Turns out I needed to masquerade the traffic coming into that INSIDE node. Since I use UFW to manage iptables, adding this to my /etc/ufw/before.rules and restarting UFW fixed it for me:

"-A POSTROUTING -s 10.9.0.0/24 -o eth1 -j MASQUERADE"

Very Respectfully,
Kismet-Gerald Agbasi
IT/Systems Administrator
Central Truck Center, Inc.
www.centraltruckcenter.com

-----Original Message-----
From: Kismet Agbasi [mailto:[email protected]]
Sent: Thursday, October 6, 2016 12:17 PM
To: 'Keith' <[email protected]>; '[email protected]' <[email protected]>
Subject: RE: Can't Route LAN Traffic Behind Tinc Network

Oh yes - so ubuntu2 is the Linux host running tinc on my LAN (the one I'm referring to as INSIDE node). I can ping it from my Windows machine and vice versa without any trouble. I can also ping all other devices on my LAN from ubuntu2 and vice versa, also without any issues. Output of "tcpdump -i eth1 icmp" confirms that packets are reaching the box and going out on the correct interface. 10.9.0.4 is the tinc IP address of EXTERNAL node.
root@ubuntu2:~# tcpdump -i eth1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:12:44.625280 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 1, length 64
12:12:45.630867 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 2, length 64
12:12:46.638898 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 3, length 64
12:12:47.646764 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 4, length 64
12:12:48.654765 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 5, length 64
12:12:49.662973 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 6, length 64
12:12:50.670642 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 7, length 64
12:12:51.678942 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 8, length 64
12:12:52.686627 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 9, length 64
12:12:53.694864 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 10, length 64
12:12:54.702841 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 11, length 64
12:12:55.710574 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 12, length 64
12:12:56.718886 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 13, length 64
12:12:57.726749 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 14, length 64
12:12:58.734801 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 15, length 64
^C
15 packets captured
16 packets received by filter
0 packets dropped by kernel

-----Original Message-----
From: Keith [mailto:[email protected]]
Sent: Thursday, October 6, 2016 11:27 AM
To: [email protected]; [email protected]
Subject: Re: Can't Route LAN Traffic Behind Tinc Network

On 06/10/2016 17:16, Kismet Agbasi wrote:
> Thanks again Keith. I disabled UFW and flushed iptables completely, but same
> result. Pings from the external node are reaching the internal node on the
> tinc0 interface but nothing happens after that. Now that I'm thinking of it,
> I did some masquerading in order to get OpenVPN to work on another box, I
> wonder if that would be applicable here?

Weird. I dunno. Something is missing from the picture.

You could check if the pings to 172.23.6.x are going out on the eth1 interface with

tcpdump -i eth1 icmp

You are trying to ping this internal Windows box via tinc, right? (the one from where you posted a ping to 172.23.6.149?) Does it have Windows firewall enabled? Sometimes Windows firewall blocks incoming pings. Can you ping it from the machine called ubuntu2?

k/

_______________________________________________
tinc mailing list
[email protected]
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
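A way to spot the symptom Keith was probing for (echo requests leaving eth1 with no replies coming back), as an added example that is not from the thread: it parses tcpdump lines like those in the capture above and reports flows with unanswered requests. The sample input is constructed from the first lines of that capture plus invented reply lines so the healthy case is shown too.

```python
import re
from collections import defaultdict

# Constructed sample: three lines from the thread's capture, one invented reply
# to the third request, and an invented LAN-local ping that is fully answered.
SAMPLE = """\
12:12:44.625280 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 1, length 64
12:12:45.630867 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 2, length 64
12:12:46.638898 IP 10.9.0.4 > 172.23.6.1: ICMP echo request, id 16606, seq 3, length 64
12:12:50.100000 IP 172.23.6.1 > 10.9.0.4: ICMP echo reply, id 16606, seq 3, length 64
12:12:51.000000 IP 172.23.6.5 > 172.23.6.1: ICMP echo request, id 42, seq 1, length 64
12:12:51.000500 IP 172.23.6.1 > 172.23.6.5: ICMP echo reply, id 42, seq 1, length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_icmp(text):
    """Yield (kind, src, dst, id, seq) for each echo line; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])

def one_way_flows(text):
    """Return {(client, target, id): unanswered_seqs} for flows lacking replies.

    A flow is keyed by the ping client, its target and the ICMP id. A reply is
    matched to a request by swapping src/dst and comparing id and seq. Flows
    whose every request was answered are left out of the result.
    """
    requests = defaultdict(set)
    replies = defaultdict(set)
    for kind, src, dst, ident, seq in parse_icmp(text):
        if kind == "request":
            requests[(src, dst, ident)].add(seq)
        else:
            replies[(dst, src, ident)].add(seq)
    return {
        flow: sorted(seqs - replies[flow])
        for flow, seqs in requests.items()
        if seqs - replies[flow]
    }

if __name__ == "__main__":
    for (client, target, ident), missing in one_way_flows(SAMPLE).items():
        print(f"{client} -> {target} (id {ident}): no reply for seq {missing}")
```

Unanswered requests to a LAN host that otherwise replies point at the host having no route back to the 10.9.0.0/24 source, which is why the MASQUERADE rule in the first message fixed it. In before.rules that rule only takes effect inside a *nat table section terminated by COMMIT, and only if IP forwarding is enabled on the node.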
