Ping working but no SSH over static route

D3LTA9

New Around Here
Not sure if this is the right place for this so please move/forgive me if it is not.

I have recently built an OpenStack private cloud stack which is running on my home network using what is essentially a combination of physical and logical networking components.

The main router I am using is an Asus RT-AC66U using the standard Asus firmware. This is the default gateway for the 192.168.1.0/24 network which everything is running on apart from instances created via my private cloud. All testing is generally being done via Ethernet and not WiFi.

I also have a virtual VYOS router that I have created on top of my ESXi 6 hypervisor. This has 2 NICs: eth0 is set to 192.168.2.1 and eth1 to 192.168.1.40.

I have created a static route on the Asus router so all 192.168.2.0 traffic is routed to 192.168.1.40 which can then route to any devices on the 192.168.2.0 network.

This allows me to ping from any device on the 192.168.1.0 network to any device on the 192.168.2.0 network and vice versa. Everything seemed to be connectable, both inside and outside, and functioning correctly.

However, SSH traffic on port 22 does not seem to be routing correctly. If I manually set a static IP for a device to anything on the 192.168.2.0 network, I can SSH back to devices on the 192.168.1.0 network (and of course devices that are also on the 192.168.2.0 network). Packets only seem to not arrive when attempting to establish an SSH connection from a device on 192.168.1.0 to a device on 192.168.2.0.

I have tried setting a static route on the VYOS router and also using RIP, but these make no difference, as expected, as the VYOS router is directly connected to both networks so shouldn't need these protocols enabled as far as I am aware.

Traceroute shows packets going from the device at 192.168.1.55:
1 - 192.168.1.1
2 - 192.168.1.40
3 - 192.168.2.20

Wireshark seems to just show that port 22 traffic simply is not reaching its destination and retransmissions are occurring. However, I will be the first to admit that I am not particularly knowledgeable when it comes to using Wireshark.

All devices have SSH servers/PuTTY configured and working, so it is not a client-based issue.

I just can't understand, if ICMP/ping traffic is routing correctly, how SSH traffic wouldn't. Other than a security group or firewall blocking it, which I don't think it is, unless there is something deep in the Asus firmware that I can't see.

I am currently at a loss and would appreciate any input.
 
Somewhere inside your IPTables you'll need to set a forward policy for that route.

Thank you for the reply.

If I go to my routing tables there is this line:

Code:
Destination   Gateway        Genmask         Flags  Metric  Ref  Use  Type  Iface
.....
192.168.2.0   192.168.1.40   255.255.255.0   UG     1       0    0    LAN   br0

Is that what you mean?
 
If this helps... I've got Docker and KVM running, along with an OpenVPN server end-point...

Code:
$ ip route
default via 192.168.1.1 dev eth0  proto static  metric 100 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1 
169.254.0.0/16 dev tun0  scope link  metric 1000 
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 linkdown 
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.20  metric 100 
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1 linkdown

But if you're running any kind of firewall - iptables by hand, or UFW - you need to build that policy to FORWARD across... if you don't, it won't.

This is documented in OpenStack and Docker, and the KVM docs touch on it briefly... an easy step to miss.
 
If you notice, the docker and kvm links are in linkdown state at the moment; that's because I'm doing something else with the box right now...
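As an added illustration of the FORWARD-policy point made above (this is example code written for this page, not the poster's rules and not code from VyOS, Asus, OpenStack or Docker): a minimal evaluator that takes the text of `iptables -S FORWARD` and decides whether a given forwarded flow would be ACCEPTed or DROPped. The chain, interface names and addresses below are constructed to mirror the thread's layout (eth1 on 192.168.1.0/24, eth0 on 192.168.2.0/24); they allow ICMP both ways but only let the 2.x side open new TCP connections, which reproduces "ping works, SSH does not" for the 1.x -> 2.x direction. The same check, `iptables -S FORWARD` and `iptables -L FORWARD -v -n` (the counters show which rule is eating the packets), is what a practitioner would run on the router doing the forwarding, whichever front end wrote the rules.

```python
"""Minimal evaluator for an iptables FORWARD chain (added example).

Given the output of `iptables -S FORWARD`, decide whether a forwarded flow is
ACCEPTed or DROPped.  Supports the matches that matter for a routed hop between
two LANs: -s, -d, -i, -o, -p, --dport, -m state --state / -m conntrack --ctstate,
-j, and the chain policy (-P FORWARD ...).  Negation ('!') and jumps to custom
chains are not modelled; any target other than ACCEPT/DROP/REJECT (e.g. LOG) is
treated as non-terminating.  Conntrack's view of the packet is supplied as the
flow's `state` label rather than simulated.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}
MATCH_OPTIONS = ("-s", "-d", "-i", "-o", "-p", "-j", "--dport", "--state", "--ctstate")


@dataclass
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for icmp
    in_if: str            # interface the packet arrived on
    out_if: str           # interface the routing table picked
    state: str            # conntrack view: NEW, ESTABLISHED, RELATED or INVALID


def parse_chain(text):
    """Return (policy, rules); each rule is a dict of iptables option -> value."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] == "-P":          # e.g. "-P FORWARD DROP"
            policy = tok[2]
            continue
        if tok[0] != "-A":
            continue
        rule, i = {}, 2             # skip "-A FORWARD"
        while i < len(tok):
            if tok[i] == "-m":      # module name; its own options follow
                i += 2
            elif tok[i] in MATCH_OPTIONS:
                rule[tok[i]] = tok[i + 1]
                i += 2
            else:
                raise ValueError(f"unsupported token {tok[i]!r} in: {line}")
        rules.append(rule)
    return policy, rules


def _iface_match(pattern, name):
    # iptables treats a trailing '+' as a prefix wildcard, e.g. "eth+"
    return name == pattern or (pattern.endswith("+") and name.startswith(pattern[:-1]))


def _port_match(spec, port):
    if port is None:
        return False
    lo, _, hi = spec.partition(":")  # "22" or a range such as "22:23"
    return int(lo) <= port <= int(hi or lo)


def _in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule, flow):
    """True if every match present in the rule applies to the flow."""
    checks = {
        "-s": lambda v: _in_net(flow.src, v),
        "-d": lambda v: _in_net(flow.dst, v),
        "-i": lambda v: _iface_match(v, flow.in_if),
        "-o": lambda v: _iface_match(v, flow.out_if),
        "-p": lambda v: v == flow.proto,
        "--dport": lambda v: _port_match(v, flow.dport),
        "--state": lambda v: flow.state in v.split(","),
        "--ctstate": lambda v: flow.state in v.split(","),
    }
    return all(fn(rule[opt]) for opt, fn in checks.items() if opt in rule)


def evaluate(chain_text, flow):
    """Return (verdict, rule_number); rule_number is None if the policy decided."""
    policy, rules = parse_chain(chain_text)
    for n, rule in enumerate(rules, 1):
        if matches(rule, flow) and rule.get("-j") in TERMINAL_TARGETS:
            return rule["-j"], n
    return policy, None


# Constructed chain for a two-armed Linux router laid out like the thread's VyOS box:
# eth1 = 192.168.1.40 (home LAN side), eth0 = 192.168.2.1 (cloud side).  ICMP is
# allowed anywhere, but only the cloud side may open new connections.
FORWARD_MISSING_RULE = """
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i eth0 -o eth1 -s 192.168.2.0/24 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT
"""

# The same chain with the missing 1.x -> 2.x rule for SSH appended.
FORWARD_FIXED = FORWARD_MISSING_RULE + (
    "-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -d 192.168.2.0/24 "
    "-p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT\n"
)

# Constructed flows (addresses taken from the thread's traceroute).
PING_IN = Flow("192.168.1.55", "192.168.2.20", "icmp", None, "eth1", "eth0", "NEW")
SSH_IN = Flow("192.168.1.55", "192.168.2.20", "tcp", 22, "eth1", "eth0", "NEW")
SSH_IN_ACK = Flow("192.168.1.55", "192.168.2.20", "tcp", 22, "eth1", "eth0", "ESTABLISHED")
SSH_IN_INVALID = Flow("192.168.1.55", "192.168.2.20", "tcp", 22, "eth1", "eth0", "INVALID")
SSH_OUT = Flow("192.168.2.20", "192.168.1.55", "tcp", 22, "eth0", "eth1", "NEW")

if __name__ == "__main__":
    for label, chain in (("missing rule", FORWARD_MISSING_RULE), ("fixed", FORWARD_FIXED)):
        for name, flow in (("ping 1.x->2.x", PING_IN), ("ssh 1.x->2.x", SSH_IN),
                           ("ssh 2.x->1.x", SSH_OUT), ("ssh 1.x->2.x, conntrack INVALID", SSH_IN_INVALID)):
            print(f"{label:13} {name:35} -> {evaluate(chain, flow)}")
```

Two things the run shows that the symptom alone does not: the ping succeeds because a protocol-wide ICMP accept sits ahead of the per-direction rules, so it says nothing about whether TCP is forwarded; and the verdict depends on conntrack's state label, not just on addresses and ports. A segment that conntrack marks INVALID (one common cause is the return half of a TCP handshake taking a path the firewall never sees, so the client's ACK arrives for a connection still in SYN_SENT) is dropped by the INVALID rule in both variants, which is why the counters from `iptables -L FORWARD -v -n` are worth reading alongside the rules themselves.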
 
