[Solved] ICMP port unreachable

After reading some similar pages I have to ask.
ping google.com on the router (gl inet) works (ssh'ed), while on my laptop it returns Destination port unreachable.

Here's my /etc/config/firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'shadowsocks'
	option type 'script'
	option path '/var/etc/shadowsocks.include'
	option reload '1'

config rule 'glservice_rule'
	option name 'glservice'
	option dest_port '83'
	option proto 'tcp udp'
	option src 'wan'
	option target 'ACCEPT'
	option enabled '0'

and /etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '0000:0000:0000::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'gl'
	option ipaddr '192.168.8.1'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	option hostname 'gl'
	option metric '10'
	option peerdns '0'
	option custom_dns '1'
	option dns '8.8.8.8 8.8.4.4'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config interface 'wwan'
	option proto 'dhcp'
	option metric '20'
	option peerdns '0'
	option dns '8.8.8.8 8.8.4.4'

finally /etc/firewall.user:

iptables -I INPUT -p tcp --dport 22 -s 192.168.8.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 ! -s 192.168.8.0/24 -j DROP
ip6tables -I FORWARD -j DROP
ip6tables -I OUTPUT -j DROP

Any help appreciated. Thank you.

My first guess is that you are running a modern OS that got an IPv6 address from the query.

This should be a random prefix that is in the valid ULA space (fd00::/7)

https://simpledns.com/private-ipv6 will generate one for you.

My laptop has IPv6 disabled and ifconfig shows an IPv4 address.
It's actually a random one; I have deleted it, sorry for the confusion.
Thank you for your reply, still looking for help.

Are you connected upstream via:

  • WAN; or
  • WWAN

You are not permitting forwarding from LAN to WWAN.

How can I check? Sorry for the stupid question.

You are not permitting forwarding from LAN to WWAN.

Possibly, as I've read in https://superuser.com/questions/587067/destination-port-unreachable-when-pinging-computer-in-another-subnet

Disregard. I see that WWAN is added to the WAN firewall zone.

OS on the laptop?
Is there any firewall?
Have you tried as simple user or with admin/sudo rights?
Can you ping the router? Is everything else working properly?
Finally, was the message just Destination Host Unreachable or Reply From <IP address>: Destination Host Unreachable?

I have seen this behavior in the past, but I cannot recall what the issue was.

  • Ubuntu 18.04
  • Yes. I have allowed output to everything
  • On my laptop? Normal user, but ping should work regardless (suid?)
  • Yes, I'm connected to it through ssh. The router can ping google.com
  • ping google.com: Reply from console.gl-inet.com: destination port unreachable and ping 8.8.8.8: From 192.168.8.1 destination net unreachable

I meant whether the laptop can ping the router, in other words ping 192.168.8.1. Also whether you can browse the Internet, listen to music etc. from your laptop without issues.
Also post here the output of iptables -L -nv ; iptables -t nat -L -vn

Yes I can ping it.
Output of the first command:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *      !192.168.8.0/24       0.0.0.0/0            tcp dpt:22
  369 30308 ACCEPT     tcp  --  *      *       192.168.8.0/24       0.0.0.0/0            tcp dpt:22
  670 42733 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
46673 6167K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for input */
44250 5986K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
  547 32820 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
 2371  177K zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   52  4218 zone_wwan_input  all  --  wlan-sta *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1687  101K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
 1687  101K zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wwan_forward  all  --  wlan-sta *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 1687  101K reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  670 42733 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
48361 6299K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for output */
45222 6035K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
   22  5280 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 3117  259K zone_wwan_output  all  --  *      wlan-sta  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain MINIUPNPD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wwan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wwan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wwan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 1679  101K REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
   60  4826 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  547 32820 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   22  5280 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1687  101K forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
 1687  101K zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2371  177K input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
 2371  177K zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   22  5280 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for output */
   22  5280 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2371  177K ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wwan_dest_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      wlan-sta  0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
 3117  259K ACCEPT     all  --  *      wlan-sta  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wwan_dest_DROP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      wlan-sta  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wwan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MINIUPNPD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 forwarding_wwan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wwan_dest_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wwan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   52  4218 input_wwan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
   52  4218 zone_wwan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wwan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3117  259K output_wwan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for output */
 3117  259K zone_wwan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wwan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   52  4218 reject     all  --  wlan-sta *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

of the second:

Chain PREROUTING (policy ACCEPT 4822 packets, 390K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 4822  390K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */
 4508  336K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  314 54585 zone_wwan_prerouting  all  --  wlan-sta *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 2398 packets, 176K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3239 packets, 268K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1807 packets, 76959 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 4918  335K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */
 1690 69822 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 3111  258K zone_wwan_postrouting  all  --  *      wlan-sta  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain MINIUPNPD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain MINIUPNPD-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wwan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wwan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1690 69822 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 4508  336K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */

Chain zone_wwan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3111  258K MINIUPNPD-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 3111  258K postrouting_wwan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for postrouting */
 3111  258K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wwan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  314 54585 MINIUPNPD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  314 54585 prerouting_wwan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */

Your firewall is a mess.
I can see a zone wwan although you don't have any wwan zone, just the wan. But this should not be your problem. I am just comparing with the firewall config in the original post.
In chain zone_lan_forward you don't have the zone_wan_dest_ACCEPT target; there is only the one for lan. This is weird since you have the lan->wan forwarding rule.
So, it looks like you have done some modifications in the firewall config or in the iptables, or you have not restarted the firewall service.
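
The diagnosis above can be checked mechanically by walking the posted FORWARD chain for the laptop's packet. This is an added example, not part of the thread: a small tracer over an excerpt of the posted `iptables -L -nv` output. The function names and the `PING` packet description are assumptions, and it matches only protocol, in/out interface and ctstate.

```python
import re

# Filter-table excerpt from the listing posted above (fw3 comments and the
# empty user chains trimmed; counters as posted).
LISTING = """
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0  0.0.0.0/0  ctstate RELATED,ESTABLISHED
 1687  101K zone_lan_forward  all  --  br-lan *       0.0.0.0/0  0.0.0.0/0
    0     0 zone_wwan_forward  all  --  wlan-sta *       0.0.0.0/0  0.0.0.0/0
 1687  101K reject     all  --  *      *       0.0.0.0/0  0.0.0.0/0
Chain reject (2 references)
 1679  101K REJECT     tcp  --  *      *       0.0.0.0/0  0.0.0.0/0  reject-with tcp-reset
   60  4826 REJECT     all  --  *      *       0.0.0.0/0  0.0.0.0/0  reject-with icmp-port-unreachable
Chain zone_lan_dest_ACCEPT (2 references)
   22  5280 ACCEPT     all  --  *      br-lan  0.0.0.0/0  0.0.0.0/0
Chain zone_lan_forward (1 references)
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0  0.0.0.0/0  ctstate DNAT
 1687  101K zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0  0.0.0.0/0
Chain zone_wwan_dest_ACCEPT (1 references)
    0     0 DROP       all  --  *      wlan-sta  0.0.0.0/0  0.0.0.0/0  ctstate INVALID
 3117  259K ACCEPT     all  --  *      wlan-sta  0.0.0.0/0  0.0.0.0/0
"""

def parse(listing):
    chains, current = {}, None
    for line in listing.splitlines():
        f = line.split()
        if line.startswith("Chain "):
            current = chains.setdefault(f[1], [])
        elif len(f) >= 9 and f[0] != "pkts":   # skip blank and header lines
            current.append({"target": f[2], "proto": f[3], "in": f[5],
                            "out": f[6], "extra": " ".join(f[9:])})
    return chains

def matches(rule, pkt):
    state = re.search(r"ctstate (\S+)", rule["extra"])
    return (rule["proto"] in ("all", pkt["proto"])
            and rule["in"] in ("*", pkt["in"])
            and rule["out"] in ("*", pkt["out"])
            and (not state or pkt["ctstate"] in state.group(1).split(",")))

def trace(chains, chain, pkt, path=None):
    # Returns (verdict, reject type, chains leading to it), or None when the
    # packet falls through this chain back to its caller.
    path = (path or []) + [chain]
    for rule in (r for r in chains.get(chain, []) if matches(r, pkt)):
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            how = re.search(r"reject-with (\S+)", rule["extra"])
            return rule["target"], how.group(1) if how else "", path
        if rule["target"] == "RETURN":
            return None
        result = trace(chains, rule["target"], pkt, path)
        if result:
            return result
    return None

# Hypothetical description of the laptop's first echo request.
PING = {"proto": "icmp", "in": "br-lan", "out": "wlan-sta", "ctstate": "NEW"}

if __name__ == "__main__":
    print(trace(parse(LISTING), "FORWARD", PING))
```

The new echo request only finds an ACCEPT for `br-lan` as output interface inside `zone_lan_forward`, falls back to FORWARD and ends in `reject`, which is the "destination port unreachable" the laptop reports; a jump from `zone_lan_forward` to the existing `zone_wwan_dest_ACCEPT` chain would turn the verdict into ACCEPT.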

It was the default for my gl inet. I have flashed the openwrt firmware and it works great.

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).
