I have a site-to-site tunnel via IPsec which is working fine.
There is a local range of 10.1.60.0/24 and the tunnel connects to a remote range of 10.1.10.0/23.
If I run updown.sh vti64 up, everything that is sent over the tunnel still works. Everything else breaks.
If I run a ping from the local client 10.1.60.221 to the remote host 10.1.10.17 (which is inside the network range configured in the GUI) and watch it with tcpdump, everything works fine:
"
switch0 P IP0 (invalid)
switch0.2 P IP 10.1.60.221 > 10.1.10.17: ICMP echo request, id 1, seq 848, length 40
br2 In IP 10.1.60.221 > 10.1.10.17: ICMP echo request, id 1, seq 848, length 40
vti64 Out IP 10.1.60.221 > 10.1.10.17: ICMP echo request, id 1, seq 848, length 40
vti64 In IP 10.1.10.17 > 10.1.60.221: ICMP echo reply, id 1, seq 848, length 40
br2 Out IP 10.1.10.17 > 10.1.60.221: ICMP echo reply, id 1, seq 848, length 40
"
But if I ping something else, like 9.9.9.9, the packet suddenly stops at "vti64 In" and never shows up on the br2 interface.
"
switch0 P IP0 (invalid)
switch0.2 P IP 10.1.60.221 > 9.9.9.9: ICMP echo request, id 1, seq 851, length 40
br2 In IP 10.1.60.221 > 9.9.9.9: ICMP echo request, id 1, seq 851, length 40
vti64 Out IP 10.1.60.221 > 9.9.9.9: ICMP echo request, id 1, seq 851, length 40
vti64 In IP 9.9.9.9 > 10.1.60.221: ICMP echo reply, id 1, seq 851, length 40
"
For testing I added FW rules to allow everything.
The config file uses FORCED_SOURCE_INTERFACE=br2, BYPASS_MASQUERADE_IPV4="ALL", VPN_PROVIDER="nexthop", MSS_CLAMPING_IPV4="1382", DEV=vti64, VPN_ENDPOINT_IPV4="10.1.10.254". Everything else is at the default values.
The ip rule output looks like:
0: from all lookup local
99: from all fwmark 0x169 lookup 101
220: from all lookup 220
32000: from all lookup main
32500: from to lookup 201.eth8
32501: from all fwmark 0x1a0000/0x7e0000 lookup 201.eth8
32503: from lookup 201.eth8
32765: from all fwmark 0x10000/0x10000 lookup 251.blackhole
32766: from all lookup 201.eth8
32767: from all lookup default
The important stuff from ip r list table all:
0.0.0.0/1 via 10.1.10.254 dev vti64 table 101
blackhole default table 101
128.0.0.0/1 via 10.1.10.254 dev vti64 table 101
default via dev eth8 table 201.eth8 proto dhcp
blackhole default table 251.blackhole proto PBR
10.1.10.0/23 dev vti64 proto static scope link metric 30
10.1.60.0/24 dev br2 proto kernel scope link src 10.1.60.254
dev eth8 proto kernel scope link src
I can't figure out why packets that come in from the tunnel won't show up on br2.
Can someone help me find the bug?
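Added example, not part of the original post or of the VPN script it describes: a small Python model of the rule and route tables listed above, used to run one check a practitioner would want here, namely which interface the kernel's route-back-to-source lookup resolves to for the reply when the packet arrives on vti64 without the fwmark. The rules and routes are a constructed copy of the post's output; rules 32500 and 32503, the eth8 connected route and the contents of tables local, 220 and default are left out or assumed empty because they are incomplete in the post, and the assumption that the reverse-path check sees the inbound reply before any mark is applied is mine. It is a check, not a diagnosis.

```python
import ipaddress

# Constructed copy of the `ip rule` and `ip route` output from the post above.
# Rules 32500 and 32503 and the eth8 connected route are left out because their
# selectors/prefix did not survive in the post; tables "local", "220" and
# "default" are assumed to hold nothing relevant to these lookups.
# Rule: (priority, (fwmark value, mask) or None for "from all", table)
RULES = [
    (0,     None,                 "local"),
    (99,    (0x169, 0xffffffff),  "101"),
    (220,   None,                 "220"),
    (32000, None,                 "main"),
    (32501, (0x1a0000, 0x7e0000), "201.eth8"),
    (32765, (0x10000, 0x10000),   "251.blackhole"),
    (32766, None,                 "201.eth8"),
    (32767, None,                 "default"),
]

# Table: list of (prefix, egress device or "blackhole"). Gateway addresses do
# not matter for an interface-level check, so they are not modelled.
ROUTES = {
    "101":           [("0.0.0.0/1", "vti64"), ("128.0.0.0/1", "vti64"),
                      ("0.0.0.0/0", "blackhole")],
    "main":          [("10.1.10.0/23", "vti64"), ("10.1.60.0/24", "br2")],
    "201.eth8":      [("0.0.0.0/0", "eth8")],
    "251.blackhole": [("0.0.0.0/0", "blackhole")],
}


def rule_matches(selector, mark):
    """A rule with no fwmark selector matches everything; otherwise mask and compare."""
    if selector is None:
        return True
    value, mask = selector
    return (mark & mask) == value


def table_lookup(table, dst):
    """Longest-prefix match inside one table; None when the table has no route."""
    best = None
    for prefix, dev in ROUTES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return None if best is None else best[1]


def lookup(dst, mark=0):
    """Walk the rules in priority order; the first table holding a matching
    route wins (a blackhole route is a match whose action is to drop)."""
    dst = ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(RULES, key=lambda r: r[0]):
        if not rule_matches(selector, mark):
            continue
        dev = table_lookup(table, dst)
        if dev is not None:
            return table, dev
    return None, "unreachable"


def strict_rpf_ok(src, ingress_dev, mark=0):
    """Strict reverse-path filter (rp_filter=1): the best route back to the
    packet's source must leave through the interface the packet arrived on."""
    _table, dev = lookup(src, mark)
    return dev == ingress_dev


if __name__ == "__main__":
    client = "10.1.60.221"
    for remote in ("10.1.10.17", "9.9.9.9"):
        fwd_table, fwd_dev = lookup(remote, mark=0x169)  # marked by the VPN script
        rev_table, rev_dev = lookup(remote)              # unmarked route back to the source
        verdict = "pass" if strict_rpf_ok(remote, "vti64") else "DROP"
        print(f"{client} -> {remote}: forward via {fwd_dev} (table {fwd_table}); "
              f"route back to {remote} via {rev_dev} (table {rev_table}); "
              f"strict rp_filter on vti64 would {verdict} the reply")
```

With these tables the marked request to 9.9.9.9 leaves via table 101 on vti64, but an unmarked lookup for 9.9.9.9 falls through main to 201.eth8 and resolves to eth8, so a strict reverse-path filter on vti64 would discard the reply before forwarding, while 10.1.10.17 resolves to vti64 in main and passes. That matches the trace (reply seen on vti64 In, never on br2 Out) without proving it; the real check is on the router itself, with sysctl net.ipv4.conf.vti64.rp_filter (and the all.rp_filter value, since the higher of the two applies) and ip route get 10.1.60.221 from 9.9.9.9 iif vti64, which reports an error when the reverse-path validation fails.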