Joey Kelly
2017-10-16 00:31:04 UTC
ed on kernel 2.4.30. I now have a full machine running Linux and kernel
4.9.41.
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550
_______________________________________________
Ale mailing list
***@ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo
On my network I have one machine running OpenVPN (separate machine from the router). It is behind the NAT. The
Any reason why OpenVPN isn't on the edge device? I wouldn't want to be doing UDP NAT (or maybe you're not?).
--Joey
modem
|
v
[public static IP] eth0:router WAN
[10.0.0.1/16] eth1:router LAN
|
v
[10.0.0.200] eth0:openvpn
[10.100.0.1/24] tun0:openvpn tunnels/clients
route add -net 10.100.0.0/16 gw 10.0.0.200
Everything worked, all LAN clients were accessible from the OpenVPN clients (my phone for now using LTE network).
I duplicated the iptables configuration from the old router to the new one. I also added the static route as above.
Standard port forwarding is working and OpenVPN clients can tunnel in and connect to the OpenVPN server with no issues.
A VPN client can ping both IPs of the OpenVPN server (10.100.0.1 and 10.0.0.200).
A VPN client can ping the router's internal IP (10.0.0.1).
A VPN client can exit the network and browse the public Internet (expected, glad that part works).
A VPN client can NOT ping inbound to a LAN client but a LAN client CAN ping outbound to the OpenVPN client.
If a LAN client pings the VPN client first, then for a short period of time the VPN client can ping back that same LAN
client but it still can not ping other clients. (ARP table not filling? Broadcast problems?)
I can add a static route to some LAN clients (not all of them have this ability) and I can ping the LAN client from the
VPN client without having to ping or make contact from the LAN side first.
Obviously something is very different about the new kernel's routing table unlike the very simplistic one in BusyBox/2.4
but I really am not understanding what I've missed.
I can dump routing tables for you though I'm not well versed in the "ip" command and I know there are some various
hidden routing tables that could be interfering.
# ip route show
default via 108.95.189.246 dev eth0 onlink
10.0.0.0/16 dev eth1 proto kernel scope link src 10.0.0.1
10.100.0.0/24 via 10.0.0.200 dev eth1
108.95.189.240/29 dev eth0 proto kernel scope link src 108.95.189.245
# ip route show table all
default via 108.95.189.246 dev eth0 onlink
10.0.0.0/16 dev eth1 proto kernel scope link src 10.0.0.1
10.100.0.0/24 via 10.0.0.200 dev eth1
108.95.189.240/29 dev eth0 proto kernel scope link src 108.95.189.245
broadcast 10.0.0.0 dev eth1 table local proto kernel scope link src 10.0.0.1
local 10.0.0.1 dev eth1 table local proto kernel scope host src 10.0.0.1
broadcast 10.0.255.255 dev eth1 table local proto kernel scope link src 10.0.0.1
broadcast 108.95.189.240 dev eth0 table local proto kernel scope link src 108.95.189.245
local 108.95.189.245 dev eth0 table local proto kernel scope host src 108.95.189.245
broadcast 108.95.189.247 dev eth0 table local proto kernel scope link src 108.95.189.245
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
All of this worked just fine with the old router but I really needed to update the router to something that would take
newer updates and handle data volumes better.
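The routing tables above describe two different paths for one ping: the OpenVPN server delivers to a LAN client directly over the shared 10.0.0.0/16 segment, while a LAN client with no route for 10.100.0.0/24 has to send its reply to the router, which forwards it back out the same interface to 10.0.0.200. The script below is an added example, not part of the thread, that parses the router's main table exactly as posted, adds constructed tables for the LAN client and the OpenVPN server (assumptions, since those were not posted), traces both directions hop by hop, and applies the same longest-prefix lookup the kernel uses for strict reverse-path filtering (rp_filter=1). The LAN client address 10.0.0.50 and the VPN client address 10.100.0.5 are assumed.

```python
"""Trace forward and return paths through the routing tables from the post."""
import ipaddress

# Router's main table, copied verbatim from the 'ip route show' output in the post.
ROUTER_ROUTES = """\
default via 108.95.189.246 dev eth0 onlink
10.0.0.0/16 dev eth1 proto kernel scope link src 10.0.0.1
10.100.0.0/24 via 10.0.0.200 dev eth1
108.95.189.240/29 dev eth0 proto kernel scope link src 108.95.189.245
"""

# Constructed tables (assumptions, not posted): a LAN client with only its
# connected network plus a default route, and the OpenVPN server with tun0.
LAN_CLIENT_ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/16 dev eth0 proto kernel scope link src 10.0.0.50
"""
OPENVPN_ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/16 dev eth0 proto kernel scope link src 10.0.0.200
10.100.0.0/24 dev tun0 proto kernel scope link src 10.100.0.1
"""


def parse_routes(text):
    """Parse 'ip route show' lines into (prefix, next_hop_or_None, dev) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        prefix = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        via = f[f.index("via") + 1] if "via" in f else None
        dev = f[f.index("dev") + 1]
        routes.append((prefix, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match. Returns (egress_dev, next_hop); next_hop None means on-link."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, via, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[1]


def rp_filter_strict_ok(routes, src, ingress_dev):
    """Strict reverse-path filter: the route back to src must leave via ingress_dev."""
    dev, _ = lookup(routes, src)
    return dev == ingress_dev


def router_hairpin(router_routes, prev_hop, dst):
    """True when the router receives on and forwards out the same interface."""
    ingress, _ = lookup(router_routes, prev_hop)
    egress, _ = lookup(router_routes, dst)
    return ingress == egress


HOSTS = {
    "openvpn": parse_routes(OPENVPN_ROUTES),
    "router": parse_routes(ROUTER_ROUTES),
    "lan_client": parse_routes(LAN_CLIENT_ROUTES),
}
# Which host owns each next-hop address (assumed addresses from the diagram plus 10.0.0.50).
ADDR_TO_HOST = {"10.0.0.1": "router", "10.0.0.200": "openvpn", "10.0.0.50": "lan_client"}


def trace(start, dst, max_hops=8):
    """Follow routing decisions from host `start` toward dst.
    Returns [(host, egress_dev), ...]; stops at the host that delivers on-link."""
    path, host = [], start
    for _ in range(max_hops):
        dev, via = lookup(HOSTS[host], dst)
        path.append((host, dev))
        if via is None:
            return path
        host = ADDR_TO_HOST[via]
    raise RuntimeError("routing loop or too many hops")


if __name__ == "__main__":
    print("VPN client -> LAN client:", trace("openvpn", "10.0.0.50"))
    print("LAN client -> VPN client:", trace("lan_client", "10.100.0.5"))
    print("router hairpins the reply on one interface:",
          router_hairpin(HOSTS["router"], "10.0.0.50", "10.100.0.5"))
    print("strict rp_filter on router accepts 10.100.0.5 arriving on eth1:",
          rp_filter_strict_ok(HOSTS["router"], "10.100.0.5", "eth1"))
```

Run as-is, the forward path is a single hop (the OpenVPN server delivers to 10.0.0.50 on its own segment) while the reply goes LAN client, router eth1 in, router eth1 out, OpenVPN server tun0. Only the reply leg crosses the router, so the router's FORWARD chain, its rp_filter setting and its ICMP redirect behaviour apply to that direction alone, and the router's connection tracking never sees the outbound half of the flow. The strict reverse-path check passes here because the router's only route back to 10.100.0.0/24 is via eth1; the same lookup returns eth0 for a source that should have arrived from the WAN, which is the case rp_filter is meant to drop.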