Cannot ping from router, but client ping OK


#1

Here is the firewall policy, /etc/firewall.user:

iptables -F
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.35.30/32 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.35.40/32 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.35.7/32 -j MASQUERADE
iptables --delete-chain forward
iptables --delete-chain forward_fule
iptables --delete-chain input
iptables --delete-chain input_rule
iptables --delete-chain output
iptables --delete-chain output_rule
iptables -A INPUT --src 127.0.0.1  -j ACCEPT
iptables -A INPUT --src 192.168.35.254 -j ACCEPT
### Eric
iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p ICMP --icmp-type 8 -s 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -p ICMP --icmp-type 11 -s 0.0.0.0/0 -j ACCEPT
### test for client access
iptables -P FORWARD ACCEPT
#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.35.0/24 -j MASQUERADE
###
iptables -A OUTPUT  -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT  -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53  -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128  -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A INPUT --src 192.168.35.0/255.255.255.0 -p tcp -m multiport -i br-lan  --destination-ports 22,23,53,80,3128 -j ACCEPT
iptables -A INPUT --src 192.168.35.0/255.255.255.0 -p tcp -m multiport -i br-lan  --source-ports 37 -m state --state ESTABLISHED  -j ACCEPT
iptables -A INPUT --src 192.168.35.0/255.255.255.0 -p icmp -m limit --limit 90/second -i br-lan -j ACCEPT
iptables -A INPUT --src 192.168.35.0/255.255.255.0 -p icmp -i br-lan -j ACCEPT
iptables -A INPUT --src 192.168.35.0/255.255.255.0 -p icmp -i br-lan -j ACCEPT

ipset destroy bo_nets
ipset destroy bo_gws
ipset destroy bo_gw_nets

ipset -N bo_nets hash:net
ipset -N bo_gws hash:ip
ipset -N bo_gw_nets hash:net
ipset -A bo_gw_nets 27.105.68.0/24
ipset -A bo_gw_nets 27.105.100.0/24
ipset -A bo_gw_nets 219.84.236.0/24
ipset -A bo_gw_nets 219.85.24.0/24
ipset -A bo_gw_nets 61.56.138.0/24
ipset -A bo_gw_nets 219.85.36.0/24
ipset -A bo_gw_nets 219.85.16.0/24
ipset -A bo_gw_nets 61.64.120.0/24

ipset -A bo_nets 192.168.70.0/24
ipset -A bo_nets 192.168.60.0/24
ipset -A bo_nets 192.168.22.0/24
ipset -A bo_nets 192.168.34.0/24
ipset -A bo_nets 192.168.20.0/24
ipset -A bo_nets 192.168.25.0/24
ipset -A bo_nets 192.168.40.0/24
ipset -A bo_nets 192.168.0.0/24
ipset -A bo_nets 192.168.1.0/24
ipset -A bo_nets 192.168.28.0/24
ipset -A bo_nets 192.168.23.0/24
ipset -A bo_nets 192.168.11.0/24
ipset -A bo_nets 192.168.111.0/24
ipset -A bo_nets 192.168.80.0/24
ipset -A bo_gws 61.56.138.74
ipset -A bo_gws 219.84.236.179
ipset -A bo_gws 219.84.236.178
ipset -A bo_gws 27.105.100.19
ipset -A bo_gws 219.85.16.196
ipset -A bo_gws 27.105.68.44
ipset -A bo_gws 219.85.36.45
ipset -A bo_gws 61.64.120.160
ipset -A bo_gws 219.84.236.121


iptables -A INPUT -m set --match-set bo_gws src  -i eth1 -p udp  --sport 500 --dport 500 -j ACCEPT
iptables -A INPUT -m set --match-set bo_gws src  -i eth1 -p 50 -j ACCEPT

iptables -A OUTPUT -p tcp --dport 3128  -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -m set  --match-set bo_nets src -i ipsec0 -p icmp -m limit --limit=90/second -j ACCEPT
iptables -A INPUT  -m set  --match-set bo_nets src  -i ipsec0 -p icmp -m limit --limit=90/second -j ACCEPT
iptables -A FORWARD -m set  --match-set bo_nets dst -i br-lan -p icmp -m limit --limit=90/second -j ACCEPT
iptables -A FORWARD -m set --match-set bo_gw_nets src -i ipsec0 -p icmp -m limit --limit=90/second -j ACCEPT
iptables -A FORWARD -m set --match-set bo_gw_nets dst -i br-lan  -p icmp -m limit --limit=90/second -j ACCEPT
iptables -A INPUT -m set  --match-set bo_nets src -p tcp -m multiport -i ipsec0  --destination-ports 22,80  -j ACCEPT
iptables -A FORWARD -m set  --match-set bo_nets src --dst 192.168.35.0/24  -p tcp -i ipsec0 -j ACCEPT
iptables -A FORWARD -m set  --match-set bo_nets src --dst 192.168.35.0/24  -p udp -i ipsec0 -j ACCEPT
iptables -A FORWARD --src 192.168.35.0/24  -m set  --match-set bo_nets dst  -p tcp -i br-lan   -j ACCEPT
iptables -A FORWARD  --src 192.168.35.0/24 -m set  --match-set bo_nets dst  -p udp -i br-lan   -j ACCEPT

That policy was configured 5 or 6 years ago, and nobody knows the logic now.
When I try to ping from the router to another machine in the VPN, it is always 100% packet loss:

root@OpenWrt:~# ping 192.168.11.34
PING 192.168.11.34 (192.168.11.34): 56 data bytes
^C
--- 192.168.11.34 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~# 

but I can ping from the router to the internet:

root@OpenWrt:~# ping 168.95.1.1
PING 168.95.1.1 (168.95.1.1): 56 data bytes
64 bytes from 168.95.1.1: seq=0 ttl=245 time=7.744 ms
64 bytes from 168.95.1.1: seq=1 ttl=245 time=7.968 ms
64 bytes from 168.95.1.1: seq=2 ttl=245 time=9.032 ms
64 bytes from 168.95.1.1: seq=3 ttl=245 time=10.188 ms
^C
--- 168.95.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 7.744/8.733/10.188 ms
root@OpenWrt:~# 

and another client in the same LAN as the router can ping the remote client:

 ping 192.168.11.34
PING 192.168.11.34 (192.168.11.34) 56(84) bytes of data.
64 bytes from 192.168.11.34: icmp_seq=1 ttl=60 time=14.1 ms
64 bytes from 192.168.11.34: icmp_seq=2 ttl=60 time=13.7 ms
64 bytes from 192.168.11.34: icmp_seq=3 ttl=60 time=13.6 ms
64 bytes from 192.168.11.34: icmp_seq=4 ttl=60 time=13.8 ms
^C
--- 192.168.11.34 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 13.664/13.841/14.105/0.186 ms
2019-03-13 16:10:22 [minion@jms007 ~]$

How should I change the policy so that the router can ping other machines via the VPN?


#2

What does /etc/config/firewall show?


#3

It seems you don't want to use OpenWrt native firewall rules.

ip a; ip r; ip ru; iptables-save

#4
root@OpenWrt:~# cat /etc/config/firewall 
config defaults
	option syn_flood	1
	option input	        REJECT	
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config include
	option path /etc/firewall.user
	
root@OpenWrt:~# 


#5

Whoa!

  • all the default configs are missing
  • your issue seems to be a general iptables question, unrelated to OpenWrt

#6

Yup, all firewall settings are stored in /etc/firewall.user.
My first thought was the same as what you said, it's an iptables question. But when I stop the firewall with /etc/init.d/firewall stop, the VPN tunnels stay up and iptables should no longer be in effect, right? Even then, I still cannot ping the remote machine from the router, while the client in the same LAN as the router can ping the remote machine. That sounds like it is not related to iptables??

So, if the firewall is disabled, what other configuration should I check to let the router connect to the remote?


#7

ip a; ip r;ip ru; iptables-save

root@OpenWrt:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-lan state UP qlen 1000
    link/ether 4c:e6:76:c4:e7:08 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 4c:e6:76:c4:e7:0a brd ff:ff:ff:ff:ff:ff
    inet 127.205.100.19/24 brd 127.205.100.255 scope global eth1
    inet6 fe80::4ee6:76ff:fec4:e70a/64 scope link 
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 4c:e6:76:c4:e7:08 brd ff:ff:ff:ff:ff:ff
    inet 192.168.28.254/24 brd 192.168.28.255 scope global br-lan
    inet6 fe80::4ee6:76ff:fec4:e708/64 scope link 
       valid_lft forever preferred_lft forever
7: ipsec0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 10
    link/ether 4c:e6:76:c4:e7:0a brd ff:ff:ff:ff:ff:ff
    inet 127.205.100.19/32 scope global ipsec0
    inet6 fe80::4ee6:76ff:fec4:e70a/128 scope link 
       valid_lft forever preferred_lft forever
8: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
    link/void 
root@OpenWrt:~# ip r
default via 127.205.100.254 dev eth1  proto static 
127.205.68.0/24 via 127.205.100.254 dev eth1  proto static 
127.205.100.0/24 dev eth1  proto kernel  scope link  src 127.205.100.19 
161.156.138.0/24 via 127.205.100.254 dev eth1  proto static 
161.164.120.0/24 via 127.205.100.254 dev eth1  proto static 
192.168.0.0/24 dev ipsec0  scope link 
192.168.1.0/24 dev ipsec0  scope link 
192.168.11.0/24 dev ipsec0  scope link 
192.168.20.0/24 dev ipsec0  scope link 
192.168.22.0/24 dev ipsec0  scope link 
192.168.23.0/24 dev ipsec0  scope link 
192.168.25.0/24 dev ipsec0  scope link 
192.168.28.0/24 dev br-lan  proto kernel  scope link  src 192.168.28.254 
192.168.34.0/24 dev ipsec0  scope link 
192.168.35.0/24 dev ipsec0  scope link 
192.168.40.0/24 dev ipsec0  scope link 
192.168.50.0/24 dev ipsec0  scope link 
192.168.60.0/24 dev ipsec0  scope link 
192.168.70.0/24 dev ipsec0  scope link 
192.168.80.0/24 dev ipsec0  scope link 
192.168.111.0/24 dev ipsec0  scope link 
119.184.220.0/24 via 127.205.100.254 dev eth1  proto static 
119.184.236.0/24 via 127.205.100.254 dev eth1  proto static 
119.185.16.0/24 via 127.205.100.254 dev eth1  proto static 
119.185.24.0/24 via 127.205.100.254 dev eth1  proto static 
119.185.36.0/24 via 127.205.100.254 dev eth1  proto static 
root@OpenWrt:~# ip ru
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
root@OpenWrt:~# iptables-save
# Generated by iptables-save v1.4.10 on Thu Mar 14 09:07:03 2019
*nat
:PREROUTING ACCEPT [1:40]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [95:6460]
:POSTROUTING ACCEPT [95:6460]
:postrouting_rule - [0:0]
:prerouting_rule - [0:0]
-A PREROUTING -j prerouting_rule 
-A POSTROUTING -j postrouting_rule 
-A POSTROUTING -s 192.168.28.30/32 -o eth1 -j MASQUERADE 
-A POSTROUTING -s 192.168.28.40/32 -o eth1 -j MASQUERADE 
-A POSTROUTING -s 192.168.28.7/32 -o eth1 -j MASQUERADE 
COMMIT
# Completed on Thu Mar 14 09:07:03 2019
# Generated by iptables-save v1.4.10 on Thu Mar 14 09:07:03 2019
*raw
:PREROUTING ACCEPT [409:34346]
:OUTPUT ACCEPT [353:41068]
COMMIT
# Completed on Thu Mar 14 09:07:03 2019
# Generated by iptables-save v1.4.10 on Thu Mar 14 09:07:03 2019
*mangle
:PREROUTING ACCEPT [833954:114032993]
:INPUT ACCEPT [675521:66109940]
:FORWARD ACCEPT [158237:47894124]
:OUTPUT ACCEPT [672475:72937754]
:POSTROUTING ACCEPT [830630:120820472]
COMMIT
# Completed on Thu Mar 14 09:07:03 2019
# Generated by iptables-save v1.4.10 on Thu Mar 14 09:07:03 2019
*filter
:INPUT DROP [1:40]
:FORWARD ACCEPT [14:728]
:OUTPUT ACCEPT [97:7500]
:forwarding_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
-A INPUT -s 127.0.0.1/32 -j ACCEPT 
-A INPUT -s 192.168.28.254/32 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A INPUT -s 192.168.28.0/24 -i br-lan -p tcp -m multiport --dports 22,23,80,443,3128 -j ACCEPT 
-A INPUT -s 192.168.28.0/24 -i br-lan -p tcp -m multiport --sports 37 -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -s 192.168.28.0/24 -i ipsec0 -p tcp -m multiport --dports 22,23,80,443,3128 -j ACCEPT 
-A INPUT -s 192.168.28.0/24 -i ipsec0 -p tcp -m multiport --sports 37 -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -s 192.168.28.0/24 -i br-lan -p icmp -m limit --limit 90/sec -j ACCEPT 
-A INPUT -s 192.168.28.0/24 -i br-lan -p icmp -j ACCEPT 
-A INPUT -s 192.168.28.0/24 -i br-lan -p icmp -j ACCEPT 
-A INPUT -i eth1 -p udp -m set --match-set bo_gws src -m udp --sport 500 --dport 500 -j ACCEPT 
-A INPUT -i eth1 -p esp -m set --match-set bo_gws src -j ACCEPT 
-A INPUT -i ipsec0 -p icmp -m set --match-set bo_nets src -m limit --limit 90/sec -j ACCEPT 
-A INPUT -i ipsec0 -p tcp -m set --match-set bo_nets src -m multiport --dports 22,53,80,443,3128,3142 -j ACCEPT 
-A FORWARD -i ipsec0 -p icmp -m set --match-set bo_nets src -m limit --limit 90/sec -j ACCEPT 
-A FORWARD -i br-lan -p icmp -m set --match-set bo_nets dst -m limit --limit 90/sec -j ACCEPT 
-A FORWARD -i ipsec0 -p icmp -m set --match-set bo_gw_nets src -m limit --limit 90/sec -j ACCEPT 
-A FORWARD -i br-lan -p icmp -m set --match-set bo_gw_nets dst -m limit --limit 90/sec -j ACCEPT 
-A FORWARD -d 192.168.28.0/24 -i ipsec0 -p tcp -m set --match-set bo_nets src -j ACCEPT 
-A FORWARD -d 192.168.28.0/24 -i ipsec0 -p udp -m set --match-set bo_nets src -j ACCEPT 
-A FORWARD -s 192.168.28.0/24 -i br-lan -p tcp -m set --match-set bo_nets dst -j ACCEPT 
-A FORWARD -s 192.168.28.0/24 -i br-lan -p udp -m set --match-set bo_nets dst -j ACCEPT 
-A FORWARD -s 192.168.28.0/24 -i ipsec0 -p tcp -m set --match-set bo_nets dst -j ACCEPT 
-A FORWARD -s 192.168.28.0/24 -i ipsec0 -p udp -m set --match-set bo_nets dst -j ACCEPT 
-A FORWARD -s 127.205.100.19/32 -i ipsec0 -p tcp -m set --match-set bo_nets dst -j ACCEPT 
-A FORWARD -s 127.205.100.19/32 -i ipsec0 -p udp -m set --match-set bo_nets dst -j ACCEPT 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
COMMIT
# Completed on Thu Mar 14 09:07:03 2019
root@OpenWrt:~#

#8

Honestly, I can hardly imagine how you maintain it; troubleshooting this rule set is not easy.
At first sight your router pings the remote LAN client using its own VPN address, and the remote LAN client either doesn't accept ICMP from it or doesn't have a correct route to send a reply.
Anyway, better check the ICMP traffic with tcpdump.


#9

Yeah, maintaining these routers really confuses me.
I can ping the remote using the router's IP address, but it fails when using a NIC interface:

root@OpenWrt:~# ping 192.168.11.34 -I 192.168.28.254 -c 4
PING 192.168.11.34 (192.168.11.34) from 192.168.28.254: 56 data bytes
64 bytes from 192.168.11.34: seq=0 ttl=61 time=18.092 ms
64 bytes from 192.168.11.34: seq=1 ttl=61 time=17.757 ms
64 bytes from 192.168.11.34: seq=2 ttl=61 time=17.442 ms
64 bytes from 192.168.11.34: seq=3 ttl=61 time=18.654 ms

--- 192.168.11.34 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 17.442/17.986/18.654 ms
root@OpenWrt:~# ping 192.168.11.34 -I eth0 -c 4
PING 192.168.11.34 (192.168.11.34): 56 data bytes

^C
--- 192.168.11.34 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~# ping 192.168.11.34 -I eth1 -c 4
PING 192.168.11.34 (192.168.11.34): 56 data bytes
^C
--- 192.168.11.34 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~# ping 192.168.11.34 -I br-lan -c 4
PING 192.168.11.34 (192.168.11.34): 56 data bytes
^C
--- 192.168.11.34 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~# ping 192.168.11.34 -I ipsec0 -c 4
PING 192.168.11.34 (192.168.11.34): 56 data bytes
^C
--- 192.168.11.34 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~# 

and tcpdump while running ping 192.168.11.34 -I 192.168.28.254:

root@OpenWrt:~# tcpdump -n -t -q  'icmp' -i ipsec0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 192.168.28.254 > 192.168.11.34: ICMP echo request, id 11496, seq 133, length 64
IP 192.168.11.34 > 192.168.28.254: ICMP echo reply, id 11496, seq 133, length 64
IP 192.168.28.254 > 192.168.11.34: ICMP echo request, id 11496, seq 134, length 64
IP 192.168.11.34 > 192.168.28.254: ICMP echo reply, id 11496, seq 134, length 64
IP 192.168.28.254 > 192.168.11.34: ICMP echo request, id 11496, seq 135, length 64
IP 192.168.11.34 > 192.168.28.254: ICMP echo reply, id 11496, seq 135, length 64
IP 192.168.28.254 > 192.168.11.34: ICMP echo request, id 11496, seq 136, length 64
IP 192.168.11.34 > 192.168.28.254: ICMP echo reply, id 11496, seq 136, length 64
IP 192.168.28.254 > 192.168.11.34: ICMP echo request, id 11496, seq 137, length 64
IP 192.168.11.34 > 192.168.28.254: ICMP echo reply, id 11496, seq 137, length 64
IP 192.168.28.254 > 192.168.11.34: ICMP echo request, id 11496, seq 138, length 64
IP 192.168.11.34 > 192.168.28.254: ICMP echo reply, id 11496, seq 138, length 64
IP 192.168.28.254 > 192.168.11.34: ICMP echo request, id 11496, seq 139, length 64
IP 192.168.11.34 > 192.168.28.254: ICMP echo reply, id 11496, seq 139, length 64
IP 192.168.28.254 > 192.168.11.34: ICMP echo request, id 11496, seq 140, length 64
IP 192.168.11.34 > 192.168.28.254: ICMP echo reply, id 11496, seq 140, length 64
IP 192.168.28.254 > 192.168.11.34: ICMP echo request, id 11496, seq 141, length 64
IP 192.168.11.34 > 192.168.28.254: ICMP echo reply, id 11496, seq 141, length 64
IP 192.168.28.254 > 192.168.11.34: ICMP echo request, id 11496, seq 142, length 64
IP 192.168.11.34 > 192.168.28.254: ICMP echo reply, id 11496, seq 142, length 64
IP 192.168.28.254 > 192.168.11.34: ICMP echo request, id 11496, seq 143, length 64
IP 192.168.11.34 > 192.168.28.254: ICMP echo reply, id 11496, seq 143, length 64
IP 192.168.28.254 > 192.168.11.34: ICMP echo request, id 11496, seq 144, length 64
IP 192.168.11.34 > 192.168.28.254: ICMP echo reply, id 11496, seq 144, length 64

and the tcpdump log when just running "ping 192.168.11.34":

root@OpenWrt:~# tcpdump -n -t -q  'icmp' -i ipsec0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 27.105.100.19 > 192.168.11.34: ICMP echo request, id 11510, seq 2, length 64
IP 27.105.100.19 > 192.168.11.34: ICMP echo request, id 11510, seq 3, length 64
IP 27.105.100.19 > 192.168.11.34: ICMP echo request, id 11510, seq 4, length 64
IP 27.105.100.19 > 192.168.11.34: ICMP echo request, id 11510, seq 5, length 64
IP 27.105.100.19 > 192.168.11.34: ICMP echo request, id 11510, seq 6, length 64
^C
5 packets captured
6 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~#

Any thoughts?


#10

Something is fishy here because:

  • 127.0.0.0/8 is reserved for loopback interface and shouldn't be used anywhere else.
  • tcpdump shows source IP-address which doesn't belong to any of the interfaces.

#11

The source IP is the same in tcpdump and the firewall rules; it's a typo in my post, sorry.
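The behaviour seen in posts #8 and #9 (a plain ping leaves with the WAN address 27.105.100.19 as source because ipsec0 carries that address, while `-I 192.168.28.254` gets replies) can be reproduced with a small model of Linux source-address selection. This is an added example, not code from the thread or from OpenWrt; the route lookup is simplified (longest prefix, then the route's `src` hint, else the first address on the outgoing device), and the remote site's "answer only 192.168.28.0/24" policy is an assumption constructed from the evidence in post #9.

```python
"""Simplified model of which source address a locally generated packet gets.

Added example, not part of the forum thread. Interface addresses and routes
are taken from post #7 (with the 127.205.x typo corrected to 27.105.x as
stated in post #11); the remote policy is a constructed assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: str                 # destination prefix, e.g. "192.168.11.0/24"
    dev: str                    # outgoing interface
    src: Optional[str] = None   # optional `src` hint as printed by `ip route`


# Addresses per interface as shown by `ip a`; ipsec0 reuses the WAN address.
ADDRS = {
    "br-lan": ["192.168.28.254"],
    "eth1": ["27.105.100.19"],
    "ipsec0": ["27.105.100.19"],
}

ROUTES = [
    Route("0.0.0.0/0", "eth1"),
    Route("192.168.28.0/24", "br-lan"),
    Route("192.168.11.0/24", "ipsec0"),
]


def lookup_route(dst: str, routes):
    """Longest-prefix match, as the kernel does for the main table."""
    d = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if d in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def pick_source(dst: str, routes=ROUTES, addrs=ADDRS, bind: Optional[str] = None):
    """Return (device, source). `bind` mimics `ping -I`: an interface name
    forces that interface's address, an IP address forces that source."""
    r = lookup_route(dst, routes)
    if r is None:
        raise ValueError("no route to host")
    if bind is None:
        return r.dev, (r.src or addrs[r.dev][0])
    if bind in addrs:
        return r.dev, addrs[bind][0]
    return r.dev, str(ipaddress.ip_address(bind))


def remote_accepts(src: str, allowed: str = "192.168.28.0/24") -> bool:
    """Assumed remote-site policy: only the router's LAN prefix is answered."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(allowed)


def ping_outcome(dst: str, bind: Optional[str] = None, routes=ROUTES):
    dev, src = pick_source(dst, routes, bind=bind)
    return {"dev": dev, "src": src, "replied": remote_accepts(src)}


# Candidate remedy: give the tunnel routes a `src` hint (the equivalent of
# `ip route replace 192.168.11.0/24 dev ipsec0 src 192.168.28.254`).
FIXED_ROUTES = [Route(r.prefix, r.dev, "192.168.28.254") if r.dev == "ipsec0" else r
                for r in ROUTES]

if __name__ == "__main__":
    for b in (None, "192.168.28.254", "ipsec0"):
        print(f"ping -I {b}:", ping_outcome("192.168.11.34", b))
    print("with src hint:", ping_outcome("192.168.11.34", routes=FIXED_ROUTES))
```

Run against the thread's addresses, the plain ping and `-I ipsec0` pick 27.105.100.19 and go unanswered, while `-I 192.168.28.254` or the `src` hint select the LAN address that the remote side replies to.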


#12

I suggest you modify the firewall based on OpenWrt, or you will have endless problems.


#13

I wish I could. But there are dozens of routers online, and I have no more leased lines to simulate another branch office joining the VPN. And most of the customized firewall rules work fine; only pinging from the router to the VPN client does not. So I want to solve this problem first. Then I will try to run my own customized OpenWrt as the VPN router.