OpenWrt Forum Archive

Topic: OpenVPN server on ArcherC7, client connected but can't ping LAN hosts

The content of this topic has been archived on 27 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I followed the beginner's OpenVPN guide on this site.

I am able to successfully establish a connection from my client (Android phone, cellular connection) to the OpenVPN server running on my Archer C7. I can ping my C7's IP, but I cannot ping any hosts on the LAN behind the C7.

Any idea how to debug this? Thanks in advance!

root@c7main:~# cat /tmp/openvpn.log
Sat May  6 22:34:39 2017 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 31 2016
Sat May  6 22:34:39 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Sat May  6 22:34:39 2017 Diffie-Hellman initialized with 2048 bit key
Sat May  6 22:34:39 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
Sat May  6 22:34:39 2017 TUN/TAP device tun0 opened
Sat May  6 22:34:39 2017 TUN/TAP TX queue length set to 100
Sat May  6 22:34:39 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat May  6 22:34:39 2017 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sat May  6 22:34:39 2017 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sat May  6 22:34:39 2017 GID set to nogroup
Sat May  6 22:34:39 2017 UID set to nobody
Sat May  6 22:34:39 2017 UDPv4 link local (bound): [undef]
Sat May  6 22:34:39 2017 UDPv4 link remote: [undef]
Sat May  6 22:34:39 2017 MULTI: multi_init called, r=256 v=256
Sat May  6 22:34:39 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sat May  6 22:34:39 2017 Initialization Sequence Completed
Sat May  6 22:35:58 2017 208.54.4.192:20887 TLS: Initial packet from [AF_INET]208.54.4.192:20887, sid=5b4b28c1 819058ea
Sat May  6 22:35:59 2017 208.54.4.192:20887 VERIFY OK: depth=1, C=US, ST=CA, L=SanDiego, O=RadBradInc, OU=Home, CN=RadBradInc CA, name=EasyRSA, emailAddress=bradpeddigrew@gmail.com
Sat May  6 22:35:59 2017 208.54.4.192:20887 VERIFY OK: depth=0, C=US, ST=CA, L=SanDiego, O=RadBradInc, OU=Home, CN=radbrad, name=EasyRSA, emailAddress=bradpeddigrew@gmail.com
Sat May  6 22:35:59 2017 208.54.4.192:20887 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat May  6 22:35:59 2017 208.54.4.192:20887 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May  6 22:35:59 2017 208.54.4.192:20887 NOTE: --mute triggered...
Sat May  6 22:36:00 2017 208.54.4.192:20887 3 variation(s) on previous 5 message(s) suppressed by --mute
Sat May  6 22:36:00 2017 208.54.4.192:20887 [radbrad] Peer Connection Initiated with [AF_INET]208.54.4.192:20887
Sat May  6 22:36:00 2017 radbrad/208.54.4.192:20887 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sat May  6 22:36:00 2017 radbrad/208.54.4.192:20887 MULTI: Learn: 10.8.0.6 -> radbrad/208.54.4.192:20887
Sat May  6 22:36:00 2017 radbrad/208.54.4.192:20887 MULTI: primary virtual IP for radbrad/208.54.4.192:20887: 10.8.0.6
Sat May  6 22:36:01 2017 radbrad/208.54.4.192:20887 PUSH: Received control message: 'PUSH_REQUEST'
Sat May  6 22:36:01 2017 radbrad/208.54.4.192:20887 send_push_reply(): safe_cap=940
Sat May  6 22:36:01 2017 radbrad/208.54.4.192:20887 SENT CONTROL [radbrad]: 'PUSH_REPLY,comp-lzo yes,persist-key,persist-tun,topology subnet,route-gateway dhcp,route 10.10.1.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Sat May  6 22:46:46 2017 radbrad/208.54.4.192:20887 TLS: new session incoming connection from [AF_INET]208.54.4.192:20887
Sat May  6 22:46:47 2017 radbrad/208.54.4.192:20887 VERIFY OK: depth=1, C=US, ST=CA, L=SanDiego, O=RadBradInc, OU=Home, CN=RadBradInc CA, name=EasyRSA, emailAddress=bradpeddigrew@gmail.com
Sat May  6 22:46:47 2017 radbrad/208.54.4.192:20887 VERIFY OK: depth=0, C=US, ST=CA, L=SanDiego, O=RadBradInc, OU=Home, CN=radbrad, name=EasyRSA, emailAddress=bradpeddigrew@gmail.com
Sat May  6 22:46:48 2017 radbrad/208.54.4.192:20887 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat May  6 22:46:48 2017 radbrad/208.54.4.192:20887 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat May  6 22:46:48 2017 radbrad/208.54.4.192:20887 NOTE: --mute triggered...
Sat May  6 22:46:49 2017 radbrad/208.54.4.192:20887 5 variation(s) on previous 5 message(s) suppressed by --mute
Sat May  6 22:46:49 2017 radbrad/208.54.4.192:20887 PUSH: Received control message: 'PUSH_REQUEST'
Sat May  6 22:46:49 2017 radbrad/208.54.4.192:20887 send_push_reply(): safe_cap=940
Sat May  6 22:46:49 2017 radbrad/208.54.4.192:20887 SENT CONTROL [radbrad]: 'PUSH_REPLY,comp-lzo yes,persist-key,persist-tun,topology subnet,route-gateway dhcp,route 10.10.1.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
root@c7main:~#
root@c7main:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd33:7a1a:afe5::/48'

config interface 'lan'
        option ifname 'eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.10.1.1'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 2 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6'

config interface 'tun0'
        option proto 'none'
        option ifname 'tun0'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

root@c7main:~#
root@c7main:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 tun0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '56969'
        option dest_port '56969'
        option dest_ip '10.10.1.42'
        option name 'qbit'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'vpn0'
        option forward 'REJECT'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'udp'
        option src_dport '1194'
        option dest_port '1194'
        option name 'radVPN'
        option dest 'vpn'
        option dest_ip '10.8.0.1'
        option enabled '0'

config rule
        option target 'ACCEPT'
        option src '*'
        option dest_port '1194'
        option name 'radVPN1194'
        option proto 'udp'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option name 'radVPN80'
        option src '*'
        option dest_port '80'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option name 'radVPN22'
        option src '*'
        option dest_port '22'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option name 'radVPN24'
        option src '*'
        option dest_port '24'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'
root@c7main:~# cat /etc/config/openvpn

config openvpn 'myvpn'
        option enabled '1'
        option dev 'tun'
        option port '1194'
        option proto 'udp'
        option comp_lzo 'yes'
        option status '/var/log/openvpn_status.log'
        option log '/tmp/openvpn.log'
        option verb '3'
        option mute '5'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option group 'nogroup'
        option ca '/etc/easy-rsa/keys/ca.crt'
        option cert '/etc/easy-rsa/keys/c7.crt'
        option key '/etc/easy-rsa/keys/c7.key'
        option dh '/etc/easy-rsa/keys/dh2048.pem'
        option mode 'server'
        option tls_server '1'
        option server '10.8.0.0 255.255.255.0'
        option route_gateway 'dhcp'
        option client_to_client '1'
        list push 'comp-lzo yes'
        list push 'persist-key'
        list push 'persist-tun'
        #list push 'user nobody'
        #list push 'user nogroup'
        list push 'topology subnet'
        list push 'route-gateway dhcp'
        list push 'route 10.10.1.0 255.255.255.0'
        #list push 'dhcp-option DNS 107.170.95.180'
        #list push 'dhcp-option DNS 50.116.40.226'
        option tun_ipv6 '0'

root@c7main:~#
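An added check, not from the thread, that reads the two UCI files above: it maps each firewall zone to the devices behind its networks via /etc/config/network, flags any device claimed by more than one zone (here tun0 sits in 'wan' through the tun0 network and in 'vpn' through vpn0, so fw3 hands its traffic to the earlier-defined zone's chains first), and lists ACCEPT rules with src '*'. The embedded config is a trimmed, constructed copy of the posted one, and the script is plain Python 3 meant to run on a workstation against copies of the files, not on the router.

```python
import shlex
from collections import OrderedDict

# Constructed, trimmed copy of the /etc/config/network posted above.
NETWORK_CFG = """
config interface 'lan'
        option ifname 'eth1'
        option type 'bridge'
        option ipaddr '10.10.1.1'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config interface 'tun0'
        option proto 'none'
        option ifname 'tun0'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
"""

# Constructed, trimmed copy of the /etc/config/firewall posted above.
FIREWALL_CFG = """
config zone
        option name 'lan'
        option network 'lan'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option forward 'REJECT'
        option network 'wan wan6 tun0'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option network 'vpn0'
        option forward 'REJECT'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option name 'radVPN22'
        option src '*'
        option dest_port '22'
"""


def parse_uci(text):
    """Parse UCI text into a list of (type, name, options) in file order.
    'option' keys map to strings, 'list' keys to Python lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)
        if parts[0] == 'config':
            name = parts[2] if len(parts) > 2 else None
            sections.append((parts[1], name, OrderedDict()))
        elif parts[0] == 'option' and sections:
            sections[-1][2][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list' and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections


def devices_for_network(net_sections, netname):
    """Physical devices behind a logical network (bridge members for type 'bridge')."""
    for stype, name, opts in net_sections:
        if stype == 'interface' and name == netname:
            return set(opts.get('ifname', '').split())
    return set()


def zone_device_map(net_sections, fw_sections):
    """Ordered {zone: set(devices)}; the order is the order zones appear in the file."""
    zones = OrderedDict()
    for stype, _, opts in fw_sections:
        if stype == 'zone':
            devs = set()
            for net in opts.get('network', '').split():
                devs |= devices_for_network(net_sections, net)
            zones[opts['name']] = devs
    return zones


def find_shared_devices(zones):
    """{device: [zones]} for every device claimed by more than one zone."""
    owners = OrderedDict()
    for zone, devs in zones.items():
        for dev in sorted(devs):
            owners.setdefault(dev, []).append(zone)
    return {d: z for d, z in owners.items() if len(z) > 1}


def find_any_src_rules(fw_sections):
    """Names of ACCEPT rules with src '*': they admit traffic from every zone, wan included."""
    return [opts.get('name', '(unnamed)') for stype, _, opts in fw_sections
            if stype == 'rule' and opts.get('src') == '*'
            and opts.get('target', '').upper() == 'ACCEPT']


def audit(network_text, firewall_text):
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    zones = zone_device_map(net, fw)
    return {'zone_order': list(zones),
            'shared': find_shared_devices(zones),
            'any_src_rules': find_any_src_rules(fw)}


if __name__ == '__main__':
    result = audit(NETWORK_CFG, FIREWALL_CFG)
    for dev, owners in result['shared'].items():
        print(f"{dev}: claimed by zones {owners}; zone_{owners[0]}_* chains see it first")
    for name in result['any_src_rules']:
        print(f"rule {name}: src '*' accepts from every zone, including wan")
```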

What do these show:
route -n
iptables -L -vn
iptables -t nat -L -vn
iptables -t mangle -L -vn
cat /proc/sys/net/ipv4/ip_forward
?

(Last edited by dnkru on 16 May 2017, 14:04)

Sorry, it took me a while to get back to this project. Here's the output:

root@c7main:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         66.75.240.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.10.1.0       0.0.0.0         255.255.255.0   U     0      0        0 br-lan
66.75.240.0     0.0.0.0         255.255.240.0   U     0      0        0 eth0
66.75.240.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
root@c7main:~#

root@c7main:~# iptables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4972  478K delegate_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1005K  857M delegate_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4431  798K delegate_output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
1005K  857M forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
1005K  857M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  324 22738 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_forward  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    2   168 zone_wan_forward  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_forward  all  --  tun1   *       0.0.0.0/0            0.0.0.0/0
    2   168 zone_vpn_forward  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain delegate_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  852 65848 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 4120  412K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
 2565  274K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  395 20544 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
   26 16456 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Allow-Ping */
  758 60803 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
  771 60686 zone_wan_input  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_input  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_input  all  --  tun1   *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_vpn_input  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  852 65848 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
 3579  732K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
 3346  698K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   23  6984 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
  210 27504 zone_wan_output  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_output  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_output  all  --  *      tun1    0.0.0.0/0            0.0.0.0/0
    0     0 zone_vpn_output  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0

Chain forwarding_VPN_FW_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_VPN_FW_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_VPN_FW_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (7 references)
 pkts bytes target     prot opt in     out     source               destination
  410 21591 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
  356 38729 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
  395 20544 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_VPN_FW_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_VPN_FW_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_VPN_FW_forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_VPN_FW_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_VPN_FW_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_VPN_FW_input (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_VPN_FW_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    0     0 zone_VPN_FW_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_VPN_FW_output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_VPN_FW_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    0     0 zone_VPN_FW_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_VPN_FW_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_dest_ACCEPT (5 references)
 pkts bytes target     prot opt in     out     source               destination
   25  7152 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
  324 22738 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
  324 22738 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> vpn */
  324 22738 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> wan */
    0     0 zone_VPN_FW_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> VPN_FW */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  758 60803 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
  758 60803 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
   23  6984 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
   23  6984 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  758 60803 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0

Chain zone_vpn_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0

Chain zone_vpn_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   168 forwarding_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    2   168 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding vpn -> wan */
    2   168 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding vpn -> lan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_vpn_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    0     0 zone_vpn_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_vpn_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    0     0 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_vpn_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination
  534 50242 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      tun1    0.0.0.0/0            0.0.0.0/0

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      tun1    0.0.0.0/0            0.0.0.0/0

Chain zone_wan_forward (3 references)
 pkts bytes target     prot opt in     out     source               destination
    2   168 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* @rule[7] */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* @rule[8] */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    2   168 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_input (3 references)
 pkts bytes target     prot opt in     out     source               destination
  771 60686 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* Allow-DHCP-Renew */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* Allow-IGMP */
    5   366 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* Allow-OpenVPN-Inbound_2 */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
  766 60320 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_output (3 references)
 pkts bytes target     prot opt in     out     source               destination
  210 27504 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
  210 27504 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  766 60320 reject     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  tun1   *       0.0.0.0/0            0.0.0.0/0
root@c7main:~#

root@c7main:~# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 1242 packets, 129K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1242  129K delegate_prerouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 69 packets, 24490 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 777 packets, 53128 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 568 packets, 38835 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1428 84637 delegate_postrouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain delegate_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1428 84637 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */
    7  1248 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
  860 45802 zone_wan_postrouting  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_postrouting  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_postrouting  all  --  *      tun1    0.0.0.0/0            0.0.0.0/0
    0     0 zone_vpn_postrouting  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0

Chain delegate_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1242  129K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */
  421 62620 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
  817 65907 zone_wan_prerouting  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    4   336 zone_wan_prerouting  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_prerouting  all  --  tun1   *       0.0.0.0/0            0.0.0.0/0
    4   336 zone_vpn_prerouting  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain postrouting_VPN_FW_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_VPN_FW_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_VPN_FW_postrouting (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 postrouting_VPN_FW_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_VPN_FW_prerouting (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 prerouting_VPN_FW_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7  1248 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */
    0     0 SNAT       tcp  --  *      *       10.10.1.0/24         10.10.1.42           tcp dpt:56969 /* qbit (reflection) */ to:10.10.1.1
    0     0 SNAT       udp  --  *      *       10.10.1.0/24         10.10.1.42           udp dpt:56969 /* qbit (reflection) */ to:10.10.1.1

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  421 62620 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */
    0     0 DNAT       tcp  --  *      *       10.10.1.0/24         66.75.244.38         tcp dpt:56969 /* qbit (reflection) */ to:10.10.1.42:56969
    0     0 DNAT       udp  --  *      *       10.10.1.0/24         66.75.244.38         udp dpt:56969 /* qbit (reflection) */ to:10.10.1.42:56969

Chain zone_vpn_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 postrouting_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_vpn_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   336 prerouting_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */

Chain zone_wan_postrouting (3 references)
 pkts bytes target     prot opt in     out     source               destination
  860 45802 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */
  860 45802 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_prerouting (3 references)
 pkts bytes target     prot opt in     out     source               destination
  821 66243 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:56969 /* qbit */ to:10.10.1.42:56969
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:56969 /* qbit */ to:10.10.1.42:56969
root@c7main:~#


root@c7main:~# iptables -t mangle -L -vn
Chain PREROUTING (policy ACCEPT 1091K packets, 925M bytes)
 pkts bytes target     prot opt in     out     source               destination
1091K  925M fwmark     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 5375 packets, 513K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 1085K packets, 924M bytes)
 pkts bytes target     prot opt in     out     source               destination
1085K  924M mssfix     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4836 packets, 880K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1090K packets, 925M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fwmark (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain mssfix (1 references)
 pkts bytes target     prot opt in     out     source               destination
  110  5968 TCPMSS     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp  --  *      tun0    0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp  --  *      tun1    0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU
root@c7main:~#

root@c7main:~# cat /proc/sys/net/ipv4/ip_forward
1

(Last edited by RadBrad87 on 23 May 2017, 02:38)
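One thing that stands out in the nat dump above: there are two sets of VPN zone chains, zone_VPN_FW_* with "(0 references)" and zone_vpn_* with "(1 references)". On OpenWrt a zone chain that nothing references belongs to a firewall zone with no interface attached to it, so its rules (including the MASQUERADE in zone_VPN_FW_postrouting) never see tun0 traffic; only the zone whose chains are actually referenced matters. As an added diagnostic that is not part of the original post, the POSIX shell helper below parses the text of `iptables -t nat -L -vn` (a constructed sample mirroring the shape of the dump is embedded so it runs offline) and lists the unreferenced zone chains and the chains that masquerade.

```shell
#!/bin/sh
# Added helper (not from the original post): reads "iptables -t nat -L -vn"
# output on stdin and prints OpenWrt zone chains with 0 references, i.e.
# chains of a firewall zone that has no interface bound to it.
unreferenced_zone_chains() {
    awk '/^Chain zone_.* \(0 references\)/ { print $2 }'
}

# Prints the name of every chain that carries a MASQUERADE rule, so you can
# see which zone actually NATs traffic and compare it with the list above.
masquerading_zone_chains() {
    awk '/^Chain / { chain = $2 }
         /[[:space:]]MASQUERADE[[:space:]]/ { print chain }'
}

# Constructed sample in the same layout as the dump in the post; counters
# and unrelated chains are omitted. Real input comes from the router itself:
#   iptables -t nat -L -vn | unreferenced_zone_chains
SAMPLE_NAT='Chain zone_VPN_FW_postrouting (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 postrouting_VPN_FW_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_VPN_FW_prerouting (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_vpn_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_postrouting (3 references)
 pkts bytes target     prot opt in     out     source               destination
  860 45802 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

echo "Zone chains no interface is bound to:"
printf '%s' "$SAMPLE_NAT" | unreferenced_zone_chains
echo "Chains that masquerade:"
printf '%s' "$SAMPLE_NAT" | masquerading_zone_chains
```

Any zone that shows up in the first list but not in the second is harmless but dead; a zone that shows up in both is masquerading nothing, which is worth knowing before you add more rules to it.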

The discussion might have continued from here.