Can you ping .254? .255 should go direct and .254 should be
encapsulated to the same machine.
No
Do you have an address I can test to? I have been doing a few tests
and it would appear that there are some issues here.
44.137.0.1 should be fine, and 44.137.41.97 as well
Previously I was able to access services that were public the same as
an external host, but now many of those are not working. As an example
44.137.0.1 works fine from an external IP address, but not a
44.131.14/24 one. I have found at least 1 host responding to my
encapsulated packets with ICMP Administratively Denied, which makes me
suspect that the problem is actually my anycast setup with my source
address not matching the gateway address.
It is. Now I see what is wrong, the firewall log is full of:
Apr 6 19:47:01 Packet REJECT: IN=eth0 OUT= SRC=45.63.97.98 DST=213.222.29.194 LEN=104 TOS=0x00 PREC=0x00 TTL=52 ID=19182 DF PROTO=4
That source address apparently belongs to you but it is not the tunnel endpoint.
We reject all protocol 4 traffic from hosts not in the RIP broadcast for tunnels.
Rob
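
Added example, not part of the thread and not the gateway's own configuration: a log summarizer that applies the rule described above (protocol 4 is accepted only from known tunnel endpoints) to firewall log lines and counts rejected IPIP packets per outer source address. The endpoint set uses constructed documentation addresses standing in for the RIP-learned list, and the function names are hypothetical.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed stand-in for the tunnel endpoints learned from the RIP
# broadcast; these are documentation addresses, not real gateways.
TUNNEL_ENDPOINTS = {ip_address("192.0.2.10"), ip_address("198.51.100.7")}

# First line is the entry quoted in the thread; the others are constructed.
SAMPLE_LOG = """\
Apr 6 19:47:01 Packet REJECT: IN=eth0 OUT= SRC=45.63.97.98 DST=213.222.29.194 LEN=104 TOS=0x00 PREC=0x00 TTL=52 ID=19182 DF PROTO=4
Apr 6 19:47:02 Packet REJECT: IN=eth0 OUT= SRC=45.63.97.98 DST=213.222.29.194 LEN=104 TOS=0x00 PREC=0x00 TTL=52 ID=19183 DF PROTO=4
Apr 6 19:47:03 Packet REJECT: IN=eth0 OUT= SRC=192.0.2.10 DST=213.222.29.194 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4411 DF PROTO=TCP SPT=40000 DPT=23
Apr 6 19:47:04 Packet REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=213.222.29.194 LEN=104 TOS=0x00 PREC=0x00 TTL=49 ID=77 PROTO=4
"""

# KEY=value tokens as they appear in netfilter-style log lines (value may be empty).
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_fields(line):
    """Return the KEY=value pairs of one log line as a dict."""
    return dict(FIELD.findall(line))


def is_allowed_ipip(src, endpoints=TUNNEL_ENDPOINTS):
    """The policy from the thread: protocol 4 only from known tunnel endpoints."""
    return ip_address(src) in endpoints


def rejected_ipip_sources(log_text, endpoints=TUNNEL_ENDPOINTS):
    """Count rejected IPIP packets per outer source that is not a known endpoint."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_fields(line)
        # Only rejected protocol-4 (IP-in-IP) packets are of interest here.
        if "REJECT" not in line or fields.get("PROTO") != "4" or "SRC" not in fields:
            continue
        if not is_allowed_ipip(fields["SRC"], endpoints):
            counts[fields["SRC"]] += 1
    return counts


if __name__ == "__main__":
    for src, n in rejected_ipip_sources(SAMPLE_LOG).most_common():
        print(f"{src}: {n} IPIP packets from a source that is not a tunnel endpoint")
```

A source that appears here repeatedly while its owner reports broken tunnels points to an outer source address that differs from the registered endpoint, which is the mismatch identified in the thread.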