Great, check tcpdump again.
1 Like
Now it's all good! Thank you guys very much for your help!
I gotta dig deeper in the firewall conf.
$ ping -c4 10.124.128.51
PING 10.124.128.51 (10.124.128.51) 56(84) bytes of data.
64 bytes from 10.124.128.51: icmp_seq=1 ttl=126 time=25.4 ms
64 bytes from 10.124.128.51: icmp_seq=2 ttl=126 time=15.1 ms
64 bytes from 10.124.128.51: icmp_seq=3 ttl=126 time=11.8 ms
64 bytes from 10.124.128.51: icmp_seq=4 ttl=126 time=20.3 ms
--- 10.124.128.51 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 11.801/18.162/25.400/5.163 ms
# tcpdump -evni any icmp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:07:19.652629 In xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 2845, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.0.151 > 10.124.128.51: ICMP echo request, id 26934, seq 1, length 64
20:07:19.652831 Out ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 2845, offset 0, flags [DF], proto ICMP (1), length 84)
10.124.126.75 > 10.124.128.51: ICMP echo request, id 26934, seq 1, length 64
20:07:19.678400 In ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 127, id 29552, offset 0, flags [none], proto ICMP (1), length 84)
10.124.128.51 > 10.124.126.75: ICMP echo reply, id 26934, seq 1, length 64
20:07:19.678574 Out xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 126, id 29552, offset 0, flags [none], proto ICMP (1), length 84)
10.124.128.51 > 192.168.0.151: ICMP echo reply, id 26934, seq 1, length 64
20:07:20.653660 In xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 2933, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.0.151 > 10.124.128.51: ICMP echo request, id 26934, seq 2, length 64
20:07:20.653796 Out ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 2933, offset 0, flags [DF], proto ICMP (1), length 84)
10.124.126.75 > 10.124.128.51: ICMP echo request, id 26934, seq 2, length 64
20:07:20.672766 In ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 127, id 29553, offset 0, flags [none], proto ICMP (1), length 84)
10.124.128.51 > 10.124.126.75: ICMP echo reply, id 26934, seq 2, length 64
20:07:20.672891 Out xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 126, id 29553, offset 0, flags [none], proto ICMP (1), length 84)
10.124.128.51 > 192.168.0.151: ICMP echo reply, id 26934, seq 2, length 64
20:07:21.654042 In xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 3052, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.0.151 > 10.124.128.51: ICMP echo request, id 26934, seq 3, length 64
20:07:21.654147 Out ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 3052, offset 0, flags [DF], proto ICMP (1), length 84)
10.124.126.75 > 10.124.128.51: ICMP echo request, id 26934, seq 3, length 64
20:07:21.663392 Out xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 127, id 29554, offset 0, flags [none], proto ICMP (1), length 84, bad cksum b4c0 (->7c48)!)
10.124.128.51 > 192.168.0.151: ICMP echo reply, id 26934, seq 1, length 64
20:07:21.663511 Out xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 126, id 29554, offset 0, flags [none], proto ICMP (1), length 84)
10.124.128.51 > 192.168.0.151: ICMP echo reply, id 26934, seq 3, length 64
20:07:22.658910 In xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 3208, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.0.151 > 10.124.128.51: ICMP echo request, id 26934, seq 4, length 64
20:07:22.659029 Out ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 3208, offset 0, flags [DF], proto ICMP (1), length 84)
10.124.126.75 > 10.124.128.51: ICMP echo request, id 26934, seq 4, length 64
20:07:22.670291 In ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 127, id 29555, offset 0, flags [none], proto ICMP (1), length 84)
10.124.128.51 > 10.124.126.75: ICMP echo reply, id 26934, seq 4, length 64
20:07:22.670405 Out xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 126, id 29555, offset 0, flags [none], proto ICMP (1), length 84)
10.124.128.51 > 192.168.0.151: ICMP echo reply, id 26934, seq 4, length 64
^C
16 packets captured
17 packets received by filter
0 packets dropped by kernel
# iptables-save -c -t nat | grep MASQ
[63:3812] -A zone_DCVPN_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[65:5575] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
So the warning is totally fine, as long as the device can be found, right?
2 Likes
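An added example, not written by any poster in this thread: a small Python parser for `tcpdump -evni any icmp` output that pairs the In and Out copies of each forwarded packet by IP ID and reports which address the router rewrote, confirming that the MASQUERADE rule is applied on the way out and undone on the reply. The sample text is constructed from the seq 1 lines of the capture above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the seq 1 packets from the capture posted above.
CAPTURE = """\
20:07:19.652629 In xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 2845, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.151 > 10.124.128.51: ICMP echo request, id 26934, seq 1, length 64
20:07:19.652831 Out ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 2845, offset 0, flags [DF], proto ICMP (1), length 84)
    10.124.126.75 > 10.124.128.51: ICMP echo request, id 26934, seq 1, length 64
20:07:19.678400 In ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 127, id 29552, offset 0, flags [none], proto ICMP (1), length 84)
    10.124.128.51 > 10.124.126.75: ICMP echo reply, id 26934, seq 1, length 64
20:07:19.678574 Out xx:xx:xx:xx:xx:xx ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 126, id 29552, offset 0, flags [none], proto ICMP (1), length 84)
    10.124.128.51 > 192.168.0.151: ICMP echo reply, id 26934, seq 1, length 64
"""

HEADER = re.compile(r"^\S+\s+(In|Out)\s.*?\bid (\d+),.*proto ICMP")
FLOW = re.compile(r"^\s*(\S+) > (\S+): ICMP echo (request|reply),")

def parse(text):
    """Yield (direction, ip_id, kind, src, dst) for each ICMP echo packet."""
    pending = None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            pending = (h.group(1), int(h.group(2)))  # remember the header line
            continue
        f = FLOW.match(line)
        if f and pending:
            yield pending + (f.group(3), f.group(1), f.group(2))
        pending = None

def nat_rewrites(text):
    """Pair In/Out copies of a packet (same IP ID) and report address changes.

    Pairing on IP ID is a heuristic that suits a short capture like this one;
    IDs can repeat in long captures.
    """
    seen = defaultdict(dict)
    for direction, ip_id, kind, src, dst in parse(text):
        seen[(ip_id, kind)][direction] = (src, dst)
    rewrites = set()
    for (_, kind), copies in seen.items():
        if "In" in copies and "Out" in copies:
            (src_in, dst_in), (src_out, dst_out) = copies["In"], copies["Out"]
            if src_in != src_out:
                rewrites.add((kind, "src", src_in, src_out))
            if dst_in != dst_out:
                rewrites.add((kind, "dst", dst_in, dst_out))
    return rewrites

if __name__ == "__main__":
    for row in sorted(nat_rewrites(CAPTURE)):
        print(*row)
```

A request whose source is unchanged between In and Out would mean the packet left the tunnel interface without masquerading, which the remote side cannot route back.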
The warning is safe to ignore, although you can remove it:
uci -q delete firewall.@zone[3].network
uci commit firewall
/etc/init.d/firewall restart
2 Likes
Great, now it's all in order!
# uci -q delete firewall.@zone[3].network
# uci commit firewall
# /etc/init.d/firewall restart
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Zone 'DCVPN'
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'Allow-OpenVPN-Inbound'
* Rule 'Allow-OpenVPN-Inbound'
* Rule 'Allow-Wireguard-Inbound'
* Forward 'vpn' -> 'lan'
* Forward 'DCVPN' -> 'lan'
* Forward 'lan' -> 'DCVPN'
* Forward 'wan' -> 'DCVPN'
* Forward 'wan' -> 'lan'
* Forward 'wan' -> 'vpn'
* Forward 'DCVPN' -> 'wan'
* Forward 'lan' -> 'wan'
* Forward 'vpn' -> 'wan'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Zone 'DCVPN'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Zone 'DCVPN'
* Populating IPv6 filter table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Zone 'DCVPN'
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'Allow-OpenVPN-Inbound'
* Rule 'Allow-OpenVPN-Inbound'
* Rule 'Allow-Wireguard-Inbound'
* Forward 'vpn' -> 'lan'
* Forward 'DCVPN' -> 'lan'
* Forward 'lan' -> 'DCVPN'
* Forward 'wan' -> 'DCVPN'
* Forward 'wan' -> 'lan'
* Forward 'wan' -> 'vpn'
* Forward 'DCVPN' -> 'wan'
* Forward 'lan' -> 'wan'
* Forward 'vpn' -> 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Zone 'DCVPN'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
Thank you very much for your help and advice again!
1 Like