tinc - Feb 2016 - Tinc Router Mode - PING RESULT is destination host unreachable

Hi Lars,

I have no experience to use tcpdump, here is the output from TCPdump for
your reference. Any idea?


Use my home PC to ping company PC

01:00:25.154706 ethertype IPv4, IP 192.168.1.2 > 10.0.0.2: ICMP echo
request, id 1, seq 17, length 40
01:00:25.154706 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq 17,
length 40
01:00:25.154706 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq 17,
length 40
01:00:25.155177 IP 192.168.1.1 > 192.168.1.2: ICMP 10.0.0.2 protocol 1 port
19786 unreachable, length 68
01:00:25.155225 IP 192.168.1.1 > 192.168.1.2: ICMP 10.0.0.2 protocol 1 port
19786 unreachable, length 68
01:00:26.157248 ethertype IPv4, IP 192.168.1.2 > 10.0.0.2: ICMP echo
request, id 1, seq 18, length 40
01:00:26.157248 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq 18,
length 40
01:00:26.157248 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq 18,
length 40
01:00:26.157711 IP 192.168.1.1 > 192.168.1.2: ICMP 10.0.0.2 protocol 1 port
19785 unreachable, length 68
01:00:26.157756 IP 192.168.1.1 > 192.168.1.2: ICMP 10.0.0.2 protocol 1 port
19785 unreachable, length 68
01:00:27.159698 ethertype IPv4, IP 192.168.1.2 > 10.0.0.2: ICMP echo
request, id 1, seq 19, length 40
01:00:27.159698 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq 19,
length 40
01:00:27.159698 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq 19,
length 40
01:00:27.160165 IP 192.168.1.1 > 192.168.1.2: ICMP 10.0.0.2 protocol 1 port
19784 unreachable, length 68
01:00:27.160211 IP 192.168.1.1 > 192.168.1.2: ICMP 10.0.0.2 protocol 1 port
19784 unreachable, length 68
01:00:28.163041 ethertype IPv4, IP 192.168.1.2 > 10.0.0.2: ICMP echo
request, id 1, seq 20, length 40
01:00:28.163041 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq 20,
length 40
01:00:28.163041 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq 20,
length 40
01:00:28.163506 IP 192.168.1.1 > 192.168.1.2: ICMP 10.0.0.2 protocol 1 port
19783 unreachable, length 68
01:00:28.163551 IP 192.168.1.1 > 192.168.1.2: ICMP 10.0.0.2 protocol 1 port
19783 unreachable, length 68
01:00:30.557443 ethertype IPv4, IP 192.168.1.2 > 10.0.0.1: ICMP echo
request, id 1, seq 21, length 40
01:00:30.557443 IP 192.168.1.2 > 10.0.0.1: ICMP echo request, id 1, seq 21,
length 40
01:00:30.557443 IP 192.168.1.2 > 10.0.0.1: ICMP echo request, id 1, seq 21,
length 40
01:00:30.557881 IP 10.0.0.1 > 192.168.1.2: ICMP echo reply, id 1, seq 21,
length 40
01:00:30.557927 IP 10.0.0.1 > 192.168.1.2: ICMP echo reply, id 1, seq 21,
length 40
01:00:31.560697 ethertype IPv4, IP 192.168.1.2 > 10.0.0.1: ICMP echo
request, id 1, seq 22, length 40
01:00:31.560697 IP 192.168.1.2 > 10.0.0.1: ICMP echo request, id 1, seq 22,
length 40
01:00:31.560697 IP 192.168.1.2 > 10.0.0.1: ICMP echo request, id 1, seq 22,
length 40
01:00:31.561039 IP 10.0.0.1 > 192.168.1.2: ICMP echo reply, id 1, seq 22,
length 40
01:00:31.561079 IP 10.0.0.1 > 192.168.1.2: ICMP echo reply, id 1, seq 22,
length 40
01:00:32.565071 ethertype IPv4, IP 192.168.1.2 > 10.0.0.1: ICMP echo
request, id 1, seq 23, length 40
01:00:32.565071 IP 192.168.1.2 > 10.0.0.1: ICMP echo request, id 1, seq 23,
length 40
01:00:32.565071 IP 192.168.1.2 > 10.0.0.1: ICMP echo request, id 1, seq 23,
length 40
01:00:32.565410 IP 10.0.0.1 > 192.168.1.2: ICMP echo reply, id 1, seq 23,
length 40
01:00:32.565451 IP 10.0.0.1 > 192.168.1.2: ICMP echo reply, id 1, seq 23,
length 40
01:00:33.569452 ethertype IPv4, IP 192.168.1.2 > 10.0.0.1: ICMP echo
request, id 1, seq 24, length 40
01:00:33.569452 IP 192.168.1.2 > 10.0.0.1: ICMP echo request, id 1, seq 24,
length 40
01:00:33.569452 IP 192.168.1.2 > 10.0.0.1: ICMP echo request, id 1, seq 24,
length 40
01:00:33.569877 IP 10.0.0.1 > 192.168.1.2: ICMP echo reply, id 1, seq 24,
length 40
01:00:33.569918 IP 10.0.0.1 > 192.168.1.2: ICMP echo reply, id 1, seq 24,
length 40
01:00:35.242556 ethertype IPv4, IP 192.168.1.2 > 192.168.2.1: ICMP echo
request, id 1, seq 25, length 40
01:00:35.242556 IP 192.168.1.2 > 192.168.2.1: ICMP echo request, id 1, seq
25, length 40
01:00:35.242556 IP 192.168.1.2 > 192.168.2.1: ICMP echo request, id 1, seq
25, length 40
01:00:35.243018 IP 192.168.1.1 > 192.168.1.2: ICMP 192.168.2.1 protocol 1
port 19778 unreachable, length 68
01:00:35.243063 IP 192.168.1.1 > 192.168.1.2: ICMP 192.168.2.1 protocol 1
port 19778 unreachable, length 68
01:00:36.244070 ethertype IPv4, IP 192.168.1.2 > 192.168.2.1: ICMP echo
request, id 1, seq 26, length 40
01:00:36.244070 IP 192.168.1.2 > 192.168.2.1: ICMP echo request, id 1, seq
26, length 40
01:00:36.244070 IP 192.168.1.2 > 192.168.2.1: ICMP echo request, id 1, seq
26, length 40
01:00:36.244548 IP 192.168.1.1 > 192.168.1.2: ICMP 192.168.2.1 protocol 1
port 19777 unreachable, length 68
01:00:36.244593 IP 192.168.1.1 > 192.168.1.2: ICMP 192.168.2.1 protocol 1
port 19777 unreachable, length 68
01:00:37.246363 ethertype IPv4, IP 192.168.1.2 > 192.168.2.1: ICMP echo
request, id 1, seq 27, length 40
01:00:37.246363 IP 192.168.1.2 > 192.168.2.1: ICMP echo request, id 1, seq
27, length 40
01:00:37.246363 IP 192.168.1.2 > 192.168.2.1: ICMP echo request, id 1, seq
27, length 40
01:00:37.246823 IP 192.168.1.1 > 192.168.1.2: ICMP 192.168.2.1 protocol 1
port 19776 unreachable, length 68
01:00:37.246868 IP 192.168.1.1 > 192.168.1.2: ICMP 192.168.2.1 protocol 1
port 19776 unreachable, length 68
01:00:38.248812 ethertype IPv4, IP 192.168.1.2 > 192.168.2.1: ICMP echo
request, id 1, seq 28, length 40
01:00:38.248812 IP 192.168.1.2 > 192.168.2.1: ICMP echo request, id 1, seq
28, length 40
01:00:38.248812 IP 192.168.1.2 > 192.168.2.1: ICMP echo request, id 1, seq
28, length 40
01:00:38.249276 IP 192.168.1.1 > 192.168.1.2: ICMP 192.168.2.1 protocol 1
port 19775 unreachable, length 68
01:00:38.249322 IP 192.168.1.1 > 192.168.1.2: ICMP 192.168.2.1 protocol 1
port 19775 unreachable, length 68

Use OpenWrt router to ping

01:17:15.231056 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:16.555266 IP 10.0.0.1 > 10.0.0.1: ICMP echo request, id 24869, seq 0,
length 64
01:17:16.555514 IP 10.0.0.1 > 10.0.0.1: ICMP echo reply, id 24869, seq 0,
length 64
01:17:16.590838 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:17.556106 IP 10.0.0.1 > 10.0.0.1: ICMP echo request, id 24869, seq 1,
length 64
01:17:17.556345 IP 10.0.0.1 > 10.0.0.1: ICMP echo reply, id 24869, seq 1,
length 64
01:17:17.775263 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:17.783452 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:18.556830 IP 10.0.0.1 > 10.0.0.1: ICMP echo request, id 24869, seq 2,
length 64
01:17:18.557059 IP 10.0.0.1 > 10.0.0.1: ICMP echo reply, id 24869, seq 2,
length 64
01:17:19.557536 IP 10.0.0.1 > 10.0.0.1: ICMP echo request, id 24869, seq 3,
length 64
01:17:19.557777 IP 10.0.0.1 > 10.0.0.1: ICMP echo reply, id 24869, seq 3,
length 64
01:17:20.295382 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:20.310048 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:21.512500 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:21.653524 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:21.669882 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:22.772178 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:24.715863 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 25125, seq 0,
length 64
01:17:24.867369 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 25125, seq 0,
length 64
01:17:24.880975 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:25.721487 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 25125, seq 1,
length 64
01:17:25.838114 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:25.840444 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 25125, seq 1,
length 64
01:17:25.848984 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:26.721920 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 25125, seq 2,
length 64
01:17:26.775946 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 25125, seq 2,
length 64
01:17:27.722331 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 25125, seq 3,
length 64
01:17:27.817985 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:27.823082 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 25125, seq 3,
length 64
01:17:31.580234 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:31.595471 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:31.640342 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:33.970715 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:33.978216 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:36.479992 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:36.645113 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:17:37.717665 IP 10.0.0.1 > 192.168.2.1: ICMP echo request, id 25381, seq
0, length 64
01:17:37.915851 IP 192.168.2.1 > 10.0.0.1: ICMP echo reply, id 25381, seq 0,
length 64
01:17:38.718179 IP 10.0.0.1 > 192.168.2.1: ICMP echo request, id 25381, seq
1, length 64
01:17:38.805564 IP 192.168.2.1 > 10.0.0.1: ICMP echo reply, id 25381, seq 1,
length 64
01:17:39.718578 IP 10.0.0.1 > 192.168.2.1: ICMP echo request, id 25381, seq
2, length 64
01:17:39.804755 IP 192.168.2.1 > 10.0.0.1: ICMP echo reply, id 25381, seq 2,
length 64
01:17:40.718980 IP 10.0.0.1 > 192.168.2.1: ICMP echo request, id 25381, seq
3, length 64
01:17:40.802417 IP 192.168.2.1 > 10.0.0.1: ICMP echo reply, id 25381, seq 3,
length 64
01:17:48.361731 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 25637,
seq 0, length 64
01:17:48.361801 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 25637,
seq 0, length 64
01:17:48.363071 ethertype IPv4, IP 192.168.1.2 > 192.168.1.1: ICMP echo
reply, id 25637, seq 0, length 64
01:17:48.363071 IP 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 25637, seq
0, length 64
01:17:48.363071 IP 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 25637, seq
0, length 64
01:17:49.362327 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 25637,
seq 1, length 64
01:17:49.362391 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 25637,
seq 1, length 64
01:17:49.363405 ethertype IPv4, IP 192.168.1.2 > 192.168.1.1: ICMP echo
reply, id 25637, seq 1, length 64
01:17:49.363405 IP 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 25637, seq
1, length 64
01:17:49.363405 IP 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 25637, seq
1, length 64
01:17:50.362884 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 25637,
seq 2, length 64
01:17:50.362952 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 25637,
seq 2, length 64
01:17:50.364043 ethertype IPv4, IP 192.168.1.2 > 192.168.1.1: ICMP echo
reply, id 25637, seq 2, length 64
01:17:50.364043 IP 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 25637, seq
2, length 64
01:17:50.364043 IP 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 25637, seq
2, length 64
01:17:51.363467 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 25637,
seq 3, length 64
01:17:51.363533 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 25637,
seq 3, length 64
01:17:51.364624 ethertype IPv4, IP 192.168.1.2 > 192.168.1.1: ICMP echo
reply, id 25637, seq 3, length 64
01:17:51.364624 IP 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 25637, seq
3, length 64
01:17:51.364624 IP 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 25637, seq
3, length 64

Use company PC to ping

01:23:03.327966 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:04.816391 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:05.211811 IP 10.0.0.2 > 192.168.1.1: ICMP echo request, id 1, seq
2853, length 40
01:23:05.212180 IP 192.168.1.1 > 10.0.0.2: ICMP echo reply, id 1, seq 2853,
length 40
01:23:05.228221 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:06.200953 IP 10.0.0.2 > 192.168.1.1: ICMP echo request, id 1, seq
2854, length 40
01:23:06.201255 IP 192.168.1.1 > 10.0.0.2: ICMP echo reply, id 1, seq 2854,
length 40
01:23:06.289783 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:07.350522 IP 10.0.0.2 > 192.168.1.1: ICMP echo request, id 1, seq
2855, length 40
01:23:07.350827 IP 192.168.1.1 > 10.0.0.2: ICMP echo reply, id 1, seq 2855,
length 40
01:23:09.449526 IP 10.0.0.2 > 192.168.1.1: ICMP echo request, id 1, seq
2856, length 40
01:23:09.449832 IP 192.168.1.1 > 10.0.0.2: ICMP echo reply, id 1, seq 2856,
length 40
01:23:09.725296 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:11.425411 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:12.237556 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:12.262528 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:13.651353 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:13.715695 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:15.982798 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:16.007804 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:16.156518 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:16.165304 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 1, seq 2857,
length 40
01:23:16.165707 IP 10.0.0.1 > 10.0.0.2: ICMP echo reply, id 1, seq 2857,
length 40
01:23:17.150963 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 1, seq 2858,
length 40
01:23:17.151264 IP 10.0.0.1 > 10.0.0.2: ICMP echo reply, id 1, seq 2858,
length 40
01:23:18.156261 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 1, seq 2859,
length 40
01:23:18.156564 IP 10.0.0.1 > 10.0.0.2: ICMP echo reply, id 1, seq 2859,
length 40
01:23:19.157767 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 1, seq 2860,
length 40
01:23:19.158072 IP 10.0.0.1 > 10.0.0.2: ICMP echo reply, id 1, seq 2860,
length 40
01:23:20.509029 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:21.669120 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:22.895954 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:25.466373 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:27.930107 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:27.938637 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:28.176923 IP 192.168.1.1 > 192.168.1.1: ICMP 218.188.88.37 unreachable
- need to frag (mtu 1480), length 556
01:23:29.808414 IP 10.0.0.2 > 192.168.1.2: ICMP echo request, id 1, seq
2865, length 40
01:23:29.808828 IP 10.0.0.1 > 10.0.0.2: ICMP 192.168.1.2 protocol 1 port
16938 unreachable, length 68
01:23:30.835163 IP 10.0.0.2 > 192.168.1.2: ICMP echo request, id 1, seq
2866, length 40
01:23:30.835578 IP 10.0.0.1 > 10.0.0.2: ICMP 192.168.1.2 protocol 1 port
16937 unreachable, length 68
01:23:31.831244 IP 10.0.0.2 > 192.168.1.2: ICMP echo request, id 1, seq
2867, length 40
01:23:31.831657 IP 10.0.0.1 > 10.0.0.2: ICMP 192.168.1.2 protocol 1 port
16936 unreachable, length 68
01:23:32.832992 IP 10.0.0.2 > 192.168.1.2: ICMP echo request, id 1, seq
2868, length 40
01:23:32.833452 IP 10.0.0.1 > 10.0.0.2: ICMP 192.168.1.2 protocol 1 port
16935 unreachable, length 68

Regards,
Eric

-----Original Message-----
From: Lars Kruse [mailto:lists at sumpfralle.de] 
Sent: Saturday, February 13, 2016 1:24 AM
To: tinc at tinc-vpn.org
Subject: Re: Tinc Router Mode - PING RESULT is destination host unreachable

Hi Eric,


Am Fri, 12 Feb 2016 23:51:59 +0800
schrieb Eric Yau <ericyaukhy at hotmail.com>:
> [..]
> Question: On home side (OpenWrt Router) and company side (Windows 7 
> PC), I can ping all the IP addresses. But on Home PC (Behind the 
> OPENWRT Router), I cannot ping to Company (Windows 7 PC) and Company 
> (Server A). The PING RESULT is destination host unreachable. Any idea
about that?

at this point I would usually try to find out the following details:
* does the ping packet reach its target?
* does the request packet contain the expected source address?
* is a response packet generated?
* does the response packet go through the expected stations?

All of the above questions can be answered by running tcpdump (e.g.
"tcpdump
-ni any icmp") on the machine in question.

It will probably boil down to a routing/nat or a firewall (iptables) issue,
I guess. The "destination host unreachable" error message should
indicate
which host fails or refuses to deliver the packet.

Cheers,
Lars

Hi Eric,

Am Sun, 14 Feb 2016 01:26:22 +0800
schrieb Eric Yau <ericyaukhy at hotmail.com>:
> I have no experience to use tcpdump, here is the output from TCPdump for
> your reference. Any idea?
A good start for understanding tcpdump is to imagine beforehand which packets
you do expect (request, response with source and target addresses).

> Use my home PC to ping company PC
> 
> 01:00:25.154706 ethertype IPv4, IP 192.168.1.2 > 10.0.0.2: ICMP echo
> request, id 1, seq 17, length 40
> 01:00:25.154706 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq
17,
> length 40
> 01:00:25.154706 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, seq
17,
> length 40
> 01:00:25.155177 IP 192.168.1.1 > 192.168.1.2: ICMP 10.0.0.2 protocol 1
port
> 19786 unreachable, length 68
> 01:00:25.155225 IP 192.168.1.1 > 192.168.1.2: ICMP 10.0.0.2 protocol 1
port
> 19786 unreachable, length 68
I understand the packets above like this:
* 192.168.1.2 sends a packet via 192.168.1.1 to 10.0.0.2 (according to your
  network graph)
* It is a bit confusing, that the same packet passes twice through the host
  that is watching the traffic. I am not sure about this.
* 192.168.1.1 sends an "unreachable" reply. Thus 192.168.1.1 is the
crucial
  point of misconfiguration - either due to routing, firewalling or physical
  disconnection.
* Since the "unreachable" packets are returned quite quickly (within a
few
  milliseconds) I assume that 192.168.1.1 did not even try to reach 10.0.0.2 -
  thus it is probably a firewalling issue.

I am not sure, at which position / on which host you recorded the tcpdump
output. Next time you could add this information, as well.

> Use OpenWrt router to ping
> 
> [..]
>
> 01:17:24.715863 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 25125, seq
0,
> length 64
> 01:17:24.867369 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 25125, seq
0,
> length 64
This proves the 10.0.0.1 can reach 10.0.0.2 and vice versa.

> 01:17:37.717665 IP 10.0.0.1 > 192.168.2.1: ICMP echo request, id 25381,
seq
> 0, length 64
> 01:17:37.915851 IP 192.168.2.1 > 10.0.0.1: ICMP echo reply, id 25381,
seq 0,
> length 64
Same connection as above - but with different IPs - it works.

> Use company PC to ping
> 
> 01:23:05.211811 IP 10.0.0.2 > 192.168.1.1: ICMP echo request, id 1, seq
> 2853, length 40
> 01:23:05.212180 IP 192.168.1.1 > 10.0.0.2: ICMP echo reply, id 1, seq
2853,
> length 40
Same connection as above - but with different IPs - it works.

> 01:23:16.165304 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 1, seq
2857,
> length 40
> 01:23:16.165707 IP 10.0.0.1 > 10.0.0.2: ICMP echo reply, id 1, seq 2857,
> length 40
Already tested above, as well.

> 01:23:29.808414 IP 10.0.0.2 > 192.168.1.2: ICMP echo request, id 1, seq
> 2865, length 40
> 01:23:29.808828 IP 10.0.0.1 > 10.0.0.2: ICMP 192.168.1.2 protocol 1 port
> 16938 unreachable, length 68
Again: the openwrt router (192.168.1.1) denies packets between 192.168.2.1 and
192.168.1.2 - this time from the other direction.

Thus 192.168.1.1 seems to cause the problem. Probably you did not allow the
traffic flow that you are going after.
This should be strictly an firewalling or openwrt issue. You should check your
firewall zones (as openwrt calls it) and the allowed packet flows between these
zones.

Cheers,
Lars

Hi Lars,

Once I modify the firewall FORWARD rule to ACCEPT. I can ping and access my
company PC at home. All traffic can pass through that. But I think it is not
a good practice to change the FORWARD rule to ACCEPT. Any idea to check and
just allow the tinc VPN traffic only? Instead of allow everything pass
through the FORWARD rule.

Regards,
Eric

-----Original Message-----
From: Lars Kruse [mailto:lists at sumpfralle.de] 
Sent: Sunday, February 14, 2016 8:59 PM
To: tinc at tinc-vpn.org
Subject: Re: Tinc Router Mode - PING RESULT is destination host unreachable

Hi Eric,

Am Sun, 14 Feb 2016 01:26:22 +0800
schrieb Eric Yau <ericyaukhy at hotmail.com>:
> I have no experience to use tcpdump, here is the output from TCPdump 
> for your reference. Any idea?
A good start for understanding tcpdump is to imagine beforehand which
packets you do expect (request, response with source and target addresses).

> Use my home PC to ping company PC
> 
> 01:00:25.154706 ethertype IPv4, IP 192.168.1.2 > 10.0.0.2: ICMP echo 
> request, id 1, seq 17, length 40
> 01:00:25.154706 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, 
> seq 17, length 40
> 01:00:25.154706 IP 192.168.1.2 > 10.0.0.2: ICMP echo request, id 1, 
> seq 17, length 40
> 01:00:25.155177 IP 192.168.1.1 > 192.168.1.2: ICMP 10.0.0.2 protocol 1 
> port
> 19786 unreachable, length 68
> 01:00:25.155225 IP 192.168.1.1 > 192.168.1.2: ICMP 10.0.0.2 protocol 1 
> port
> 19786 unreachable, length 68
I understand the packets above like this:
* 192.168.1.2 sends a packet via 192.168.1.1 to 10.0.0.2 (according to your
  network graph)
* It is a bit confusing, that the same packet passes twice through the host
  that is watching the traffic. I am not sure about this.
* 192.168.1.1 sends an "unreachable" reply. Thus 192.168.1.1 is the
crucial
  point of misconfiguration - either due to routing, firewalling or physical
  disconnection.
* Since the "unreachable" packets are returned quite quickly (within a
few
  milliseconds) I assume that 192.168.1.1 did not even try to reach 10.0.0.2
-
  thus it is probably a firewalling issue.

I am not sure, at which position / on which host you recorded the tcpdump
output. Next time you could add this information, as well.

> Use OpenWrt router to ping
> 
> [..]
>
> 01:17:24.715863 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 25125, 
> seq 0, length 64
> 01:17:24.867369 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 25125, seq 
> 0, length 64
This proves the 10.0.0.1 can reach 10.0.0.2 and vice versa.

> 01:17:37.717665 IP 10.0.0.1 > 192.168.2.1: ICMP echo request, id 
> 25381, seq 0, length 64
> 01:17:37.915851 IP 192.168.2.1 > 10.0.0.1: ICMP echo reply, id 25381, 
> seq 0, length 64
Same connection as above - but with different IPs - it works.

> Use company PC to ping
> 
> 01:23:05.211811 IP 10.0.0.2 > 192.168.1.1: ICMP echo request, id 1, 
> seq 2853, length 40
> 01:23:05.212180 IP 192.168.1.1 > 10.0.0.2: ICMP echo reply, id 1, seq 
> 2853, length 40
Same connection as above - but with different IPs - it works.

> 01:23:16.165304 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 1, seq 
> 2857, length 40
> 01:23:16.165707 IP 10.0.0.1 > 10.0.0.2: ICMP echo reply, id 1, seq 
> 2857, length 40
Already tested above, as well.

> 01:23:29.808414 IP 10.0.0.2 > 192.168.1.2: ICMP echo request, id 1, 
> seq 2865, length 40
> 01:23:29.808828 IP 10.0.0.1 > 10.0.0.2: ICMP 192.168.1.2 protocol 1 
> port
> 16938 unreachable, length 68
Again: the openwrt router (192.168.1.1) denies packets between 192.168.2.1
and
192.168.1.2 - this time from the other direction.

Thus 192.168.1.1 seems to cause the problem. Probably you did not allow the
traffic flow that you are going after.
This should be strictly an firewalling or openwrt issue. You should check
your firewall zones (as openwrt calls it) and the allowed packet flows
between these zones.

Cheers,
Lars