Turns out I needed to masquerade the traffic coming into that INSIDE node. Since I use UFW to manage iptables, adding this to my /etc/ufw/before.rules and restarting UFW fixed it for me:

    -A POSTROUTING -s 10.9.0.0/24 -o eth1 -j MASQUERADE

Very Respectfully,

Kismet-Gerald Agbasi
IT/Systems Administrator
Central Truck Center, Inc.
Office: 240-487-3315
Toll Free: 1-800-492-0709
Fax: 240-487-3399
3839 Ironwood Place
Landover, MD 20785
www.centraltruckcenter.com

-----Original Message-----
From: Kismet Agbasi [mailto:kagbasi at centraltruck.net]
Sent: Thursday, October 6, 2016 12:17 PM
To: 'Keith' <keith at rhizomatica.org>; 'tinc at tinc-vpn.org' <tinc at tinc-vpn.org>
Subject: RE: Can't Route LAN Traffic Behind Tinc Network

Oh yes - so ubuntu2 is the Linux host running tinc on my LAN (the one I'm referring to as INSIDE node). I can ping it from my Windows machine and vice versa without any trouble. I can also ping all other devices on my LAN from ubuntu2 and vice versa, also without any issues. Output of "tcpdump -i eth1 icmp" confirms that packets are reaching the box and going out on the correct interface. 10.9.0.4 is the tinc IP address of EXTERNAL node.

root@ubuntu2:~# tcpdump -i eth1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:12:44.625280 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 1, length 64
12:12:45.630867 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 2, length 64
12:12:46.638898 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 3, length 64
12:12:47.646764 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 4, length 64
12:12:48.654765 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 5, length 64
12:12:49.662973 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 6, length 64
12:12:50.670642 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 7, length 64
12:12:51.678942 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 8, length 64
12:12:52.686627 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 9, length 64
12:12:53.694864 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 10, length 64
12:12:54.702841 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 11, length 64
12:12:55.710574 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 12, length 64
12:12:56.718886 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 13, length 64
12:12:57.726749 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 14, length 64
12:12:58.734801 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 15, length 64
^C
15 packets captured
16 packets received by filter
0 packets dropped by kernel

-----Original Message-----
From: Keith [mailto:keith at rhizomatica.org]
Sent: Thursday, October 6, 2016 11:27 AM
To: kagbasi at centraltruck.net; tinc at tinc-vpn.org
Subject: Re: Can't Route LAN Traffic Behind Tinc Network

On 06/10/2016 17:16, Kismet Agbasi wrote:
> Thanks again Keith. I disabled UFW and flushed iptables completely, but same result.
> Pings from the external node are reaching the internal node on the tinc0 interface but nothing happens after that. Now that I'm thinking of it, I did some masquerading in order to get OpenVPN to work on another box, I wonder if that would be applicable here?

Weird. I dunno. Something is missing from the picture.

You could check if the pings to 172.23.6.x are going out on the eth1 interface with

    tcpdump -i eth1 icmp

You are trying to ping this internal Windows box via tinc, right? (the one from where you posted a ping to 172.23.6.149?) Does it have Windows Firewall enabled? Sometimes Windows Firewall blocks incoming pings.

Can you ping it from the machine called ubuntu2?

k/
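The one-line rule in the fix above is only a fragment: /etc/ufw/before.rules is read by iptables-restore, so the rule has to sit inside a complete *nat section. The script below is an added example, not code from either poster or from the tinc or ufw projects. It renders that section for the values given in the thread (10.9.0.0/24 as the tinc subnet, eth1 as the LAN-facing interface of ubuntu2) and then runs two checks that a practitioner would want after restarting UFW: that the masquerade rule is actually loaded, and that IPv4 forwarding is enabled in /etc/ufw/sysctl.conf. The iptables-save dump and the sysctl file contents it checks are constructed sample inputs, so it runs offline; on a real host you would pipe in `iptables-save -t nat` and /etc/ufw/sysctl.conf instead.

```shell
#!/bin/sh
# Added example, not code from the thread: wrap the MASQUERADE rule from the
# fix above in the complete *nat section that /etc/ufw/before.rules expects,
# and check a saved ruleset and a UFW sysctl file for the two settings the
# fix depends on. Values are taken from the thread: 10.9.0.0/24 is the tinc
# subnet, eth1 is the LAN-facing interface of the INSIDE node (ubuntu2).

TINC_SUBNET="10.9.0.0/24"
LAN_IF="eth1"

# before.rules is parsed by iptables-restore, so a nat rule must sit between
# "*nat" and "COMMIT" with its chain declared; the bare "-A" line from the
# thread is only valid inside such a section. Place it above the "*filter"
# section that UFW already ships in before.rules.
render_nat_section() {
    subnet="$1"
    iface="$2"
    printf '%s\n' \
        "*nat" \
        ":POSTROUTING ACCEPT [0:0]" \
        "-A POSTROUTING -s ${subnet} -o ${iface} -j MASQUERADE" \
        "COMMIT"
}

# Read an iptables-save style dump on stdin (e.g. from "iptables-save -t nat")
# and succeed only if the masquerade rule for this subnet/interface is loaded.
# Fixed-string match, so the "." and "/" in the subnet are taken literally.
has_masquerade_rule() {
    subnet="$1"
    iface="$2"
    grep -Fq -- "-A POSTROUTING -s ${subnet} -o ${iface} -j MASQUERADE"
}

# Read /etc/ufw/sysctl.conf style text on stdin and succeed only if IPv4
# forwarding is switched on. UFW ships the line commented out; without it the
# kernel would never pass tinc0 packets to eth1 at all (in the thread they did
# reach eth1, so that part was already in place there).
forwarding_enabled() {
    grep -Eq '^[[:space:]]*net/ipv4/ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Constructed sample inputs standing in for "iptables-save -t nat" output and
# for /etc/ufw/sysctl.conf on a host where the fix has been applied.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.9.0.0/24 -o eth1 -j MASQUERADE
COMMIT'

SAMPLE_SYSCTL='# Uncomment this to allow this host to route packets between interfaces
#net/ipv4/ip_forward=1
net/ipv4/ip_forward=1'

# Stand-alone run: print the section to paste, then report the two checks.
main() {
    echo "Section to add to /etc/ufw/before.rules:"
    render_nat_section "$TINC_SUBNET" "$LAN_IF"
    if printf '%s\n' "$SAMPLE_NAT_DUMP" | has_masquerade_rule "$TINC_SUBNET" "$LAN_IF"; then
        echo "masquerade rule for $TINC_SUBNET via $LAN_IF: present"
    else
        echo "masquerade rule for $TINC_SUBNET via $LAN_IF: missing"
    fi
    if printf '%s\n' "$SAMPLE_SYSCTL" | forwarding_enabled; then
        echo "net/ipv4/ip_forward=1: set"
    else
        echo "net/ipv4/ip_forward=1: not set"
    fi
}

main
```

Why masquerading fixed the symptom in the thread: the capture shows echo requests leaving eth1 with their tinc source address 10.9.0.4, and a LAN host with no route for 10.9.0.0/24 sends its reply to its default gateway rather than back to ubuntu2, so the ping never completes. MASQUERADE rewrites the source to ubuntu2's eth1 address, so replies come straight back to it. The trade-off is that LAN-side logs then show every tinc peer as ubuntu2, so where per-peer accountability matters, the alternative is to leave the addresses intact and add a route for 10.9.0.0/24 via ubuntu2 on the LAN gateway (or on the hosts). Note also that the nat rule only rewrites addresses; whether traffic is allowed to cross from tinc0 to eth1 at all is still decided by the FORWARD chain, which under UFW is governed by DEFAULT_FORWARD_POLICY in /etc/default/ufw.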