Static route ping but no other connection

Hello,
My local network is 192.168.55.0/24.

I have a gateway with address 192.168.55.4 that works well. This gateway is connected to the 192.168.57.0/24 network via OpenVPN.

I have this static route configuration on my router (192.168.55.1):

config route 'static_route_8DA1D3A07BFB42763E16228F6A12450C'
        option netmask '255.255.255.0'
        option gateway '192.168.55.4'
        option interface 'lan'
        option metric '0'
        option target '192.168.57.0'

If I ping from a device connected to lan or wlan, I reach the hosts in the 192.168.57.0/24 network. But I can't connect with wget or ssh to the hosts.

If I change the gateway on my laptop and I set 192.168.55.4, I can ping and connect to all hosts in 192.168.57.0/24.

Are there some errors in my static route configuration?

Thank you.

The static route config is fine and the fact that you can see the ping replies proves it.
Can you post the output of:

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro ls tab all ; ip -4 ru

Hi,
the output is very long.

You can see it on this link: https://drive.google.com/file/d/1FI7QQ15MzgCFgqfRw5W1uzdTm9Oq6Mcq/view?usp=sharing
Thank you.

Delete the sensitive data from the output (usernames, passwords) and if the public IPs are not dynamic you may want to cover them.

I have removed all sensitive data.

Thank you.

I wasn't able to find any mistake. So your best bet is to identify where the packet is dropped.
Run a tcpdump and check that the packets come in and out.
tcpdump -i br-lan -vn tcp port 22 and host 192.168.55.X (replace X with the last octet of the address of the host originating the traffic).
If you see the packet twice then it means that it is dropped somewhere else.
If you see it only once it means it is dropped on the Edgerouter and you'll need to investigate further.

  1. Firewall logs: apply some logging in the forwarding_rule, zone_lan_forward and zone_lan_dest_ACCEPT to verify that it can reach these steps.
  2. Disable temporarily mwan, timeofday, and everything else that could alter routing or block the traffic, and test.

Out of curiosity, what is the purpose of public_lan with address 0.0.0.0/0?
  • Did you install a route on your laptop to reach 192.168.57.0/24 via 192.168.55.4?
  • I assume that's not the OpenWrt, so how would your laptop know to use 192.168.55.4 as any kind of gateway without a route?

Yes, with the route add command.

I suppose it is the OpenWrt router that routes the traffic for 192.168.57.x to 192.168.55.4.

Your two responses conflict with each other:

I asked you:

You said:

But then replied:

Please be clear. Did you add a route on the laptop?

I tried to add the route manually on my laptop and it works.
But I don't want to add the route on all my devices. I only did it to test.

I would like my router to route connections to 192.168.57.x automatically.

Thank you for the clarity; this should work, as it's how it should be set up.

OK, I already understand this. For the fastest solution, I would advise that you:

  • Move the VPN to the OpenWrt; or
  • Simply place the VPN device in another subnet/network

This ensures that all devices in the network use the router as their gateway, and that you don't introduce asymmetric routing.

Ok,
but I don't understand why in my configuration (without manually adding a route on my laptop) the ping works, but the ssh connection doesn't.
Instead, on my old Unix PC the ssh connection works too.

Thank you.

The old unix pc uses the Edgerouter as gateway and everything works fine?

I don't know. But also my old Android 9 phone can connect correctly, while Android 10 cannot.

Which gateway are the Androids using? 55.1 or 55.4?


The Androids are both using 55.1.

I tried to do a tcpdump.

On the router I have:

7:19:10.891838 IP (tos 0x0, ttl 64, id 20440, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.55.41.36856 > 192.168.57.4.2812: Flags [S], cksum 0x2f4e (correct), seq 4100681121, win 65535, options [mss 1460,sackOK,TS val 14231896 ecr 0,nop,wscale 8], length 0

and I don't see anything on the 55.4 gateway.

If on my laptop I use:

route ADD 192.168.57.0 MASK 255.255.255.0 192.168.55.4

On the router I don't see anything,
and on the 55.4 gateway I see:

17:43:53.982072 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.55.4.2812 > 192.168.55.41.62632: Flags [.], cksum 0xfb1b (correct), ack 613, win 238, length 0

Is it possible that the problem is the length of the packet?

Thank you.

I cannot tell from these two lines; moreover, I don't know what you were capturing.
On both routers you should run something like: tcpdump -i any -vn host 192.168.55.41 or host 192.168.57.4
Then for each direction you should see 2 captures, one for the ingress and one for the egress interface.

This is the output of tcpdump: tcpdump -i any -vn tcp port 2812 and host 192.168.55.41 or host 192.168.57.4

22:55:52.786432 IP (tos 0x0, ttl 128, id 8808, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.55.31.63722 > 192.168.57.4.2812: Flags [S], cksum 0x6029 (correct), seq 2602926965, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:55:52.786432 IP (tos 0x0, ttl 128, id 8808, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.55.31.63722 > 192.168.57.4.2812: Flags [S], cksum 0x6029 (correct), seq 2602926965, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:55:52.800346 IP (tos 0x0, ttl 127, id 8808, offset 0, flags [DF], proto TCP (6), length 52)
    XXX.XXX.XXX.XXX.63722 > 192.168.57.4.2812: Flags [S], cksum 0x95d0 (correct), seq 2602926965, win 64240, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
22:55:52.808908 IP (tos 0x0, ttl 128, id 8809, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.55.31.63723 > 192.168.57.4.2812: Flags [S], cksum 0x9375 (correct), seq 2311938432, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:55:52.808908 IP (tos 0x0, ttl 128, id 8809, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.55.31.63723 > 192.168.57.4.2812: Flags [S], cksum 0x9375 (correct), seq 2311938432, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:55:52.821838 IP (tos 0x0, ttl 127, id 8809, offset 0, flags [DF], proto TCP (6), length 52)
    XXX.XXX.XXX.XXX.63723 > 192.168.57.4.2812: Flags [S], cksum 0xc91c (correct), seq 2311938432, win 64240, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0

where XXX.XXX.XXX.XXX is my public ip.

It seems the packets go out of my network.

Thank you.

Nope, this is very wrong.
The first two lines are the same packet coming from host 55.31 and immediately being resent from 55.1 to the VPN gateway 55.4.
And the third line is a packet coming back from 55.4 with a public source IP trying to reach the private IP on the other side? This will never work. Check for SNATs on the 55.4 VPN gateway.