No ICMP reply on WAN

Hello,

I am using OpenWrt 22.03.0 on an x86/64 device.
I am connected to Internet on eth0 bridged in br-wan and I get a static IP (always the same) through DHCP from my ISP.
I then use a GRE tunnel for almost all the traffic from router and LAN to Internet, giving me another public IP.

All works very fine, and I can ping any (pingable) IP from LAN and router via the tunnel. And also from br-wan/eth0 on the router (in that case pinging from the ISP's route).

I can also ping my public IP address I get through the tunnel (GRE) from the outside, but I cannot ping the public IP address I get through the ISP (WAN). I do see the ICMP Requests hitting the router with tcpdump, but it does not answer to them.

root@outside-pinging-device:~# ping ISP-PUB-IP
PING ISP-PUB-IP (ISP-PUB-IP) 56(84) bytes of data.
^C
--- ISP-PUB-IP ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5116ms
root@router:/# tcpdump -i br-wan -qnn icmp and net ISP-PUB-IP/32
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-wan, link-type EN10MB (Ethernet), capture size 262144 bytes
12:14:35.470971 IP OUTSIDE-PINGING-DEV > ISP-PUB-IP: ICMP echo request, id 3, seq 1, length 64
12:14:36.491647 IP OUTSIDE-PINGING-DEV > ISP-PUB-IP: ICMP echo request, id 3, seq 2, length 64
12:14:37.514681 IP OUTSIDE-PINGING-DEV > ISP-PUB-IP: ICMP echo request, id 3, seq 3, length 64
12:14:38.539437 IP OUTSIDE-PINGING-DEV > ISP-PUB-IP: ICMP echo request, id 3, seq 4, length 64
12:14:40.587483 IP OUTSIDE-PINGING-DEV > ISP-PUB-IP: ICMP echo request, id 3, seq 6, length 64
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel

I do have the firewall rule to allow ICMP:

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

config interface 'wan'
	option proto 'dhcp'
	option device 'br-wan'

config device
	option type 'bridge'
	option name 'br-wan'
	list ports 'eth0'
	option macaddr 'MAC-FOR-ISP-DHCP'

Not that I need to be able to ping my ISP's public IP from outside, but I would like to understand why I cannot. Before I set the tunnel up, it worked.

Note: I can ping the IP from the LAN, so it seems really to be a firewall issue as the ICMP Requests hit the router (cf. tcpdump)…

A wild guess. The traffic from the internet to your public IP comes in freetext and the reply goes into the GRE tunnel.


@mattimat, seems you are on to something:

root@router:~# tcpdump -i gre4-tunnel -qnn  icmp and net OUTSIDE-PINGING-DEV/32
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre4-mw_tunnel, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
13:12:53.867407 IP ISP-PUB-IP > OUTSIDE-PINGING-DEV: ICMP echo reply, id 6, seq 2, length 64
13:12:54.891461 IP ISP-PUB-IP > OUTSIDE-PINGING-DEV: ICMP echo reply, id 6, seq 3, length 64

But the source IP is the ISP-PUB-IP, so why is it going through the tunnel?

Is this normal? Is there something wrong in my setup?
How can I fix that?

Thank you.

Impossible to tell without knowing your gre tunnel definitions.

Here you go :grinning:

config interface 'gre_tunnel'
	option proto 'gre'
	option peeraddr 'XX.XX.XX.XX'
	option mtu '1476'
	option ttl '12'
	option metric '0'

config interface 'gre_interco'
	option proto 'static'
	option ipaddr '10.XX.XX.XX'
	option netmask '255.255.255.252'
	list ip6addr 'XXXX:XXXX:XXXX::XXXX/126'
	option mtu '1476'
	option device '@gre_tunnel'

config interface 'gretun'
	option proto 'static'
	option ipaddr 'TUNNEL_PUBLIC_IP'
	option netmask '255.255.255.255'
	option ip6prefix 'PUBLIC_IPV6_PD/48'
	option mtu '1476'
	option device '@gre_tunnel'
	list ip6addr 'PUBLIC_IPV6/48'
	list ip6class 'gretun'
	option defaultroute '0'
	list dns '1.1.1.1'

config route
	option interface 'gretun'
	option target '0.0.0.0/0'
	option gateway '0.0.0.0'
	option mtu '1476'
	option source 'TUNNEL_PUBLIC_IP'

Thank you for your help!

Your default route is via the GRE tunnel, isn't it ... so that might answer why everything is going that way. My guess.


Yes, the default route is the tunnel. There is also a route via ISP WAN, but in the default table, not the main table (in case the tunnel is down). I can ping with option -S or -I from the router to ping using WAN (not tunnel).

Bottom line, is there a way / setting to have the OpenWrt router send the ICMP Reply using the same route the ICMP Request came from? I am surprised it is not natively working this way.


Policy-based routing, I think that's what you need.


I want to thank all of you here, @mattimat for identifying the underlying cause and @grrr2 for pointing in the right direction for a solution.

The solution was simple: add a rule to use the default routing table (where I route 0.0.0.0 through the ISP's, the tunnel being used for 0.0.0.0 in the main routing table) when the source address is the ISP's public IP.
AKA -> policy-based routing

Here are my rules, #1 being the new one I added to solve the problem.

root@router:~# ip rule
0:	from all lookup local
1:	from ISP-PUBLIC-IP lookup default
32766:	from all lookup main
32767:	from all lookup default
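As an added illustration of the fix above (this is example code, not anything posted in the thread or shipped by OpenWrt), the script below walks an `ip rule` listing the way the kernel does, shows which table a WAN-sourced reply would hit before and after the source-based rule, and prints the equivalent `/etc/config/network` section so the rule survives a reboot. The IP, table name and the two rule listings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread.  WAN_IP stands in for ISP-PUBLIC-IP;
# WAN_TABLE is the table that holds the 0.0.0.0/0 route via the ISP.
WAN_IP='203.0.113.10'
WAN_TABLE='default'

# Constructed `ip rule` listing before the fix: only the kernel's three default rules.
RULES_BEFORE='0: from all lookup local
32766: from all lookup main
32767: from all lookup default'

# Same listing after the thread's fix: a source-based rule at priority 1.
RULES_AFTER="0: from all lookup local
1: from ${WAN_IP} lookup ${WAN_TABLE}
32766: from all lookup main
32767: from all lookup default"

# Print the first table the kernel consults for a packet with source $2, given the
# `ip rule` text in $1.  The local table is skipped because it only matches
# destinations on the router itself, not the outside host that sent the ping.
first_table_for_source() {
    printf '%s\n' "$1" | awk -v src="$2" '
        $2 == "from" && $4 == "lookup" && $5 != "local" &&
        ($3 == "all" || $3 == src || $3 == src "/32") { print $5; exit }'
}

# Exit 0 when replies sourced from $2 are routed via table $3, 1 otherwise.
wan_replies_symmetric() {
    [ "$(first_table_for_source "$1" "$2")" = "$3" ]
}

# The netifd section equivalent to `ip rule add from $1 lookup $2 priority $3`.
uci_source_rule() {
    printf "config rule\n\toption src '%s/32'\n\toption lookup '%s'\n\toption priority '%s'\n" \
        "$1" "$2" "${3:-1}"
}

if wan_replies_symmetric "$RULES_BEFORE" "$WAN_IP" "$WAN_TABLE"; then
    echo "ok: replies from $WAN_IP already use table $WAN_TABLE"
else
    echo "asymmetric: replies from $WAN_IP use table $(first_table_for_source "$RULES_BEFORE" "$WAN_IP")"
    echo "add to /etc/config/network:"
    uci_source_rule "$WAN_IP" "$WAN_TABLE" 1
fi
```

On a live router, feed it the real output of `ip rule` instead of the constructed listings; the awk parser ignores the tab spacing in real output.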
