Thanks Keith. Here's the output: root at ubuntu2:~# iptables -vnL FORWARD Chain FORWARD (policy ACCEPT 745 packets, 47680 bytes) pkts bytes target prot opt in out source destination 6299 416K ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0 6299 416K ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0 6299 416K ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0 6299 416K ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0 6299 416K ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0 What's interesting is when I watch this command I see the packet count increasing as I run MTR on the remote node, indicating to me that the packets are arriving and hitting the correct chain, but not making it out or going out the wrong interface......hmmm. As you can tell I use UFW so here's the output of "ufw status numbered": root at ubuntu2:~# ufw status numbered Status: active To Action From -- ------ ---- [ 1] 161 ALLOW IN Anywhere [ 2] 22 ALLOW IN Anywhere [ 3] 1194 ALLOW IN Anywhere [ 4] 655 ALLOW IN Anywhere [ 5] DNS ALLOW IN Anywhere Very Respectfully, Kismet Agbasi -----Original Message----- From: Keith [mailto:keith at rhizomatica.org] Sent: Thursday, October 6, 2016 10:14 AM To: tinc at tinc-vpn.org; kagbasi at centraltruck.net Subject: Re: Can't Route LAN Traffic Behind Tinc Network On 06/10/2016 15:48, Kismet Agbasi wrote:>> Did you remember to activate kernel ip forwarding? >> i.e. echo 1 > /proc/sys/net/ipv4/ip_forward ? > I actually forgot to do this, but I have enabled it now in /etc/systctl.conf and can confirm now after a reboot that it's enabled. Unfortunately, still can't ping the node on the LAN.OK , let's just do one other simple thing before we continue, could you post the output of iptables -vnL FORWARD as long as it doesn't reveal anything you would prefer not to be public. Thanks!
On 06/10/2016 16:33, Kismet Agbasi wrote:> Thanks Keith. Here's the output:OK. I'd like to say that I recognize this is now off topic for the tinc list, as it really is about basic routing and firewalls and has little if anything to do with tinc at this point. However, it's a low volume list, so unless anyone complains, lets thrash it out here.> wrong interface......hmmm. As you can tell I use UFW so here's the output of "ufw status numbered": > > root at ubuntu2:~# ufw status numbered > Status: activeI'm actually unfamiliar with ufw, as I am with most of the plethora of iptables-helpers out there. I could ask you to post a list of all tools and chain, (iptables -vnL) but can we just do something simple first as a test? Can you disable your ufw and then run iptables -F FORWARD (just to be sure) and then test your tinc<->LAN connectivity? your default FORWARD POLICY is ACCEPT so this quick check should let us know if the firewall rules are getting in the way. I guess you should quicky re-enable your ufw rules then, so as not to remain unprotected. You have a public IP on this box, I understand. K/
Thanks again Keith. I disabled UFW and flushed iptables completely, but same result. Pings from the external node are reaching the internal node on the tinc0 interface but nothing happens after that. Now that I'm thinking of it, I did some masquerading in order to get OpenVPN to work on another box, I wonder if that would be applicable here? Very Respectfully, Kismet Agbasi -----Original Message----- From: Keith [mailto:keith at rhizomatica.org] Sent: Thursday, October 6, 2016 10:47 AM To: kagbasi at centraltruck.net; tinc at tinc-vpn.org Subject: Re: Can't Route LAN Traffic Behind Tinc Network On 06/10/2016 16:33, Kismet Agbasi wrote:> Thanks Keith. Here's the output:OK. I'd like to say that I recognize this is now off topic for the tinc list, as it really is about basic routing and firewalls and has little if anything to do with tinc at this point. However, it's a low volume list, so unless anyone complains, lets thrash it out here.> wrong interface......hmmm. As you can tell I use UFW so here's the output of "ufw status numbered": > > root at ubuntu2:~# ufw status numbered > Status: activeI'm actually unfamiliar with ufw, as I am with most of the plethora of iptables-helpers out there. I could ask you to post a list of all tools and chain, (iptables -vnL) but can we just do something simple first as a test? Can you disable your ufw and then run iptables -F FORWARD (just to be sure) and then test your tinc<->LAN connectivity? your default FORWARD POLICY is ACCEPT so this quick check should let us know if the firewall rules are getting in the way. I guess you should quicky re-enable your ufw rules then, so as not to remain unprotected. You have a public IP on this box, I understand. K/