My network is composed as follows:
- Host A with ip 9.x.x.x and vpn ip 192.15.206.x (openvpn client)
- Host B with ip 9.x.x.x and vpn ip 192.15.206.1 (openvpn server); this host has a bridge br0 with ip 192.168.206.1
- Host C with ip 192.168.206.2/192.168.206.255, which lives in the vnet0 of host B; the vnet0 is bridged with br0
I want to reach C from A.
This is what happens:
- From host B I can ping both A (with 9.x.x.x or 192.15.206.x) and C
- From host C I can ping both B and A (with 192.15.206.x)
- From host A I can ping B either with IP 192.15.206.1 or 192.168.206.1, but not C, which has IP 192.168.206.2
So the question is: why?
The route table (host B) is:
Destination Gateway Genmask Flags Metric Ref Use Iface
192.15.206.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
9.168.58.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.15.206.0 192.15.206.2 255.255.255.0 UG 0 0 0 tun0
192.168.206.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1004 0 0 br0
0.0.0.0 9.168.58.254 0.0.0.0 UG 0 0 0 eth0
the bridge configuration is:
bridge name bridge id STP enabled interfaces
br0 8000.005056a67d62 no eth1
vnet0
The command:
cat /proc/sys/net/ipv4/ip_forward
returns 1
With tcpdump -i tun0, if I run ping 192.168.206.1 on host A:
14:33:23.927126 IP 192.15.206.6 > 192.168.206.1: ICMP echo request, id 768, seq 513, length 40
14:33:23.927191 IP 192.168.206.1 > 192.15.206.6: ICMP echo reply, id 768, seq 513, length 40
the reply is sent back. But if I run ping 192.168.206.2 on host A, the reply is not sent back:
14:36:33.262959 IP 192.15.206.6 > 192.168.206.2: ICMP echo request, id 768, seq 1281, length 40
14:36:38.749631 IP 192.15.206.6 > 192.168.206.2: ICMP echo request, id 768, seq 1537, length 40
It seems the packets arrive from A to B on the tun0 device, but they are not forwarded to br0, which should then send the packet to vnet0, which connects the C host.
The problem is related to iptables: indeed, by stopping the iptables service I can ping C from A. I tried these rules without success:
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -o br0 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -o br0 -j ACCEPT
-A FORWARD -i vnet0 -j ACCEPT
-A FORWARD -o vnet0 -j ACCEPT
-A FORWARD -i vnet0 -j ACCEPT
-A FORWARD -o vnet0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
Any ideas ?
Best Answer
This can be
So check
iptables -L -nv
on B for forwarding and
ip route
on C.
Edit 1
The firewall on B can be configured to let those packets through by e.g.
Of course, you may use source and destination addresses instead (or in addition).
Edit 2
Like:
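The two things discussed above (a FORWARD policy on host B that lets VPN clients reach the bridged LAN, and checking why ACCEPT rules that were appended with -A had no effect) can be put together in one small script. This is an added example, not the rule from the answer and not the question author's configuration; the interface names tun0/br0 and the two subnets are taken from the question, while the chain listing it inspects is constructed here to resemble a default RHEL/CentOS FORWARD chain. Nothing is applied to the running firewall; the script only prints the commands and analyses the listing.

```shell
#!/bin/sh
# Added example for the forwarding problem discussed above; it is not code
# from the original question or answer. Interface names and subnets come
# from the question; the sample chain listing below is constructed.

TUN_IF=tun0                  # OpenVPN server device on host B
BR_IF=br0                    # bridge that holds vnet0 (host C)
VPN_NET=192.15.206.0/24      # OpenVPN client subnet
LAN_NET=192.168.206.0/24     # bridged subnet behind br0

# Print (do not apply) a minimal stateful forwarding policy for host B.
# The rules are inserted at the top of FORWARD (-I) so they sit in front of
# any terminating REJECT/DROP that a distribution default ruleset may end with.
forward_rules() {
    cat <<EOF
iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -i $TUN_IF -o $BR_IF -s $VPN_NET -d $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Read 'iptables -L FORWARD -nv --line-numbers' output on stdin and print the
# numbers of ACCEPT rules that come after the first REJECT/DROP. Such rules
# can never match: this is what happens when ACCEPTs are appended (-A) below
# an existing catch-all REJECT, and it explains zero packet counters on them.
shadowed_accepts() {
    awk '
        $1 ~ /^[0-9]+$/ {
            if (!cut && ($4 == "REJECT" || $4 == "DROP")) cut = $1;
            else if (cut && $4 == "ACCEPT") printf "%s%s", (n++ ? " " : ""), $1
        }
        END { print "" }
    '
}

# Constructed listing: a default-style FORWARD chain after
# '-A FORWARD -i br0 -j ACCEPT' and '-A FORWARD -o br0 -j ACCEPT' were appended.
SAMPLE_CHAIN='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2        2   168 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
3        0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  *      br0     0.0.0.0/0            0.0.0.0/0'

# Run the shadow check over the constructed listing; returns "3 4".
check_sample() {
    printf '%s\n' "$SAMPLE_CHAIN" | shadowed_accepts
}

echo "Rules to add on host B (review, then run as root):"
forward_rules
echo "ACCEPT rules shadowed by an earlier REJECT/DROP in the sample chain: $(check_sample)"
```

On a real host the check is run as `iptables -L FORWARD -nv --line-numbers | shadowed_accepts`; any numbers it prints are rules that need to move above the REJECT, which is why the generated commands use `-I` rather than `-A`. The first generated rule also covers the return direction (C to A), so no separate `-o tun0` rule is needed.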