OpenWrt Forum Archive

Topic: VPN forward to LAN Subnet?

The content of this topic has been archived on 28 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

VPN: OpenVPN
Router: GL-MT300A OpenWrt LuCI

How can I get to the subnet on my LAN port from my VPN without port forwarding?
From 172.28.240.10
TO: 172.29.240.154

Network setup:
ovpn: 172.28.240.0/20
ovpn AS: VPS Offsite

Workstation ovpn IP: 172.28.240.10

Router ovpn ip: 172.28.240.20
Router LAN IP: 172.29.240.1   Network range: 172.29.240.0/24
Laptop LAN IP: 172.29.240.154

Ping Router ovpn ip: 172.28.240.20 Response
Ping Router LAN IP: 172.29.240.1   Response
Laptop LAN IP: 172.29.240.154 NO Response; any other IP address NO Response

(Last edited by jsl17 on 15 Dec 2016, 01:04)

jsl17, as far as I've understood, your router is running an OpenVPN client. So you should add a route to the 29 network on your OpenVPN server. Also it is strange that the 29 LAN address of the router responds, whereas the rest of that network doesn't. Also check the iptables settings of the router running the client.

(Last edited by ulmwind on 15 Dec 2016, 08:18)

ulmwind wrote:

jsl17, as far as I've understood, your router is running an OpenVPN client. So you should add a route to the 29 network on your OpenVPN server. Also it is strange that the 29 LAN address of the router responds, whereas the rest of that network doesn't. Also check the iptables settings of the router running the client.

Thanks for the fast response.

On the AS I've set the ovpn client to "VPN gateway":
Configure VPN Gateway: Y
Allow client to act as VPN gateway
for these client-side subnets: 172.29.240.0/24

How can I check the iptables on OpenWrt LuCI?

(Last edited by jsl17 on 15 Dec 2016, 10:38)

jsl17, I don't understand your router configuration. Please bring the output of the

ifconfig

command from the router. Also provide the output of the

iptables -nvL

command. Check and filter private data before posting. You can check iptables in LuCI in a section like Network -> Firewall.

ifconfig

root@GL-MT300A:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr E4:95:6E:40:F4:FB
          inet addr:172.29.240.1  Bcast:172.29.240.255  Mask:255.255.255.0
          inet6 addr: fddf:245a:8140::1%8055528/60 Scope:Global
          inet6 addr: fe80::e695:6eff:fe40:f4fb%8055528/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22499 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19763 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2111875 (2.0 MiB)  TX bytes:3638419 (3.4 MiB)

eth0      Link encap:Ethernet  HWaddr E4:95:6E:40:F4:FB
          inet6 addr: fe80::e695:6eff:fe40:f4fb%8054632/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3327 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7959 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1187163 (1.1 MiB)  TX bytes:1635616 (1.5 MiB)
          Interrupt:5

eth0.1    Link encap:Ethernet  HWaddr E4:95:6E:40:F4:FB
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1176 errors:0 dropped:4 overruns:0 frame:0
          TX packets:5149 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:294329 (287.4 KiB)  TX bytes:768421 (750.4 KiB)

eth0.2    Link encap:Ethernet  HWaddr E4:95:6E:40:F4:FC
          inet addr:192.168.1.109  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::e695:6eff:fe40:f4fc%8055816/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2150 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2801 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:832908 (813.3 KiB)  TX bytes:831598 (812.1 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1%8053800/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:3553 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3553 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:241239 (235.5 KiB)  TX bytes:241239 (235.5 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.28.240.20  P-t-P:172.28.240.20  Mask:255.255.240.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1369 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1421 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:490633 (479.1 KiB)  TX bytes:359771 (351.3 KiB)

wlan0     Link encap:Ethernet  HWaddr E4:95:6E:40:F4:FB
          inet6 addr: fe80::e695:6eff:fe40:f4fb%8054344/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22363 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23192 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2208392 (2.1 MiB)  TX bytes:4051789 (3.8 MiB)

root@GL-MT300A:~#

iptables -nvL

root@GL-MT300A:~# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
 3069 1020K delegate_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
 3650 1207K delegate_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
 2874  762K delegate_output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MINIUPNPD (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 3650 1207K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
 3305 1154K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  345 53372 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_forward  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_VPN_client_forward  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
  117 12873 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain delegate_input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
 3069 1020K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
 2232  932K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    3   156 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
  829 86141 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    6  1644 zone_wan_input  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0
    2   143 zone_VPN_client_input  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0   
 2874  762K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
 2320  587K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  351  161K zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
    2   150 zone_wan_output  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0
  201 13652 zone_VPN_client_output  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0

Chain forwarding_VPN_client_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain input_VPN_client_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain output_VPN_client_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain reject (4 references)
 pkts bytes target     prot opt in     out     source               destination 
  101  5104 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
   22  9413 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    3   156 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   

Chain zone_VPN_client_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination 
  429 54151 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0   

Chain zone_VPN_client_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 reject     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0   

Chain zone_VPN_client_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 forwarding_VPN_client_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_VPN_client_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_VPN_client_input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    2   143 input_VPN_client_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    2   143 zone_VPN_client_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_VPN_client_output (1 references)
 pkts bytes target     prot opt in     out     source               destination 
  201 13652 output_VPN_client_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
  201 13652 zone_VPN_client_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_VPN_client_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    2   143 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0   

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination 
  351  161K ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0   

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 
  345 53372 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
  345 53372 zone_VPN_client_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> VPN_client */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
  117 12873 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
  829 86141 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
  829 86141 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination 
  351  161K output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
  351  161K zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
  829 86141 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0   

Chain zone_wan_dest_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    2   150 ACCEPT     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0   

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 reject     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0   

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 MINIUPNPD  all  --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* @rule[7] */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* @rule[8] */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    6  1644 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* Allow-IGMP */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:83 /* glservice */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:83 /* glservice */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    6  1644 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    2   150 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    2   150 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    6  1644 reject     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0   
root@GL-MT300A:~#

jsl17, thank you. Your router is running an OpenVPN server. Now the question is: who has IP 172.28.240.10, and who tried to ping the laptop LAN IP 172.29.240.154? Please also provide the output of

iptables -nvL -t nat

ulmwind wrote:

jsl17, thank you. Your router is running an OpenVPN server. Now the question is: who has IP 172.28.240.10, and who tried to ping the laptop LAN IP 172.29.240.154? Please also provide the output of

iptables -nvL -t nat

172.28.240.10 is my phone, and it tries to ping 172.29.240.154.
Be advised there is a port forward rule for another purpose.

root@GL-MT300A:~# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 3450 packets, 558K bytes)
 pkts bytes target     prot opt in     out     source               destination 
 3450  558K delegate_prerouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 783 packets, 58047 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 957 packets, 71583 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain POSTROUTING (policy ACCEPT 43 packets, 10227 bytes)
 pkts bytes target     prot opt in     out     source               destination 
 2383  199K delegate_postrouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MINIUPNPD (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain delegate_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 2383  199K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */
   31  9472 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0
 2340  188K zone_VPN_client_postrouting  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0

Chain delegate_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 3450  558K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */
 2328  192K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
 1122  366K zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_VPN_client_prerouting  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain postrouting_VPN_client_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain prerouting_VPN_client_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain zone_VPN_client_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 2340  188K postrouting_VPN_client_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */
 2340  188K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0  

Chain zone_VPN_client_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 prerouting_VPN_client_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1041 /* Systemmanager */ to:172.29.240.10:1041
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1041 /* Systemmanager */ to:172.29.240.10:1041

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination 
   31  9472 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 2328  192K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0  

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 1122  366K MINIUPNPD  all  --  *      *       0.0.0.0/0            0.0.0.0/0   
 1122  366K prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */
root@GL-MT300A:~#

jsl17, thank you. I can't understand how your phone with IP 172.28.240.10 is connected to your router with the settings you've provided. Where is LAN 172.28.240.0 located?

(Last edited by ulmwind on 17 Dec 2016, 12:24)

ulmwind wrote:

jsl17, thank you. I can't understand how your phone with IP 172.28.240.10 is connected to your router with the settings you've provided. Where is LAN 172.28.240.0 located?

The 28 network is the overall ovpn subnet; please see my diagram.

Https link drive.google.com/open?id=0B20DIZI72_A-dEFaTnI3eEhUZVk

Ensure you've pushed the proper routes to your OpenVPN clients.

Go to LuCI interface > Network > Firewall. Ensure that you've enabled forwarding between the LAN and VPN zones in both directions. You may also need to enable masquerading on the VPN zone.

Protip:
If you're testing with Windows clients, make sure you disable the Windows firewall first. Unless you've mucked about in the firewall rules to specifically change it, Windows will only respond to ICMP pings/traceroutes/etc. if it's connected to a "private" network AND the ping is originating from within the same subnet as the Windows client. Took me an embarrassingly long time to figure that one out.
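The zone forwarding check above can be done from a saved `iptables -nvL` dump instead of clicking through LuCI. The script below is an added example, not code from any poster; it assumes fw3's naming convention, in which a forwarding from zone A to zone B appears as a jump to `zone_B_dest_ACCEPT` inside chain `zone_A_forward`, and its sample dump is constructed from the zone forward chains posted earlier in this thread.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): given `iptables -nvL` output from an
# OpenWrt router using fw3, report which zone-to-zone forwardings are missing.
# Assumption (fw3 naming): a `config forwarding` from zone A to zone B shows up
# as a jump to zone_B_dest_ACCEPT inside chain zone_A_forward. Without that
# jump, traffic entering from zone A and leaving towards zone B falls through
# to the global reject at the end of delegate_forward.

# Constructed sample dump, trimmed to the zone forward chains and modelled on
# the router output posted in the thread (lan -> VPN_client is the only
# inter-zone forwarding present).
SAMPLE_DUMP='Chain zone_VPN_client_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_VPN_client_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_VPN_client_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
  345 53372 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
  345 53372 zone_VPN_client_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> VPN_client */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
  117 12873 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# List the zone names that own a zone_<name>_forward chain in the dump.
zones_in_dump() {
    printf '%s\n' "$1" | awk '/^Chain zone_.*_forward / {
        name = $2
        sub(/^zone_/, "", name); sub(/_forward$/, "", name)
        print name
    }'
}

# Print "yes" if zone_<src>_forward jumps to zone_<dst>_dest_ACCEPT, else "no".
# Fields of an iptables -nv rule line: pkts bytes target prot opt in out ...
zone_forward_allowed() {
    printf '%s\n' "$1" | awk -v chain="zone_${2}_forward" -v target="zone_${3}_dest_ACCEPT" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $3 == target { found = 1; exit }
        END { print (found ? "yes" : "no") }'
}

# Print one "src->dst" line for every ordered pair of distinct zones whose
# forwarding is missing. Exit status 0 when nothing is missing, 1 otherwise.
missing_forwardings() {
    dump=$1
    zones=$(zones_in_dump "$dump")
    count=0
    for src in $zones; do
        for dst in $zones; do
            [ "$src" = "$dst" ] && continue
            if [ "$(zone_forward_allowed "$dump" "$src" "$dst")" = no ]; then
                echo "$src->$dst"
                count=$((count + 1))
            fi
        done
    done
    [ "$count" -eq 0 ]
}

# Stand-alone run against the constructed sample. VPN_client->lan is reported
# missing, which matches the symptom in the thread: a VPN peer reaches the
# router itself (INPUT path, accepted by zone_VPN_client_src_ACCEPT) but not
# hosts behind br-lan (FORWARD path).
missing_forwardings "$SAMPLE_DUMP" | while IFS= read -r pair; do
    echo "missing forwarding: ${pair%->*} -> ${pair#*->}"
done
```

Only the pairs an administrator actually wants open need fixing; wan->lan being reported missing is the expected default. On a real router, feed it `iptables -nvL` output in place of `SAMPLE_DUMP` and add the wanted forwarding under LuCI's Network -> Firewall as the post above describes.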

jsl17, got it finally. It is very strange that from location B you can ping IP 172.29.240.1 but can't ping IP 172.29.240.254 in the same subnet. Is that correct? Try to ping IP 172.29.240.254 from router 172.29.240.1 directly.

(Last edited by ulmwind on 17 Dec 2016, 22:23)

ulmwind wrote:

jsl17, got it finally. It is very strange that from location B you can ping IP 172.29.240.1 but can't ping IP 172.29.240.254 in the same subnet. Is that correct? Try to ping IP 172.29.240.254 from router 172.29.240.1 directly.

It's 172.29.240.154.

Here are my ping results:
https link drive.google.com/file/d/0B20DIZI72_A-Qk5yLWcybG85SVE/view?usp=sharing

(Last edited by jsl17 on 18 Dec 2016, 11:44)

ExaltedVanguard wrote:

Ensure you've pushed the proper routes to your OpenVPN clients.

Go to LuCI interface > Network > Firewall. Ensure that you've enabled forwarding between the LAN and VPN zones in both directions. You may also need to enable masquerading on the VPN zone.

Protip:
If you're testing with Windows clients, make sure you disable the Windows firewall first. Unless you've mucked about in the firewall rules to specifically change it, Windows will only respond to ICMP pings/traceroutes/etc. if it's connected to a "private" network AND the ping is originating from within the same subnet as the Windows client. Took me an embarrassingly long time to figure that one out.

Hi ExaltedVanguard,

Here's a screenshot of my firewall. The firewall on the Windows clients is off.

http link drive.google.com/file/d/0B20DIZI72_A-eDc0VXFoTGdlUU0/view?usp=sharing

jsl17, you've provided the result for a ping FROM Device A. I asked for the result of a ping FROM 172.29.240.1.

ulmwind wrote:

jsl17, you've provided the result for a ping FROM Device A. I asked for the result of a ping FROM 172.29.240.1.

Sorry,
Ping from 172.29.240.1 (router) to 172.29.240.154:

PING 172.29.240.154 (172.29.240.154): 56 data bytes
64 bytes from 172.29.240.154: seq=0 ttl=128 time=0.900 ms
64 bytes from 172.29.240.154: seq=1 ttl=128 time=0.680 ms
64 bytes from 172.29.240.154: seq=2 ttl=128 time=0.660 ms
64 bytes from 172.29.240.154: seq=3 ttl=128 time=0.600 ms
64 bytes from 172.29.240.154: seq=4 ttl=128 time=0.620 ms

--- 172.29.240.166 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.600/0.692/0.900 ms

(Last edited by jsl17 on 18 Dec 2016, 14:09)

jsl17, the result is very strange; the ping time is too great for a direct connection to the router.
Now please reproduce your previous result: ping 172.29.240.1 and 172.29.240.154 FROM Location B. Also tracert the same IPs from the same location.

(Last edited by ulmwind on 18 Dec 2016, 14:49)

ulmwind wrote:

jsl17, the result is very strange; the ping time is too great for a direct connection to the router.
Now please reproduce your previous result: ping 172.29.240.1 and 172.29.240.154 FROM Location B. Also tracert the same IPs from the same location.

Location B 172.28.240.10
traceroute to 172.29.240.154 (172.29.240.154) , 5 relative hops max, 52 byte packets
   1 172.27.232.1 (172.27.232.1) 90.026 ms 112.281 ms 117.892 ms "OVPN Access Server on VPS"
   2 172.28.240.20 (172.28.240.20) 93.763 ms 99.444 ms 105.478 ms "Router VPN IP"
   3 172.28.240.20 (172.28.240.20) 87.108 ms 99.008 ms 109.025 ms

traceroute to 172.29.240.1 (172.29.240.1) , 5 relative hops max, 52 byte packets
   1 172.27.232.1 (172.27.232.1) 1309.572 ms 1339.628 ms 1449.248 ms "OVPN Access Server on VPS"
   2 172.29.240.1 (172.29.240.1) 794.564 ms 799.483 ms 803.321 ms "Router LAN-port IP"

Location C
Router
172.28.240.20 VPN IP
172.29.240.1 LAN IP
PING 172.29.240.154 (172.29.240.154): 56 data bytes
64 bytes from 172.29.240.154: seq=0 ttl=128 time=0.900 ms
64 bytes from 172.29.240.154: seq=1 ttl=128 time=0.680 ms
64 bytes from 172.29.240.154: seq=2 ttl=128 time=0.660 ms
64 bytes from 172.29.240.154: seq=3 ttl=128 time=0.600 ms
64 bytes from 172.29.240.154: seq=4 ttl=128 time=0.620 ms

--- 172.29.240.154 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.600/0.692/0.900 ms

traceroute to 172.29.240.154 (172.29.240.154), 30 hops max, 38 byte packets
1  172.29.240.154  0.680 ms

Maybe a high ping, but the cable is only 30 cm.
Firewall settings:
https link drive.google.com/file/d/0B20DIZI72_A-eDc0VXFoTGdlUU0/view?usp=sharing

(Last edited by jsl17 on 18 Dec 2016, 16:14)

jsl17, what is the network 172.27.232.1? I can't see it either on the diagram or in the thread.

ulmwind wrote:

jsl17, what is the network 172.27.232.1? I can't see it either on the diagram or in the thread.

172.27.232.1 OpenVpn Access Server

The 27 subnet is the DHCP IP pool.
The 28 subnet is the static IP pool.

jsl17, bring the routing table of the OpenVpn Access Server.

ulmwind wrote:

jsl17, bring the routing table of the OpenVpn Access Server.

iptables:

  • ovpn AS

  • ovpn client vpn-gateway

ovpn AS 172.27.232.1

:~# sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_ACCEPT  all  --  anywhere             anywhere
AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_ACCEPT  tcp  --  anywhere             *********************.net  state NEW tcp dpt:915
AS0_ACCEPT  tcp  --  anywhere             *********************.net  state NEW tcp dpt:914
AS0_ACCEPT  udp  --  anywhere             *********************.net  state NEW udp dpt:917
AS0_ACCEPT  udp  --  anywhere             *********************.net  state NEW udp dpt:916
AS0_WEBACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_WEBACCEPT  tcp  --  anywhere             *********************.net  state NEW tcp dpt:943
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_OUT_S2C  all  --  anywhere             anywhere
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
AS0_OUT_LOCAL  all  --  anywhere             anywhere
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere

Chain AS0_ACCEPT (7 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain AS0_IN (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             172.27.224.1
AS0_U_GOWS0153_IN  all  --  172.28.240.30        anywhere
AS0_U_IPHONE_IN  all  --  172.28.240.10        anywhere
AS0_IN_POST  all  --  anywhere             anywhere

Chain AS0_IN_NAT (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x8000000
ACCEPT     all  --  anywhere             anywhere

Chain AS0_IN_POST (3 references)
target     prot opt source               destination
AS0_OUT    all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain AS0_IN_PRE (2 references)
target     prot opt source               destination
AS0_IN     all  --  anywhere             link-local/16
AS0_IN     all  --  anywhere             192.168.0.0/16
AS0_IN     all  --  anywhere             172.16.0.0/12
AS0_IN     all  --  anywhere             10.0.0.0/8
ACCEPT     all  --  anywhere             anywhere

Chain AS0_IN_ROUTE (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x4000000
ACCEPT     all  --  anywhere             anywhere

Chain AS0_OUT (2 references)
target     prot opt source               destination
AS0_U_GOWS0153_OUT  all  --  anywhere             172.28.240.30
AS0_U_MINIROUT_OUT  all  --  anywhere             172.28.240.20
AS0_U_MINIROUT_OUT  all  --  anywhere             172.29.240.0/24
AS0_U_IPHONE_OUT  all  --  anywhere             172.28.240.10
AS0_OUT_POST  all  --  anywhere             anywhere

Chain AS0_OUT_LOCAL (1 references)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere             icmp redirect
ACCEPT     all  --  anywhere             anywhere

Chain AS0_OUT_POST (4 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain AS0_OUT_S2C (1 references)
target     prot opt source               destination
AS0_OUT    all  --  anywhere             anywhere

Chain AS0_U_GOWS0153_IN (1 references)
target     prot opt source               destination
AS0_IN_NAT  all  --  anywhere             172.28.240.10
AS0_IN_POST  all  --  anywhere             anywhere

Chain AS0_U_GOWS0153_OUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  172.29.240.0/24      anywhere
ACCEPT     all  --  172.27.224.0/20      anywhere
ACCEPT     all  --  172.28.240.0/20      anywhere
AS0_OUT_POST  all  --  anywhere             anywhere

Chain AS0_U_IPHONE_IN (1 references)
target     prot opt source               destination
AS0_IN_ROUTE  all  --  anywhere             172.29.240.0/24
AS0_IN_POST  all  --  anywhere             anywhere

Chain AS0_U_IPHONE_OUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  172.29.240.0/24      anywhere
ACCEPT     all  --  172.27.224.0/20      anywhere
ACCEPT     all  --  172.28.240.0/20      anywhere
AS0_OUT_POST  all  --  anywhere             anywhere

Chain AS0_U_MINIROUT_OUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  172.29.240.0/24      anywhere
ACCEPT     all  --  172.27.224.0/20      anywhere
ACCEPT     all  --  172.28.240.0/20      anywhere
AS0_OUT_POST  all  --  anywhere             anywhere

Chain AS0_WEBACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-track-forward (1 references)
target     prot opt source               destination

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination

And the iptables output of the VPN gateway 172.29.240.1:

   ______  _____          ____    ____  _________  ______     ____      ____
 .' ___  ||_   _|        |_   \  /   _||  _   _  |/ ____ `. .'    '.  .'    '.
/ .'   \_|  | |     ______ |   \/   |  |_/ | | \_|`'  __) ||  .--.  ||  .--.  |
| |   ____  | |   _|______|| |\  /| |      | |    _  |__ '.| |    | || |    | |
\ `.___]  |_| |__/ |      _| |_\/_| |_    _| |_  | \____) ||  `--'  ||  `--'  |
 `._____.'|________|     |_____||_____|  |_____|  \______.' '.____.'  '.____.'
                   O P E N W R T     W I R E L E S S    F R E E D O M                                                                
root@GL-MT300A:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
delegate_input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
delegate_forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
delegate_output  all  --  anywhere             anywhere

Chain MINIUPNPD (1 references)
target     prot opt source               destination

Chain delegate_forward (1 references)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_forward  all  --  anywhere             anywhere
zone_wan_forward  all  --  anywhere             anywhere
zone_VPN_client_forward  all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain delegate_input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
input_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input  all  --  anywhere             anywhere
zone_wan_input  all  --  anywhere             anywhere
zone_VPN_client_input  all  --  anywhere             anywhere

Chain delegate_output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
output_rule  all  --  anywhere             anywhere             /* user chain for output */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_output  all  --  anywhere             anywhere
zone_wan_output  all  --  anywhere             anywhere
zone_VPN_client_output  all  --  anywhere             anywhere

Chain forwarding_VPN_client_rule (1 references)
target     prot opt source               destination

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_VPN_client_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_VPN_client_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (4 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere

Chain zone_VPN_client_dest_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_VPN_client_dest_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere

Chain zone_VPN_client_forward (1 references)
target     prot opt source               destination
forwarding_VPN_client_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_VPN_client_dest_REJECT  all  --  anywhere             anywhere

Chain zone_VPN_client_input (1 references)
target     prot opt source               destination
input_VPN_client_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_VPN_client_src_ACCEPT  all  --  anywhere             anywhere

Chain zone_VPN_client_output (1 references)
target     prot opt source               destination
output_VPN_client_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_VPN_client_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_VPN_client_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
zone_VPN_client_dest_ACCEPT  all  --  anywhere             anywhere             /* forwarding lan -> VPN_client */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_wan_dest_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere

Chain zone_wan_forward (1 references)
target     prot opt source               destination
MINIUPNPD  all  --  anywhere             anywhere
forwarding_wan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* @rule[7] */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* @rule[8] */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere

Chain zone_wan_input (1 references)
target     prot opt source               destination
input_wan_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* Allow-IGMP */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:83 /* glservice */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:83 /* glservice */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere

Chain zone_wan_output (1 references)
target     prot opt source               destination
output_wan_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere
root@GL-MT300A:~#

(Last edited by jsl17 on 18 Dec 2016, 18:20)

jsl17, routing table, not firewall - iptables. Something like

ip rule list
route -n

ulmwind wrote:

jsl17, bring routing table of OpenVpn Access Server.

Dear ulmwind,

Many thanks for your help, but I found the answer.

ovpn client VPN gateway 172.28.240.20 / 172.29.240.1
I had to add a rule to the firewall.

Allow forward to destination zones: LAN

And turn off "Masquerading"
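The two LuCI changes described in this post, written out as the equivalent `/etc/config/firewall` entries. This is an added example, not jsl17's actual config: the zone and network names are taken from the chain names in the `iptables -L` dump above (`zone_lan_*`, `zone_VPN_client_*`), and that masquerading was enabled on the VPN_client zone is assumed from the post, since `iptables -L` only lists the filter table.

```uci
# Added example, not the router's real /etc/config/firewall.
# Zone and interface names assumed from the iptables chain names.

# --- before: VPN -> LAN traffic is rejected ---------------------------------
config zone
	option name 'VPN_client'
	list network 'VPN_client'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# assumed: masquerading on; LAN hosts reach the VPN as 172.28.240.20
	option masq '1'

# Only lan -> VPN_client exists ("forwarding lan -> VPN_client" in the dump),
# so a packet from 172.28.240.10 to 172.29.240.154 walks
# zone_VPN_client_forward and ends in zone_VPN_client_dest_REJECT.
config forwarding
	option src 'lan'
	option dest 'VPN_client'

# --- after: the fix from the post -------------------------------------------
config zone
	option name 'VPN_client'
	list network 'VPN_client'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# "turn off Masquerading": LAN-sourced packets keep their 172.29.240.x
	# address, which the Access Server already routes via the
	# "client-side subnets" setting (172.29.240.0/24)
	option masq '0'

config forwarding
	option src 'lan'
	option dest 'VPN_client'

# "Allow forward to destination zones: LAN": adds a zone_lan_dest_ACCEPT
# jump to zone_VPN_client_forward ahead of zone_VPN_client_dest_REJECT
config forwarding
	option src 'VPN_client'
	option dest 'lan'
```

After editing the file, `/etc/init.d/firewall restart` rebuilds the chains; `iptables -L zone_VPN_client_forward` should then show the `zone_lan_dest_ACCEPT` jump before the `zone_VPN_client_dest_REJECT` jump.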

jsl17, please bring the final output of iptables -nvL.

The discussion might have continued from here.