Yesterday we replaced a Linksys WRT54GL running DD-WRT v24 sp2 with an Asus RT-AC66U running Asuswrt-Merlin 3.0.0.4.354.29 Beta 1. The transition went fairly smoothly--with one important exception.
We run an OpenVPN server inside our network, in "routing" (i.e., not "bridged") mode. The problem, in a nutshell, is this: the VPN clients can ping the VPN server and *some* of the server's peers/clients, but not all. After much poking around we believe the problem is that static routes work differently in Asuswrt-Merlin than they did in DD-WRT.
Here's the "not a nutshell" version. The internal network runs on 192.168.10.x; the VPN network runs on 10.8.0.x. There's a static route defined on the router that directs 10 traffic to the VPN server on the 192 network. If someone inside the 192 network pings someone in the 10 network things work as expected: packets are sent to the router, which sends them to the VPN server, which sends them to the client. But if someone in the 10 network pings someone on the 192 network it's hit or miss. After much poking around we narrowed it down to this: if the someone they ping happens to have a local static route for 10 they (the client on 10) get a reply; if not, the packet appears to go to the router (i.e., the internal gateway), where it's either dropped or forwarded on to the external gateway. To put that a slightly different way: requests from 192 to 10 and replies from 10 to 192 seem to work, and requests from 10 to 192 seem to work, but replies from 192 to 10 don't. (Via the router, that is.)
Ultimately we believe the problem is in the iptables rules. Are we absolutely positive? Not yet. But while we continue to gnaw away at the problem we thought we'd bring our thinking here to people who know more about these things than we do.
There's quite a bit of stuff we can supply in terms of logs, dumps, etc. but given our current theory we'll start with just two simple things: the routing table and the iptables rules from the router. Please let us know if you spot anything odd...
(Just to be clear: we haven't tweaked "under the hood" in either case. We're just providing an "under the hood" dump of the configuration.)
Thanks!
===
# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
99.99.99.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.8.0.0 192.168.10.10 255.255.255.0 UG 0 0 0 br0
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
99.99.99.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 99.99.99.1 0.0.0.0 UG 0 0 0 eth0
===
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT gre -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
all -- anywhere anywhere account: network/netmask: 192.168.10.0/255.255.255.0 name: lan
all -- anywhere anywhere account: network/netmask: 192.168.10.0/255.255.255.0 name: lan
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
DROP icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate DNAT
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain FUPNP (0 references)
target prot opt source destination
Chain PControls (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP'
DROP all -- anywhere anywhere
We run an OpenVPN server inside our network, in "routing" (i.e., not "bridged") mode. The problem, in a nutshell, is this: the VPN clients can ping the VPN server and *some* of the server's peers/clients, but not all. After much poking around we believe the problem is that static routes work differently in Asuswrt-Merlin than they did in DD-WRT.
Here's the "not a nutshell" version. The internal network runs on 192.168.10.x; the VPN network runs on 10.8.0.x. There's a static route defined on the router that directs 10 traffic to the VPN server on the 192 network. If someone inside the 192 network pings someone in the 10 network things work as expected: packets are sent to the router, which sends them to the VPN server, which sends them to the client. But if someone in the 10 network pings someone on the 192 network it's hit or miss. After much poking around we narrowed it down to this: if the someone they ping happens to have a local static route for 10 they (the client on 10) get a reply; if not, the packet appears to go to the router (i.e., the internal gateway), where it's either dropped or forwarded on to the external gateway. To put that a slightly different way: requests from 192 to 10 and replies from 10 to 192 seem to work, and requests from 10 to 192 seem to work, but replies from 192 to 10 don't. (Via the router, that is.)
Ultimately we believe the problem is in the iptables rules. Are we absolutely positive? Not yet. But while we continue to gnaw away at the problem we thought we'd bring our thinking here to people who know more about these things than we do.
There's quite a bit of stuff we can supply in terms of logs, dumps, etc. but given our current theory we'll start with just two simple things: the routing table and the iptables rules from the router. Please let us know if you spot anything odd...
(Just to be clear: we haven't tweaked "under the hood" in either case. We're just providing an "under the hood" dump of the configuration.)
Thanks!
===
# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
99.99.99.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.8.0.0 192.168.10.10 255.255.255.0 UG 0 0 0 br0
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
99.99.99.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 99.99.99.1 0.0.0.0 UG 0 0 0 eth0
===
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT gre -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
all -- anywhere anywhere account: network/netmask: 192.168.10.0/255.255.255.0 name: lan
all -- anywhere anywhere account: network/netmask: 192.168.10.0/255.255.255.0 name: lan
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
DROP icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate DNAT
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain FUPNP (0 references)
target prot opt source destination
Chain PControls (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP'
DROP all -- anywhere anywhere
