Hi guys, I'm sorry for asking such a stupid question, but I can't find an answer. I have OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530) on a TP-Link TL-WR1043N/ND v2 router and some hosts in my local network 172.16.66.0/24. One of the hosts (namely the one with IP address 172.16.66.64) I cannot ping from the router, while other hosts in the same local network can ping it normally. This host, like many others, acquires its IP via DHCP. I can ping all other hosts in my local network; only this one has some magic. At the same time, I can arping this host from the router. With tcpdump I can see that its ping replies come to the router, but then the router forwards them to a wrong interface for some unknown reason.
It looks like this:
root@roof-router:~# arping -I br-lan 172.16.66.64
ARPING to 172.16.66.64 from 172.16.66.1 via br-lan
Unicast reply from 172.16.66.64 [0:25:90:2a:5d:c8] 0.341ms
Unicast reply from 172.16.66.64 [0:25:90:2a:5d:c8] 0.241ms
Unicast reply from 172.16.66.64 [0:25:90:2a:5d:c8] 0.250ms
Unicast reply from 172.16.66.64 [0:25:90:2a:5d:c8] 0.248ms
Unicast reply from 172.16.66.64 [0:25:90:2a:5d:c8] 0.254ms
Unicast reply from 172.16.66.64 [0:25:90:2a:5d:c8] 0.247ms
^CSent 6 probe(s) (1 broadcast(s))
Received 6 reply (0 request(s), 0 broadcast(s))
root@roof-router:~# ping 172.16.66.64
PING 172.16.66.64 (172.16.66.64): 56 data bytes
^C
--- 172.16.66.64 ping statistics ---
122 packets transmitted, 0 packets received, 100% packet loss
From the other terminal at the same time:
root@roof-router:~# tcpdump -i br-lan -vv host 172.16.66.64 -n
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 65535 bytes
14:17:25.914918 IP (tos 0x0, ttl 64, id 17290, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.66.1 > 172.16.66.64: ICMP echo request, id 21518, seq 14, length 64
14:17:25.915187 IP (tos 0x0, ttl 64, id 64947, offset 0, flags [none], proto ICMP (1), length 84)
172.16.66.64 > 172.16.66.1: ICMP echo reply, id 21518, seq 14, length 64
14:17:26.915121 IP (tos 0x0, ttl 64, id 17291, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.66.1 > 172.16.66.64: ICMP echo request, id 21518, seq 15, length 64
14:17:26.915387 IP (tos 0x0, ttl 64, id 64948, offset 0, flags [none], proto ICMP (1), length 84)
172.16.66.64 > 172.16.66.1: ICMP echo reply, id 21518, seq 15, length 64
14:17:27.915347 IP (tos 0x0, ttl 64, id 17292, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.66.1 > 172.16.66.64: ICMP echo request, id 21518, seq 16, length 64
14:17:27.915616 IP (tos 0x0, ttl 64, id 64949, offset 0, flags [none], proto ICMP (1), length 84)
172.16.66.64 > 172.16.66.1: ICMP echo reply, id 21518, seq 16, length 64
14:17:28.915636 IP (tos 0x0, ttl 64, id 17293, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.66.1 > 172.16.66.64: ICMP echo request, id 21518, seq 17, length 64
14:17:28.915919 IP (tos 0x0, ttl 64, id 64950, offset 0, flags [none], proto ICMP (1), length 84)
172.16.66.64 > 172.16.66.1: ICMP echo reply, id 21518, seq 17, length 64
14:17:29.915833 IP (tos 0x0, ttl 64, id 17294, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.66.1 > 172.16.66.64: ICMP echo request, id 21518, seq 18, length 64
14:17:29.916090 IP (tos 0x0, ttl 64, id 64951, offset 0, flags [none], proto ICMP (1), length 84)
172.16.66.64 > 172.16.66.1: ICMP echo reply, id 21518, seq 18, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
root@roof-router:~# tcpdump -i eth0 -vv host 172.16.66.64 -n
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:17:42.918281 IP (tos 0x0, ttl 64, id 17307, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.66.1 > 172.16.66.64: ICMP echo request, id 21518, seq 31, length 64
14:17:42.918535 IP (tos 0x0, ttl 64, id 64964, offset 0, flags [none], proto ICMP (1), length 84)
172.16.66.64 > 172.16.66.1: ICMP echo reply, id 21518, seq 31, length 64
14:17:43.918477 IP (tos 0x0, ttl 64, id 17308, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.66.1 > 172.16.66.64: ICMP echo request, id 21518, seq 32, length 64
14:17:43.918727 IP (tos 0x0, ttl 64, id 64965, offset 0, flags [none], proto ICMP (1), length 84)
172.16.66.64 > 172.16.66.1: ICMP echo reply, id 21518, seq 32, length 64
14:17:44.918671 IP (tos 0x0, ttl 64, id 17309, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.66.1 > 172.16.66.64: ICMP echo request, id 21518, seq 33, length 64
14:17:44.918910 IP (tos 0x0, ttl 64, id 64966, offset 0, flags [none], proto ICMP (1), length 84)
172.16.66.64 > 172.16.66.1: ICMP echo reply, id 21518, seq 33, length 64
^C
6 packets captured
8 packets received by filter
0 packets dropped by kernel
Some configuration data:
root@roof-router:~# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 10.0.168.1/32 brd 255.255.255.255 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
link/ether e8:94:f6:29:07:a5 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether e8:94:f6:29:07:a4 brd ff:ff:ff:ff:ff:ff
inet6 fe80::ea94:f6ff:fe29:7a4/64 scope link
valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether e8:94:f6:29:07:a4 brd ff:ff:ff:ff:ff:ff
82: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether e8:94:f6:29:07:a5 brd ff:ff:ff:ff:ff:ff
inet 172.16.66.1/24 brd 172.16.66.255 scope global br-lan
valid_lft forever preferred_lft forever
inet 172.16.11.1/30 brd 172.16.11.3 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fe80::ea94:f6ff:fe29:7a5/64 scope link
valid_lft forever preferred_lft forever
83: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether e8:94:f6:29:07:a4 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.90/24 brd 192.168.1.255 scope global eth1.2
valid_lft forever preferred_lft forever
inet6 fe80::ea94:f6ff:fe29:7a4/64 scope link
valid_lft forever preferred_lft forever
84: eth1.3@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether e8:94:f6:29:07:a4 brd ff:ff:ff:ff:ff:ff
inet 192.168.31.15/24 brd 192.168.31.255 scope global eth1.3
valid_lft forever preferred_lft forever
inet6 fe80::ea94:f6ff:fe29:7a4/64 scope link
valid_lft forever preferred_lft forever
85: eth1.4@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether e8:94:f6:29:07:a4 brd ff:ff:ff:ff:ff:ff
inet6 fe80::ea94:f6ff:fe29:7a4/64 scope link
valid_lft forever preferred_lft forever
88: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/ether 4e:d4:c4:09:24:b4 brd ff:ff:ff:ff:ff:ff
inet 10.57.0.2/24 brd 10.57.0.255 scope global tap0
valid_lft forever preferred_lft forever
inet6 fe80::4cd4:c4ff:fe09:24b4/64 scope link
valid_lft forever preferred_lft forever
91: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.55.0.6/24 brd 10.55.0.255 scope global tun0
valid_lft forever preferred_lft forever
Routing table:
root@roof-router:~# ip route show table all
default via 192.168.31.1 dev eth1.3 proto static metric 65
10.30.0.0/24 via 10.55.0.1 dev tun0
10.45.0.0/24 via 10.55.0.1 dev tun0
10.55.0.0/24 dev tun0 proto kernel scope link src 10.55.0.6
10.57.0.0/24 dev tap0 proto kernel scope link src 10.57.0.2
172.16.11.0/30 dev br-lan proto kernel scope link src 172.16.11.1
172.16.44.0/24 via 10.55.0.1 dev tun0
172.16.55.0/24 via 10.55.0.1 dev tun0
172.16.56.0/24 via 10.55.0.1 dev tun0
172.16.66.0/24 dev br-lan proto kernel scope link src 172.16.66.1
192.168.1.0/24 dev eth1.2 proto static scope link metric 80
192.168.11.0/24 via 10.55.0.1 dev tun0
192.168.31.0/24 dev eth1.3 proto static scope link metric 65
192.168.51.0/24 via 10.55.0.1 dev tun0
local 10.0.168.1 dev lo table local proto kernel scope host src 10.0.168.1
broadcast 10.55.0.0 dev tun0 table local proto kernel scope link src 10.55.0.6
local 10.55.0.6 dev tun0 table local proto kernel scope host src 10.55.0.6
broadcast 10.55.0.255 dev tun0 table local proto kernel scope link src 10.55.0.6
broadcast 10.57.0.0 dev tap0 table local proto kernel scope link src 10.57.0.2
local 10.57.0.2 dev tap0 table local proto kernel scope host src 10.57.0.2
broadcast 10.57.0.255 dev tap0 table local proto kernel scope link src 10.57.0.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.16.11.0 dev br-lan table local proto kernel scope link src 172.16.11.1
local 172.16.11.1 dev br-lan table local proto kernel scope host src 172.16.11.1
broadcast 172.16.11.3 dev br-lan table local proto kernel scope link src 172.16.11.1
broadcast 172.16.66.0 dev br-lan table local proto kernel scope link src 172.16.66.1
local 172.16.66.1 dev br-lan table local proto kernel scope host src 172.16.66.1
broadcast 172.16.66.255 dev br-lan table local proto kernel scope link src 172.16.66.1
broadcast 192.168.1.0 dev eth1.2 table local proto kernel scope link src 192.168.1.90
local 192.168.1.90 dev eth1.2 table local proto kernel scope host src 192.168.1.90
broadcast 192.168.1.255 dev eth1.2 table local proto kernel scope link src 192.168.1.90
broadcast 192.168.31.0 dev eth1.3 table local proto kernel scope link src 192.168.31.15
local 192.168.31.15 dev eth1.3 table local proto kernel scope host src 192.168.31.15
broadcast 192.168.31.255 dev eth1.3 table local proto kernel scope link src 192.168.31.15
unreachable fd44:c7e9:d8f5::/48 dev lo proto static metric 2147483647 error -128
fe80::/64 dev eth1 proto kernel metric 256
fe80::/64 dev eth1.2 proto kernel metric 256
fe80::/64 dev eth1.3 proto kernel metric 256
fe80::/64 dev eth1.4 proto kernel metric 256
fe80::/64 dev br-lan proto kernel metric 256
fe80::/64 dev tap0 proto kernel metric 256
unreachable default dev lo table unspec proto kernel metric 4294967295 error -128
local ::1 dev lo table local proto none metric 0
local fe80:: dev lo table local proto none metric 0
local fe80:: dev lo table local proto none metric 0
local fe80:: dev lo table local proto none metric 0
local fe80:: dev lo table local proto none metric 0
local fe80:: dev lo table local proto none metric 0
local fe80:: dev lo table local proto none metric 0
local fe80::4cd4:c4ff:fe09:24b4 dev lo table local proto none metric 0
local fe80::ea94:f6ff:fe29:7a4 dev lo table local proto none metric 0
local fe80::ea94:f6ff:fe29:7a4 dev lo table local proto none metric 0
local fe80::ea94:f6ff:fe29:7a4 dev lo table local proto none metric 0
local fe80::ea94:f6ff:fe29:7a4 dev lo table local proto none metric 0
local fe80::ea94:f6ff:fe29:7a5 dev lo table local proto none metric 0
ff00::/8 dev eth1 table local metric 256
ff00::/8 dev eth1.2 table local metric 256
ff00::/8 dev eth1.3 table local metric 256
ff00::/8 dev eth1.4 table local metric 256
ff00::/8 dev br-lan table local metric 256
ff00::/8 dev tap0 table local metric 256
unreachable default dev lo table unspec proto kernel metric 4294967295 error -128
iptables:
root@roof-router:~# cat /etc/config/firewall
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option _name 'http outside'
option dest_port '80'
config rule
option target 'ACCEPT'
option _name 'ssh outside'
option src 'wan'
option proto 'tcp'
option dest_port '22'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option target 'ACCEPT'
option src 'wan'
option name 'Allow-Ping-Reply'
option family 'ipv4'
option proto 'icmp'
option dest '*'
config rule
option proto 'udp'
option dest_port '32100'
option name 'iLnkP2P'
option src 'lan'
option dest 'wan'
option target 'DROP'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp udp'
option dest_port '6689'
option name 'noxbit'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp udp'
option dest_port '6881-6900'
option name 'noxbit_peers'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp udp'
option dest_port '8621'
option name 'acestream'
config rule
option target 'ACCEPT'
option src 'lan'
option dest 'wan'
option name 'meizu-app-store'
option src_mac 'A4:44:D1:E8:65:89'
option dest_ip '172.217.169.174/32'
option enabled '0'
config rule
option target 'ACCEPT'
option src 'lan'
option dest 'wan'
option name 'meizu-account'
option src_mac 'A4:44:D1:E8:65:89'
option dest_ip '14.152.75.183/16'
option enabled '0'
config rule
option src 'lan'
option dest 'wan'
option name 'Meizu'
option src_mac 'A4:44:D1:E8:65:89'
option target 'REJECT'
option enabled '0'
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option syn_flood '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'SKY XIROST GTWR lan openwrt freeswitch'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'NNZZ wan wan1 wan2 wan3'
option input 'REJECT'
option forward 'REJECT'
config include
option path '/etc/firewall.user'
config forwarding
option dest 'wan'
option src 'lan'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option dest_ip '172.16.66.192'
option name 'iPerf 5002'
option dest_port '5002'
option src_dport '5002'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '6689'
option dest_ip '172.16.66.228'
option dest_port '6689'
option name 'noxbit'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '6881-6900'
option dest_ip '172.16.66.228'
option dest_port '6881-6900'
option name 'noxbit_peers'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '8621'
option dest_ip '172.16.66.228'
option dest_port '8621'
option name 'acestream'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '1222'
option dest_ip '172.16.66.9'
option dest_port '22'
option name 'freenas_ssh'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '1443'
option dest_ip '172.16.66.9'
option dest_port '443'
option name 'freenas_api'
The obvious question is: how do I make this host pingable from the router?
Thank you, Dmitry