<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">ip_forward was not enabled, now it is. Still same result:<div>On VPN_office I use 'tcpdump -npi any icmp and host 192.168.1.1' and ping 192.168.1.1 from the client:<br></div><div><div>5:28:42.646203 IP 172.16.0.3 > <a href="http://192.168.1.1">192.168.1.1</a>: ICMP echo request, id 1584, seq 1, length 64</div><div>15:28:43.663014 IP 172.16.0.3 > <a href="http://192.168.1.1">192.168.1.1</a>: ICMP echo request, id 1584, seq 2, length 64</div><div>15:28:44.688133 IP 172.16.0.3 > <a href="http://192.168.1.1">192.168.1.1</a>: ICMP echo request, id 1584, seq 3, length 64</div><div>15:28:45.714886 IP 172.16.0.3 > <a href="http://192.168.1.1">192.168.1.1</a>: ICMP echo request, id 1584, seq 4, length 64</div><div>15:28:46.738332 IP 172.16.0.3 > <a href="http://192.168.1.1">192.168.1.1</a>: ICMP echo request, id 1584, seq 5, length 64</div><div>15:28:47.756378 IP 172.16.0.3 > <a href="http://192.168.1.1">192.168.1.1</a>: ICMP echo request, id 1584, seq 6, length 64</div></div><div><br></div><div>'iptables -L -vn' yields:</div><div><br></div><div><div>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)</div><div> pkts bytes target prot opt in out source destination </div><div> 799 156K ACCEPT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> ctstate RELATED,ESTABLISHED</div><div> 0 0 ACCEPT all -- lo * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 22 1592 INPUT_direct all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 22 1592 INPUT_ZONES_SOURCE all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 22 1592 INPUT_ZONES all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 2 224 DROP all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> 
ctstate INVALID</div><div> 17 1140 REJECT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-host-prohibited</div><div><br></div><div>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)</div><div> pkts bytes target prot opt in out source destination </div><div> 0 0 ACCEPT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> ctstate RELATED,ESTABLISHED</div><div> 0 0 ACCEPT all -- lo * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 FORWARD_direct all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 FORWARD_IN_ZONES_SOURCE all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 FORWARD_IN_ZONES all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 FORWARD_OUT_ZONES_SOURCE all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 FORWARD_OUT_ZONES all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 DROP all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> ctstate INVALID</div><div> 0 0 REJECT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-host-prohibited</div><div> 0 0 ACCEPT all -- VPN_Main * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div><br></div><div>Chain OUTPUT (policy ACCEPT 896 packets, 195K bytes)</div><div> pkts bytes target prot opt in out source destination </div><div> 898 195K OUTPUT_direct all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div><br></div><div>Chain FORWARD_IN_ZONES (1 references)</div><div> pkts bytes target prot opt in out source 
destination </div><div> 0 0 FWDI_public all -- p8p1 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> [goto] </div><div> 0 0 FWDI_public all -- + * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> [goto] </div><div><br></div><div>Chain FORWARD_IN_ZONES_SOURCE (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain FORWARD_OUT_ZONES (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div> 0 0 FWDO_public all -- * p8p1 <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> [goto] </div><div> 0 0 FWDO_public all -- * + <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> [goto] </div><div><br></div><div>Chain FORWARD_OUT_ZONES_SOURCE (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain FORWARD_direct (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain FWDI_public (2 references)</div><div> pkts bytes target prot opt in out source destination </div><div> 0 0 FWDI_public_log all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 FWDI_public_deny all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 FWDI_public_allow all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 ACCEPT icmp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div><br></div><div>Chain FWDI_public_allow (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain FWDI_public_deny (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain FWDI_public_log (1 
references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain FWDO_public (2 references)</div><div> pkts bytes target prot opt in out source destination </div><div> 0 0 FWDO_public_log all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 FWDO_public_deny all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 0 0 FWDO_public_allow all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div><br></div><div>Chain FWDO_public_allow (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain FWDO_public_deny (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain FWDO_public_log (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain INPUT_ZONES (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div> 17 1140 IN_public all -- p8p1 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> [goto] </div><div> 5 452 IN_public all -- + * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> [goto] </div><div><br></div><div>Chain INPUT_ZONES_SOURCE (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain INPUT_direct (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain IN_public (2 references)</div><div> pkts bytes target prot opt in out source destination </div><div> 22 1592 IN_public_log all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 22 1592 IN_public_deny all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 22 1592 
IN_public_allow all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div> 2 168 ACCEPT icmp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </div><div><br></div><div>Chain IN_public_allow (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div> 1 60 ACCEPT tcp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:22 ctstate NEW</div><div><br></div><div>Chain IN_public_deny (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain IN_public_log (1 references)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain OUTPUT_direct (1 references)</div><div> pkts bytes target prot opt in out source destination </div></div><div><br></div><div><br></div><div><br></div><div><br></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, 15 Jan 2019 at 13:49, Lars Kruse <<a href="mailto:lists@sumpfralle.de">lists@sumpfralle.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello Julien,<br>
<br>
<br>
On Tue, 15 Jan 2019 09:30:23 +0100<br>
Julien dupont <<a href="mailto:marcelvierzon@gmail.com" target="_blank">marcelvierzon@gmail.com</a>> wrote:<br>
<br>
> In that case I see:<br>
> IP 172.16.0.3 > <a href="http://192.168.1.1" rel="noreferrer" target="_blank">192.168.1.1</a>: ICMP echo request, id2135, seq1, length 64<br>
> IP 172.16.0.3 > <a href="http://192.168.1.1" rel="noreferrer" target="_blank">192.168.1.1</a>: ICMP echo request, id2135, seq2, length 64<br>
> IP 172.16.0.3 > <a href="http://192.168.1.1" rel="noreferrer" target="_blank">192.168.1.1</a>: ICMP echo request, id2135, seq3, length 64<br>
> <br>
> Packet goes through but no PONG back if I understand correctly. That's<br>
> probably where it goes wrong.<br>
<br>
Yes, the final response is missing.<br>
But the above output also lacks the forwarded packets (into your<br>
<a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a> subnet).<br>
Thus I could imagine that at least one of the following items is true:<br>
* "ip_forward" (/proc/sys/net/ipv4/ip_forward) is not enabled on 192.168.1.3<br>
* firewall rules do not allow such packets to be forwarded (see the output of<br>
"iptables -L -vn") on 192.168.1.3<br>
<br>
<br>
> On VPN_office 'tcpdump -npi any icmp', on 192.168.1.100 'ping 172.16.0.3':<br>
> 192.168.1.100 > <a href="http://172.16.0.3" rel="noreferrer" target="_blank">172.16.0.3</a>: ICMP echo request, id 11452, seq1, length 64<br>
> 192.168.1.100 > <a href="http://172.16.0.3" rel="noreferrer" target="_blank">172.16.0.3</a>: ICMP echo request, id 11452, seq2, length 64<br>
> 192.168.1.100 > <a href="http://172.16.0.3" rel="noreferrer" target="_blank">172.16.0.3</a>: ICMP echo request, id 11452, seq3, length 64<br>
> ...<br>
<br>
This indicates that your packets are leaving the host.<br>
The next steps would be to check at which point they (or their response) get<br>
lost.<br>
<br>
<br>
Cheers,<br>
Lars<br>
</blockquote></div>
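<div>Added example, not part of the original messages or of tinc: the FORWARD chain in the listing above shows an ACCEPT for VPN_Main placed after an unconditional REJECT, so one check worth automating is whether any rule in 'iptables -L -vn' output sits behind a catch-all terminating rule in the same chain. The function names are hypothetical, the sample listing is constructed from the FORWARD chain in the message, and only rule order within a chain is examined (jumps are not followed).</div>

```python
# Added example: find rules that can never match in `iptables -L -vn` output.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
KEYS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")

# Constructed sample, modelled on the FORWARD chain quoted in the message.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source       destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0    0.0.0.0/0    ctstate RELATED,ESTABLISHED
    0     0 FORWARD_IN_ZONES  all  --  *  *    0.0.0.0/0    0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0    0.0.0.0/0    ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  VPN_Main *     0.0.0.0/0    0.0.0.0/0
"""

def parse_chains(listing):
    """Return {chain name: [rule dict, ...]} with rules in listing order."""
    chains, current = {}, None
    for line in listing.splitlines():
        f = line.split()
        if f[:1] == ["Chain"]:
            current = chains.setdefault(f[1], [])
        elif current is not None and len(f) >= 9 and f[0] != "pkts":
            # Fields past the destination are match or target options.
            current.append(dict(zip(KEYS, f[:9]), extra=f[9:]))
    return chains

def is_catch_all(rule):
    """True for a terminating rule with no protocol, interface, address or match filter."""
    # "reject-with ..." is an option of the REJECT target, not a match condition.
    no_match = not rule["extra"] or rule["extra"][0] == "reject-with"
    wide = (rule["prot"], rule["in"], rule["out"], rule["src"], rule["dst"]) == (
        "all", "*", "*", "0.0.0.0/0", "0.0.0.0/0")
    return rule["target"] in TERMINAL and wide and no_match

def shadowed_rules(listing):
    """List (chain, position, target, in-interface) for rules placed after a catch-all."""
    found = []
    for chain, rules in parse_chains(listing).items():
        blocked = False
        for pos, rule in enumerate(rules, 1):
            if blocked:
                found.append((chain, pos, rule["target"], rule["in"]))
            blocked = blocked or is_catch_all(rule)
    return found

if __name__ == "__main__":
    for hit in shadowed_rules(SAMPLE):
        print("unreachable rule:", hit)
```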