Can't ping 2nd router from Asus Ping Tool

blitzkrieg

Occasional Visitor
Hi all

I've an RT-AC66U_B1 running Merlin's 380.67.
OpenVPN setup as follows:
TUN. Push LAN to clients. Direct clients to redirect Internet traffic. Respond to DNS. Advertise DNS to clients.

A DLink router is connected to the Asus through each other's LAN port and is in the same 192.168.4.0/25 subnet. So it is essentially a switch.

I can connect to OpenVPN successfully and am able to access a NAS server with no problem. But I can't ping or access the DLink router 192.168.4.2 while in OpenVPN. However, I can ping the PCs, Asus router and Android devices.

Any additional routing/iptables need to be added?

Here's the untouched iptables:
Code:
/root# iptables -L                                        
Chain INPUT (policy ACCEPT)                                                      
target     prot opt source               destination                              
ACCEPT     all  --  anywhere             anywhere                                
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1194        
DROP       icmp --  anywhere             anywhere             icmp echo-request  
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED                                                                            
DROP       all  --  anywhere             anywhere             state INVALID      
PTCSRVWAN  all  --  anywhere             anywhere                                
PTCSRVLAN  all  --  anywhere             anywhere                                
ACCEPT     all  --  anywhere             anywhere             state NEW          
ACCEPT     all  --  anywhere             anywhere             state NEW          
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc                                                                            
INPUT_ICMP  icmp --  anywhere             anywhere                                
DROP       all  --  anywhere             anywhere                                
                                                                                 
Chain FORWARD (policy DROP)                                                      
target     prot opt source               destination                              
ipttolan   all  --  anywhere             anywhere                                
iptfromlan  all  --  anywhere             anywhere                                
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED                                                                            
ACCEPT     all  --  anywhere             anywhere                                
DROP       all  --  anywhere             anywhere                                
DROP       all  --  anywhere             anywhere             state INVALID      
ACCEPT     all  --  anywhere             anywhere                                
SECURITY   all  --  anywhere             anywhere                                
NSFW       all  --  anywhere             anywhere                                
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT        
ACCEPT     all  --  anywhere             anywhere                                
                                                                                 
Chain OUTPUT (policy ACCEPT)                                                      
target     prot opt source               destination                              
                                                                                 
Chain ACCESS_RESTRICTION (0 references)                                          
target     prot opt source               destination                              
                                                                                 
Chain FUPNP (0 references)                                                        
target     prot opt source               destination                              
                                                                                 
Chain INPUT_ICMP (1 references)                                                  
target     prot opt source               destination                              
RETURN     icmp --  anywhere             anywhere             icmp echo-request  
RETURN     icmp --  anywhere             anywhere             icmp timestamp-request                                                                                
ACCEPT     icmp --  anywhere             anywhere                                
                                                                                 
Chain NSFW (1 references)                                                        
target     prot opt source               destination                              
                                                                                 
Chain PControls (0 references)                                                    
target     prot opt source               destination                              
ACCEPT     all  --  anywhere             anywhere                                
                                                                                 
Chain PTCSRVLAN (1 references)                                                    
target     prot opt source               destination                              
                                                                                 
Chain PTCSRVWAN (1 references)                                                    
target     prot opt source               destination                              
                                                                                 
Chain SECURITY (1 references)                                                    
target     prot opt source               destination                              
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5                                                
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN                                                                        
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5                                                
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST                                                                        
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5                                                            
DROP       icmp --  anywhere             anywhere             icmp echo-request  
RETURN     all  --  anywhere             anywhere                                
                                                                                 
Chain iptfromlan (1 references)                                                  
target     prot opt source               destination                              
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.4.0/255.255.255.128 name: lan                                        
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.4.0/255.255.255.128 name: lan                                        
                                                                                 
Chain ipttolan (1 references)                                                    
target     prot opt source               destination                              
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.4.0/255.255.255.128 name: lan                                        
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.4.0/255.255.255.128 name: lan                                        
                                                                                 
Chain logaccept (0 references)                                                    
target     prot opt source               destination                              
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "                      
ACCEPT     all  --  anywhere             anywhere                                
                                                                                 
Chain logdrop (0 references)                                                      
target     prot opt source               destination                              
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "                        
DROP       all  --  anywhere             anywhere

Here's the netstat routing table:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
44.125.x.1      0.0.0.0         255.255.255.255 UH        0 0          0 eth0
192.168.4.0     0.0.0.0         255.255.255.128 U         0 0          0 br0
10.8.0.0        0.0.0.0         255.255.255.128 U         0 0          0 tun21
44.125.x.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         44.125.x.1      0.0.0.0         UG        0 0          0 eth0
Simple network view: hmnetwrk.jpg
OpenVPN setting: Screenshot_2017-07-26-16-42-23-1.png
 
This would appear to be an issue with the D-Link. Can you access the D-Link when directly connected to the LAN rather than through the VPN?
 
Yup, the DLink can be pinged/accessed normally when directly in LAN, but not through VPN. Quite strange that pinging other devices through VPN is OK, just can't access the webUI of the DLink.
 
Sorry to ask such a basic question :rolleyes: but I don't use OpenVPN. When your VPN client connects to, say, the NAS, what IP address does it have? Is it a 192.168.4.x address, a 10.8.0.x or something else? I can imagine that the D-Link might not like clients that don't come from 192.168.4.x.
 
VPN clients will have a 10.8.0.x address. Just can't pinpoint which iptables rule or routing table entry would allow them to connect to the DLink.
 
There won't be any additional routing required on the Asus (because the traffic is already on the LAN, it doesn't need routing). The problem is probably the iptables rules or routing on the D-Link which is blocking any non-192.168.4.x traffic.

Edit: Thinking a bit more about this... it's probably the routing on the D-Link. The traffic will be getting to the D-Link but when it tries to send a reply it doesn't know where the 10.8.0.x network is, so it sends it out the default route, which is the WAN interface.
 
Ahh, ok, makes sense.. the DLink is an 850L, so it's a bit handicapped. Anyway, the Asus and DLink are connected through the LAN ports, not the WAN port; will try to figure out how the routing is gonna be.
 
According to the D-Link manual there is a "Routing" page that looks like you can set up a static route back to the Asus for the 10.8.0.x network. :) Hopefully the "Interface" can be set to something other than "WAN".
 
Looks like a dead end to me. There's no 'LAN' option in the Static Route page of the DLink 850L, nor does editing the webUI HTML to 'LAN' work.
However, if I connect to another OpenVPN server (TUN/NAS) connected to the DLink, I'm able to ping/access the DLink router.
Hmm, any additional settings in the Asus router OpenVPN?
 
Sorry I'm out of ideas, but then I don't know much about OpenVPN.
No worries.
Anyway, I've narrowed down the culprit; apparently I can't ping the DLink router from within the Asus Ping Tool! Even pinging through PuTTY SSH fails.
So it's not OpenVPN's fault. Somehow the routing table is incomplete? From what I can see, the 192.168.4.0/25 subnet is listed. Anybody have any ideas?
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
44.125.x.1      *               255.255.255.255 UH        0 0          0 eth0
192.168.4.0     *               255.255.255.128 U         0 0          0 br0
10.8.0.0        *               255.255.255.0   U         0 0          0 tun21
44.125.x.0      *               255.255.255.0   U         0 0          0 eth0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         44.125.x.1      0.0.0.0         UG        0 0          0 eth0
 
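An added illustration, not part of any post in this thread: longest-prefix-match lookups over the Asus routing table as posted, next to a constructed table modelling the hypothesis raised earlier in the thread that the D-Link knows only its LAN and a WAN default route. The D-Link table, the interface names `lan`/`wan`, the gateway 192.0.2.1 and the sample hosts 10.8.0.2 and 192.168.4.10 are assumptions.

```python
import ipaddress

# Asus routing table as posted in the thread (WAN octet redacted by the poster).
ASUS = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
44.125.x.1      *               255.255.255.255 UH        0 0          0 eth0
192.168.4.0     *               255.255.255.128 U         0 0          0 br0
10.8.0.0        *               255.255.255.0   U         0 0          0 tun21
44.125.x.0      *               255.255.255.0   U         0 0          0 eth0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         44.125.x.1      0.0.0.0         UG        0 0          0 eth0
"""
# ASSUMPTION (constructed, not read from the D-Link): LAN route plus a WAN default only.
DLINK = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.4.0     *               255.255.255.128 U         0 0          0 lan
default         192.0.2.1       0.0.0.0         UG        0 0          0 wan
"""

def parse_routes(text):
    """Return [(network, gateway, iface)]; rows with a redacted destination are skipped."""
    routes = []
    for line in text.splitlines()[1:]:          # [1:] drops the column header
        f = line.split()
        if len(f) != 8:
            continue
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        try:
            net = ipaddress.ip_network(f"{dest}/{f[2]}")
        except ValueError:                      # e.g. 44.125.x.0
            continue
        routes.append((net, f[1], f[7]))
    return routes

def lookup(routes, addr):
    """Longest-prefix match, the rule the kernel uses to pick a route."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1:] if hits else None

def egress_report():
    asus, dlink = parse_routes(ASUS), parse_routes(DLINK)
    return {
        "asus->dlink":       lookup(asus, "192.168.4.2"),    # address from the thread
        "asus->vpn-client":  lookup(asus, "10.8.0.2"),       # constructed 10.8.0.x client
        "dlink->lan-host":   lookup(dlink, "192.168.4.10"),  # constructed LAN host
        "dlink->vpn-client": lookup(dlink, "10.8.0.2"),      # reply to the VPN client
    }

if __name__ == "__main__": print(egress_report())
```

The Asus table resolves 192.168.4.2 as directly connected on br0, so no route to the D-Link is missing there; under the assumed D-Link table, a reply to a 10.8.0.x client matches only the default route.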
