d 172.16.2.0/255.255.255.0 -o br0 -j MASQUERADE 
-A VSERVER -p udp -m udp --dport 18432 -j DNAT --to-destination 192.168.1.153:18432 
-A VSERVER -p tcp -m tcp --dport 18432 -j DNAT --to-destination 192.168.1.153:18432 
-A VSERVER -p udp -m udp --dport 4500 -j DNAT --to-destination 192.168.1.153:4500 
-A VSERVER -p udp -m udp --dport 5353 -j DNAT --to-destination 192.168.1.153:5353 
-A VSERVER -p udp -m udp --dport 64694 -j DNAT --to-destination 172.16.2.2:64694 
-A VSERVER -p tcp -m tcp --dport 64694 -j DNAT --to-destination 172.16.2.2:64694 
-A VSERVER -p udp -m udp --dport 42387 -j DNAT --to-destination 172.16.2.178:42387 
-A VSERVER -p tcp -m tcp --dport 42387 -j DNAT --to-destination 172.16.2.178:42387 
-A VSERVER -p tcp -m tcp --dport 3389 -j DNAT --to-destination 172.16.2.2:3389 
COMMIT
# Completed on Fri Feb  7 09:29:48 2014
# Generated by iptables-save v1.3.8 on Fri Feb  7 09:29:48 2014
*mangle
:PREROUTING ACCEPT [16810:4490591]
:INPUT ACCEPT [16792:4489643]
:FORWARD ACCEPT [18:948]
:OUTPUT ACCEPT [15905:4394708]
:POSTROUTING ACCEPT [26496:8302698]
COMMIT
# Completed on Fri Feb  7 09:29:48 2014
# Generated by iptables-save v1.3.8 on Fri Feb  7 09:29:48 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15853:4381347]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i tun0 -m state --state NEW -j ACCEPT 
-A INPUT -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -m state --state NEW -j ACCEPT 
-A INPUT -i br0 -m state --state NEW -j ACCEPT 
-A INPUT -i ppp0 -m state --state NEW -j SECURITY 
-A INPUT -i vlan1 -m state --state NEW -j SECURITY 
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j BRUTE 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -p udp -m udp --dport 33434:33534 -j ACCEPT 
-A INPUT -j DROP 
-A FORWARD -i tun0 -o br0 -j ACCEPT 
-A FORWARD -i br0 -o tun0 -j ACCEPT 
-A FORWARD -i br0 -o br0 -j ACCEPT 
-A FORWARD -m state --state INVALID -j DROP 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i ! br0 -o ppp0 -j DROP 
-A FORWARD -i ! br0 -o vlan1 -j DROP 
-A FORWARD -i ! br0 -m state --state NEW -j SECURITY 
-A FORWARD -o br0 -p tcp -m tcp --sport 3389 --dport 3389 -j ACCEPT 
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT 
-A FORWARD -o br0 -j DROP 
-A BRUTE -m recent --update --seconds 600 --hitcount 3 --name BRUTE --rsource -j DROP 
-A BRUTE -m recent --set --name BRUTE --rsource -j ACCEPT 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN 
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN 
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN 
-A SECURITY -j DROP 
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options 
-A logaccept -j ACCEPT 
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options 
-A logdrop -j DROP 
COMMIT
# Completed on Fri Feb  7 09:29:48 2014
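An added example (not from the thread or its posters): a first-match walk over the router's FORWARD chain above, using a small parser that covers only the match options present in this dump. It assumes the conntrack state is supplied by hand and treats TCPMSS and the user chain SECURITY as non-terminal, so SECURITY's rate-limit drops are not modelled; the three sample flows are constructed.

```python
import ipaddress, shlex

# FORWARD chain of the router's iptables-save dump from post #1, in its original order.
FORWARD_RULES = """
-A FORWARD -i tun0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o tun0 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o ppp0 -j DROP
-A FORWARD -i ! br0 -o vlan1 -j DROP
-A FORWARD -i ! br0 -m state --state NEW -j SECURITY
-A FORWARD -o br0 -p tcp -m tcp --sport 3389 --dport 3389 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
""".strip().splitlines()
TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # targets that end the walk; TCPMSS/SECURITY do not (simplification)

def parse_rule(line):
    """One iptables-save line -> {option: value}, recording legacy '-i ! br0' negation."""
    toks, rule, i = shlex.split(line), {"negate": set()}, 0
    while i < len(toks):
        opt = toks[i].lstrip("-")
        if opt in ("A", "m"): i += 2                 # chain name / match module: no effect on matching
        elif opt == "clamp-mss-to-pmtu": i += 1      # bare flag without a value
        elif opt == "tcp-flags":                     # two values: mask set and comparison set
            rule[opt] = (set(toks[i+1].split(",")), set(toks[i+2].split(","))); i += 3
        elif toks[i+1] == "!": rule["negate"].add(opt); rule[opt] = toks[i+2]; i += 3
        else: rule[opt] = toks[i+1]; i += 2
    return rule

def matches(rule, pkt):
    """True if every match of the rule holds for pkt (a negated match must NOT hold)."""
    for opt, want in rule.items():
        if opt in ("negate", "j"): continue
        if opt in ("s", "d"): got = ipaddress.ip_address(pkt[opt]) in ipaddress.ip_network(want, strict=False)
        elif opt in ("sport", "dport"): got = pkt.get(opt) == int(want)
        elif opt in ("state", "ctstate"): got = pkt.get(opt) in want.split(",")
        elif opt == "tcp-flags": got = (pkt.get("flags", set()) & want[0]) == want[1]
        else: got = pkt.get(opt) == want             # -i, -o, -p: plain equality
        if got == (opt in rule["negate"]): return False
    return True

def verdict(rules, pkt, policy="ACCEPT"):
    """First-match walk of the chain; returns (verdict, rule text that decided it)."""
    for line in rules:
        rule = parse_rule(line)
        if matches(rule, pkt) and rule["j"] in TERMINAL: return rule["j"], line
    return policy, "chain policy"

# Constructed flows for the thread's addressing plan (the WAN source is a documentation address).
PING_OUT = dict(i="tun0", o="br0", s="10.0.10.2", d="172.16.2.2", p="icmp", state="NEW")
PING_BACK = dict(i="br0", o="tun0", s="172.16.2.2", d="10.0.10.2", p="icmp", state="ESTABLISHED")
WAN_PROBE = dict(i="ppp0", o="br0", s="198.51.100.7", d="172.16.2.2", p="tcp", dport=3389, state="NEW", flags={"SYN"})
```

Both VPN directions hit the first two rules and are accepted, while an unsolicited WAN-to-LAN SYN falls through to the final `-o br0 -j DROP`; so the filter table as loaded is not what silences hop 3 in the traceroute, and the next things to check are the end host and the nat table.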
 
Old 02-07-2014, 03:03 AM   #2
myatthu
Member
 
Registered: Jan 2014
Distribution: CentOS, Fedora, Ubuntu
Posts: 108

Rep: Reputation: 18
Did you enable ip_forward?

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i -e '/net.ipv4.ip_forward/ s/0/1/' /etc/sysctl.conf
 
Old 02-07-2014, 04:57 AM   #3
IICUX
LQ Newbie
 
Registered: Jun 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
I need other commands to enable routing, but yes, it's enabled. Routing from ppp0 to br0 works.
 
Old 02-07-2014, 05:00 AM   #4
myatthu
Member
 
Registered: Jan 2014
Distribution: CentOS, Fedora, Ubuntu
Posts: 108

Rep: Reputation: 18
You may need to route back from the server network.
Code:
route add -net 10.0.10.0/24 gw 172.16.2.1
 
Old 02-07-2014, 05:02 AM   #5
IICUX
LQ Newbie
 
Registered: Jun 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
And this is added too. It seems like something in iptables is blocking, like some firewall rules.
 
Old 02-07-2014, 05:06 AM   #6
myatthu
Member
 
Registered: Jan 2014
Distribution: CentOS, Fedora, Ubuntu
Posts: 108

Rep: Reputation: 18
Can you try to add this rule? Replace $_VPN_NET with your network.
Code:
-I FORWARD 1 --source '"$_VPN_NET"'/24 -j ACCEPT
 
Old 02-07-2014, 05:10 AM   #7
IICUX
LQ Newbie
 
Registered: Jun 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
Not working. Can't access.
 
Old 02-07-2014, 05:13 AM   #8
myatthu
Member
 
Registered: Jan 2014
Distribution: CentOS, Fedora, Ubuntu
Posts: 108

Rep: Reputation: 18
Can you tracepath? Another thing: are you running the Asus router in gateway mode or router mode?

Last edited by myatthu; 02-07-2014 at 05:15 AM.
 
Old 02-07-2014, 05:25 AM   #9
IICUX
LQ Newbie
 
Registered: Jun 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
From the Debian network to the router network:
Code:
traceroute to 172.16.2.2 (172.16.2.2), 64 hops max, 52 byte packets
 1  10.0.10.1 (10.0.10.1)  0.342 ms  0.149 ms  0.117 ms
 2  172.17.1.2 (172.17.1.2)  129.724 ms  121.094 ms  133.179 ms
 3  * * *
 4  * * *
 5  * * *
.............
From the router network to the Debian network:
Code:
traceroute to 10.0.10.2 (10.0.10.2), 30 hops max, 38 byte packets
 1  172.16.2.1 (172.16.2.1)  1.342 ms  1.150 ms  1.120 ms
 2  172.17.1.1 (172.17.1.1)  152.326 ms  128.610 ms  148.166 ms
 3  10.0.10.2 (10.0.10.2)  199.190 ms  149.686 ms  158.252 ms
The router is used in gateway mode (3G connection to the internet, OpenVPN runs from an init.d script).
 
Old 02-07-2014, 10:40 AM   #10
myatthu
Member
 
Registered: Jan 2014
Distribution: CentOS, Fedora, Ubuntu
Posts: 108

Rep: Reputation: 18
Let me confirm something: your VPN server is behind Debian (172.17.1.1). Your server network is 10.0.10.0/24. You can reach the private server 10.0.10.2 (based on the traceroute).
Can you access something like a web server at 10.0.10.2?

Last edited by myatthu; 02-07-2014 at 10:58 AM.
 
Old 02-07-2014, 10:58 AM   #11
IICUX
LQ Newbie
 
Registered: Jun 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
How can I show you these rules? The iptables in the first post are from this machine.
 
Old 02-07-2014, 05:25 PM   #12
myatthu
Member
 
Registered: Jan 2014
Distribution: CentOS, Fedora, Ubuntu
Posts: 108

Rep: Reputation: 18
At the router (172.16.2.1):
We added one forwarding rule. I would like to check the current rules.
Code:
iptables -vnL
Check the current routing table:
Code:
netstat -nr
At the client (172.16.2.2):
Try tcpdump while pinging continuously from 10.0.10.2:
Code:
tcpdump -vn -i <interface> icmp
Can you also share with me the OpenVPN server config and the router's client .ovpn file? Please omit sensitive data.

Last edited by myatthu; 02-07-2014 at 06:01 PM.
 
Old 02-08-2014, 01:55 AM   #13
IICUX
LQ Newbie
 
Registered: Jun 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
iptables -vnL
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   62  4028 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           state NEW 
  529 39012 ACCEPT     tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
    4   326 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
19285 2234K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW 
22226 7833K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW 
 2474  187K SECURITY   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 SECURITY   all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68 
   98  4540 BRUTE      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x17/0x02 
   25   900 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33534 
 2345  182K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 892 packets, 68531 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  217 16069 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.2.2          tcp dpt:64694 
   93  8225 ACCEPT     udp  --  *      *       0.0.0.0/0            172.16.2.2          udp dpt:64694 
    0     0 ACCEPT     all  --  *      *       10.10.10.0/24        0.0.0.0/0           
   17  1428 ACCEPT     all  --  *      *       172.17.1.0/24        0.0.0.0/0           
 6269  456K ACCEPT     all  --  tun0   br0     0.0.0.0/0            0.0.0.0/0           
 6735 6071K ACCEPT     all  --  br0    tun0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
 2873  147K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
 169K  102M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       all  --  !br0   ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  !br0   vlan1   0.0.0.0/0            0.0.0.0/0           
  765 38805 SECURITY   all  --  !br0   *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 ACCEPT     tcp  --  *      br0     0.0.0.0/0            0.0.0.0/0           tcp spt:3389 dpt:3389 
  765 38805 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate DNAT 
    0     0 DROP       all  --  *      br0     0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 43020 packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain BRUTE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   36  1808 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: UPDATE seconds: 600 hit_count: 3 name: BRUTE side: source 
   62  2732 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: BRUTE side: source 

Chain MACS (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain SECURITY (3 references)
 pkts bytes target     prot opt in     out     source               destination         
 2416  122K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 
  792  103K RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 
   25   900 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 
    6   360 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW LOG flags 7 level 4 prefix `ACCEPT ' 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW LOG flags 7 level 4 prefix `DROP ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
netstat -nr
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.25.6.2      0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
172.16.2.0      0.0.0.0         255.255.255.0   U         0 0          0 br0
10.0.10.0       172.17.1.1      255.255.255.0   UG        0 0          0 tun0
172.17.1.0      0.0.0.0         255.255.255.0   U         0 0          0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         172.25.6.2      0.0.0.0         UG        0 0          0 ppp0
I can't run tcpdump at this moment; the machine is more than 20 km from me. Also, when I added a port forwarding rule in the router's web interface, I could connect to that port on 172.16.2.2. So it seems the firewall rules are blocking incoming connections.
 
Old 02-08-2014, 04:42 AM   #14
myatthu
Member
 
Registered: Jan 2014
Distribution: CentOS, Fedora, Ubuntu
Posts: 108

Rep: Reputation: 18
Am I right to say that you port forward to port 64694? Since you can port forward 64694, if your 172.16.2.2 is a Linux box, you should port forward the SSH port too.

At the router:
Code:
iptables -t nat -vnL
Once you can access 172.16.2.2, let me have the iptables rules and routing table of that box.
Code:
iptables -vnL
netstat -nr

Last edited by myatthu; 02-08-2014 at 05:32 AM.
 
Old 02-08-2014, 06:25 AM   #15
IICUX
LQ Newbie
 
Registered: Jun 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
I forwarded port 3389.
Code:
    0     0 ACCEPT     tcp  --  *      br0     0.0.0.0/0            0.0.0.0/0           tcp spt:3389 dpt:3389
And then RDP started working.