Posted: Thu May 25, 2017 17:27 Post subject: SOLVED Clients on network bridge unreachable
My DD-WRT router is set up with a "PPPoE Dual" connection, meaning it sits on the LAN of the ISP's router but also gets its own PPP connection to the internet.
The DD-WRT router is on 192.168.10.0/24 (br0) with a second bridge (VAP) on 192.168.9.0/24 (br1). The ISP router is on 192.168.5.0/24 (vlan).
Finally it runs an openvpn server 10.7.0.0/24 (tun0) and openvpn client 10.8.0.0/24 (tun1). All traffic on 192.168.10.0/24 is set up to route to internet over tun1. All traffic on 192.168.9.0/24 routes to internet over ppp0. This is accomplished by use of rule-based routing and is summarized below.
I want all the internal networks to interconnect seamlessly. That means 10.7.0.*, 192.168.10.*, 192.168.9.*. However, there are two problems:
1) Clients on 192.168.10.0/24 (br0) cannot ping clients on .9.0/24 for some reason.
2) Similarly, clients on the VPN (10.7.0.0/24 tun0) cannot ping .9.0/24 (br1). (They can ping the router at 192.168.9.1, and openvpn does: push "route 192.168.9.0 255.255.255.0")
In both cases, they can reach other clients on other networks, and they can reach the router. If I ssh into the router, it can of course ping clients on .9.0/24. The problem remains even when disabling and flushing iptables.
I'm at a loss as to what's going on here. As shown below, routes should be set up for these.
Any insights? I'm sure I'm missing something, but at this point I have no idea what!
Code:
root@DD-WRT:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default XXX.XXX.XXX.XXX 0.0.0.0 UG 0 0 0 ppp0
10.7.0.0 * 255.255.255.0 U 0 0 0 tun0
10.8.0.0 * 255.255.255.0 U 0 0 0 tun1
XXX.XXX.XXX.XXX * 255.255.255.255 UH 0 0 0 ppp0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
XXX.XXX.0.0 * 255.255.0.0 U 0 0 0 br0
192.168.5.0 * 255.255.255.0 U 0 0 0 vlan2
192.168.9.0 * 255.255.255.0 U 0 0 0 br1
192.168.10.0 * 255.255.255.0 U 0 0 0 br0
root@DD-WRT:~# ip rule
0: from all lookup local
2000: from 192.168.10.0/24 lookup 200
2001: from 192.168.10.0/24 lookup 201
32766: from all lookup main
32767: from all lookup default
root@DD-WRT:~# ip route list table 200
default via 10.8.0.4 dev tun1
10.7.0.0/24 dev tun0 scope link
192.168.5.0/24 dev vlan2 scope link
192.168.9.0/24 dev br1 scope link
192.168.10.0/24 dev br0 scope link
192.168.12.0/24 via 192.168.5.3 dev vlan2
root@DD-WRT:~# ip route list table 201
unreachable default
root@DD-WRT:~# ip route list table main
default via XXX.XXX.XXX.XXX dev ppp0
10.7.0.0/24 dev tun0 proto kernel scope link src 10.7.0.1
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.4
XXX.XXX.XXX.XXX dev ppp0 proto kernel scope link src YYY.YYY.YYY.YYY
127.0.0.0/8 dev lo scope link
XXX.XXX.0.0/16 dev br0 proto kernel scope link src XXX.XXX.255.1
192.168.5.0/24 dev vlan2 proto kernel scope link src 192.168.5.2
192.168.9.0/24 dev br1 proto kernel scope link src 192.168.9.1
192.168.10.0/24 dev br0 proto kernel scope link src 192.168.10.1
Last edited by jtbr on Thu May 25, 2017 20:44; edited 1 time in total
The clients I tried on the .9.0/24 network were both Windows machines, and it turns out the Windows firewall was blocking connections from other subnets!
I added a rule to the firewall to allow the other subnets and now it's working.