The strange thing is that ping works ok when TCP doesn't connect. My first suspicion would be a stateful firewall, but I'm sure you checked that. Could it be a TTL problem? I'm just guessing here.
The TTL of the inside IP packet is 63. I first traced on the external interface and saw the encapsulated packet, then I traced on the tunl0 interface and saw the decapsulated packet (same without the outer IP header), and it all looks OK. I see the SYN going out, the SYN ACK coming in, but nothing more (ACK should go out). The firewall is stateful but I added an explicit accept for -s 44.0.0.1 at the top of all the rules to make sure it is not that. Also, I reset the firewall and watched the counters, did not see any packets being dropped.
And indeed, ping works OK. It is strange. Maybe something is wrong due to the gateway external address change, although I would not know what could produce the above scenario. The system is up for about a year, maybe I should try rebooting it. (usually this brings nothing when I try it... it isn't Windows :-)
Of course sometime it will become clear how this can be explained.
Rob
Rob,
Try turning off RPF (return path filtering at the kernel level). If it goes out on one interface and comes in the other, then RPF is almost always at fault, as it will by default drop the connection.
Ruben - ON3RVH
On 13 Jul 2017, at 20:27, Rob Janssen pe1chl@amsat.org wrote:
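The RPF behaviour Ruben describes has a subtlety worth checking before concluding it is "off": Linux applies the maximum of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter to an interface, so setting tunl0 to 0 changes nothing while all is still 1. The script below is an added example, not from the thread; it reads the two sysctl files from a constructed fake /proc/sys tree so it runs offline, and computes the effective value the way the kernel does.

```shell
#!/bin/sh
# Added example (not part of the 44Net thread).
# rp_filter values: 0 = off, 1 = strict (drops replies that arrive on an
# interface the kernel would not use to reach the source), 2 = loose.
# The kernel uses max(conf/all/rp_filter, conf/<dev>/rp_filter) for <dev>.

# effective_rp_filter SYSCTL_ROOT IFACE  -> prints the value actually applied
# SYSCTL_ROOT is /proc/sys on a real box; here a constructed tree is used.
effective_rp_filter() {
    root=$1
    dev=$2
    all=$(cat "$root/net/ipv4/conf/all/rp_filter")
    own=$(cat "$root/net/ipv4/conf/$dev/rp_filter")
    if [ "$all" -gt "$own" ]; then
        echo "$all"
    else
        echo "$own"
    fi
}

# make_fake_tree -> prints the root of a constructed /proc/sys look-alike
# mirroring a common distro default: all=1 (strict), tunnel set to 0.
make_fake_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/net/ipv4/conf/all" "$root/net/ipv4/conf/tunl0"
    echo 1 > "$root/net/ipv4/conf/all/rp_filter"
    echo 0 > "$root/net/ipv4/conf/tunl0/rp_filter"
    echo "$root"
}

ROOT=$(make_fake_tree)
# Despite tunl0=0, strict filtering is still in force on the tunnel:
echo "effective rp_filter on tunl0: $(effective_rp_filter "$ROOT" tunl0)"

# Loose mode for the whole box keeps some protection but accepts asymmetric
# paths. On a real system: sysctl -w net.ipv4.conf.all.rp_filter=2
echo 2 > "$ROOT/net/ipv4/conf/all/rp_filter"
echo "after loose mode on all: $(effective_rp_filter "$ROOT" tunl0)"
# To see what rp_filter dropped on a real system, enable
# net.ipv4.conf.all.log_martians=1 and look for "martian source" in dmesg.
```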
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net