Router not routing

Post by brundage » Tue Jun 24, 2025 6:34 pm

I'm setting up a router following the Home router guide. It will be between my home network and an internal IP camera network so NAT is not necessary. Packets aren't traversing the router and I'm stumped.

Code:

0 panopt /root # uname -a
Linux panopt 6.12.31-gentoo-dist-hardened #1 SMP PREEMPT_DYNAMIC Wed Jun 11 00:06:53 -00 2025 x86_64 Intel(R) N150 GenuineIntel GNU/Linux

The kernel is configured.

Code:

0 panopt /root # for C in CONFIG_NF_CONNTRACK CONFIG_INET CONFIG_IP_ADVANCED_ROUTER CONFIG_NETFILTER CONFIG_NETFILTER_ADVANCED CONFIG_IP6_NF_IPTABLES; do
echo checking $C
zgrep "${C}=" /proc/config.gz
echo
done

checking CONFIG_NF_CONNTRACK
CONFIG_NF_CONNTRACK=m

checking CONFIG_INET
CONFIG_INET=y

checking CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_ADVANCED_ROUTER=y

checking CONFIG_NETFILTER
CONFIG_NETFILTER=y

checking CONFIG_NETFILTER_ADVANCED
CONFIG_NETFILTER_ADVANCED=y

checking CONFIG_IP6_NF_IPTABLES
CONFIG_IP6_NF_IPTABLES=m

Forwarding is allowed.

Code:

0 panopt /root # sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

0 panopt /root # sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 1

No fires in these walls, though I will set up a firewall once basic connectivity is working.

Code:

0 panopt /root # nft list ruleset
0 panopt /root # 

Just for completeness I checked iptables too. Guess docker uses it (Is there a way to change that?). Looks open.

Code:

0 panopt /root # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-FORWARD  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8971
ACCEPT     udp  --  anywhere             172.18.0.2           udp dpt:8555
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8555
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8554
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain DOCKER-BRIDGE (1 references)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            

Chain DOCKER-CT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
target     prot opt source               destination         
DOCKER-CT  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
DOCKER-BRIDGE  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Routing is correct.

Code:

0 panopt /root # netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         aperture.intern 0.0.0.0         UG        0 0          0 enp1s0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 enp1s0
10.0.3.0        0.0.0.0         255.255.255.0   U         0 0          0 br0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-01ee151b7eed

I am cribbing heavily from this guide to bridge the router's wifi NIC to one of its ethernet NICs. That's all working.

Clients on the camera net (10.0.3.0/24) get correct DHCP and DNS information and can resolve names. Packets do not traverse the router. Note: masquerading is not necessary since the border router knows where to send packets for the cam net.

I've set up a NAT router a dozen times and this is driving me nuts.
Unscrambler of Eggs
he/him

Post by NeddySeagoon » Tue Jun 24, 2025 7:02 pm

brundage,

Without masquerading/NAT packets from the 10.0.3.0/24 net will have 10.0.3.0/24 addresses.
How will hosts on 10.0.0.0/24 receive them?
Forwarding will do that for you.

You will need a 10.0.3.0/24 address to actually receive them.

Does Wireshark or tcpdump show these packets?
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Post by brundage » Tue Jun 24, 2025 7:23 pm

NeddySeagoon wrote:brundage,

Without masquerading/NAT packets from the 10.0.3.0/24 net will have 10.0.3.0/24 addresses.
How will hosts on 10.0.0.0/24 receive them?
Forwarding will do that for you.

You will need a 10.0.3.0/24 address to actually receive them.

Yah, panopt (the camera net router) has a default route to aperture (the border router) and aperture has a route to panopt for the 10.0.3.0/24 network.
NeddySeagoon wrote:Does Wireshark or tcpdump show these packets?

I swear I did this to verify packets weren't traversing panopt, but it looks like the border router (aperture) is blocking them. That solves the problem in this post. Thanks for the nudge.

Post by pietinger » Tue Jun 24, 2025 7:32 pm

brundage wrote:[...] Just for completeness I checked iptables too. Guess docker uses it (Is there a way to change that?). Looks open.

Not quite ... yes, anything INTO this station is allowed -> Chain INPUT (policy ACCEPT) ... and everything out: Chain OUTPUT (policy ACCEPT) ... but look at FORWARD

Code:

0 panopt /root # iptables -L
...
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-FORWARD  all  --  anywhere             anywhere            
...
Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8971
ACCEPT     udp  --  anywhere             172.18.0.2           udp dpt:8555
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8555
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8554
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain DOCKER-BRIDGE (1 references)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            

Chain DOCKER-CT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
target     prot opt source               destination         
DOCKER-CT  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
DOCKER-BRIDGE  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere         

FORWARD -> DOCKER-USER (does nothing) -> FORWARD -> DOCKER-FORWARD -> DOCKER-CT (allows already established communication; BUT NO NEW) -> DOCKER-ISOLATION-STAGE-1 (does nothing but jumping to) -> DOCKER-ISOLATION-STAGE-2 -> DROPS everything == end of checking rules; all other rules will never be checked ...

... this means: FORWARD is actually not possible. :lol:

BTW: Some rules are doubled; so there must have been a problem with creating the rules ... I would delete all AND LEAVE the default policy for FORWARD to ACCEPT (like it is now).
https://wiki.gentoo.org/wiki/User:Pietinger --> New at Gentoo

Post by brundage » Tue Jun 24, 2025 7:44 pm

pietinger wrote:
brundage wrote:[...] Just for completeness I checked iptables too. Guess docker uses it (Is there a way to change that?). Looks open.
Not quite ... yes, anything INTO this station is allowed -> Chain INPUT (policy ACCEPT) ... and everything out: Chain OUTPUT (policy ACCEPT) ... but look at FORWARD

Code:

0 panopt /root # iptables -L
...
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-FORWARD  all  --  anywhere             anywhere            
...
Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8971
ACCEPT     udp  --  anywhere             172.18.0.2           udp dpt:8555
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8555
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8554
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain DOCKER-BRIDGE (1 references)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            

Chain DOCKER-CT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
target     prot opt source               destination         
DOCKER-CT  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
DOCKER-BRIDGE  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere         

FORWARD -> DOCKER-USER (does nothing) -> FORWARD -> DOCKER-FORWARD -> DOCKER-CT (allows already established communication; BUT NO NEW) -> DOCKER-ISOLATION-STAGE-1 (does nothing but jumping to) -> DOCKER-ISOLATION-STAGE-2 -> DROPS everything == end of checking rules; all other rules will never be checked ...

... this means: FORWARD is actually not possible. :lol:

BTW: Some rules are doubled; so there must have been a problem with creating the rules ... I would delete all AND LEAVE the default policy for FORWARD to ACCEPT (like it is now).

I see that now. Good eye. I'll untangle that mess too. Thanks.

Post by pietinger » Wed Jun 25, 2025 12:10 pm

brundage wrote:I see that now. Good eye. I'll untangle that mess too. Thanks.

Please forget all that I said ... sometimes I am an idiot ... :oops: ... I am so used to ALWAYS doing an "iptables -L -vn" ... the -v is important to also get the information about the interface ... and yes I saw no interface information ... which had led me to a false conclusion ... please see the difference:

Code:

# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
...

Yes, the first rule is only for the loopback:

Code:

# iptables -L -vn
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 971M 1207G ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 594M 1193G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
...

Post by brundage » Wed Jun 25, 2025 2:08 pm

pietinger wrote:
brundage wrote:I see that now. Good eye. I'll untangle that mess too. Thanks.
Please forget all that I said ... sometimes I am an idiot ... :oops: ... I am so used to ALWAYS doing an "iptables -L -vn" ... the -v is important to also get the information about the interface ... and yes I saw no interface information ... which had led me to a false conclusion ... please see the difference:

Code:

# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
...

Yes, the first rule is only for the loopback:

Code:

# iptables -L -vn
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 971M 1207G ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 594M 1193G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
...

pietinger wrote:Please forget all what I said ... sometimes I am an idiot ... :oops:

It happens to the best of us sometimes. I couldn't figure out why packets weren't getting routed when they really were. (-:

Looking at iptables -L -vn shows that the forward blocking is only on the docker interfaces, so that's sorted.

Post by Hu » Wed Jun 25, 2025 2:22 pm

The missing information from iptables -L is why I always request iptables-save -c instead. That is designed to be a machine-readable way to exactly reproduce the current rules, so it is required to contain everything, with no bits hidden away as "usually not important to the typical administrator" the way that, for example, non-verbose iptables -L hides interface name requirements.
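Added example, not code from the thread: a small Python walker over iptables-save-style rules that replays pietinger's chain walk two ways. With the -i/-o interface matches kept (what iptables-save -c and iptables -L -vn show) a packet from br0 to enp1s0 falls through every Docker chain and ends at the FORWARD policy; with those matches stripped (what plain iptables -L shows) the same packet walks straight into the DOCKER-ISOLATION-STAGE-2 DROP. The ruleset is a constructed, trimmed imitation of Docker's chains using the thread's interface names; the walker only evaluates -i, -o and --ctstate and assumes every rule carries a -j target.

```python
import re

# Constructed, trimmed iptables-save excerpt in the shape of Docker's filter
# rules; unlike plain "iptables -L" it keeps the -i/-o interface matches.
SAVED = """\
:FORWARD ACCEPT [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
-A DOCKER-CT -o br-01ee151b7eed -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-FORWARD -j DOCKER-CT
-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-FORWARD -i br-01ee151b7eed -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-01ee151b7eed ! -o br-01ee151b7eed -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o br-01ee151b7eed -j DROP
-A DOCKER-USER -j RETURN
"""

def parse(text):  # -> ({builtin chain: policy}, {chain: [rule tokens]}) from iptables-save text
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":") and line.split()[1] != "-":
            policies[line[1:].split()[0]] = line.split()[1]
        elif line.startswith("-A "):
            chains.setdefault(line.split()[1], []).append(line.split()[2:])
    return policies, chains

def rule_matches(tokens, pkt):  # evaluates -i/-o (optionally negated by "!") and --ctstate only
    negate, it = False, iter(tokens)
    for tok in it:
        if tok in ("-i", "-o"):  # a plain match must hit, a negated one must miss
            if (pkt["in" if tok == "-i" else "out"] == next(it)) == negate:
                return False
        elif tok == "--ctstate" and pkt["state"] not in next(it).split(","):
            return False
        negate = tok == "!"
    return True

def verdict(policies, chains, chain, pkt):  # walk a chain as the kernel does; None = fell off the end
    for tokens in (r for r in chains.get(chain, []) if rule_matches(r, pkt)):
        target = tokens[tokens.index("-j") + 1]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break  # back to the caller, or to the policy of a builtin chain
        result = verdict(policies, chains, target, pkt)  # user-defined chain
        if result is not None:
            return result
    return policies.get(chain)

def forward_verdict(text, in_if, out_if, state="NEW"):  # fate of one packet arriving on in_if, leaving via out_if
    return verdict(*parse(text), "FORWARD", {"in": in_if, "out": out_if, "state": state})

def without_interfaces(text):  # strip every -i/-o match: the rules as non-verbose "iptables -L" prints them
    return re.sub(r"(?:! )?-[io] \S+ ", "", text)
```

forward_verdict(SAVED, "br0", "enp1s0") gives ACCEPT (the FORWARD policy), forward_verdict(without_interfaces(SAVED), "br0", "enp1s0") gives DROP, and a NEW packet from docker0 to br-01ee151b7eed is the case the isolation DROP really exists for.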
© 2001–2026 Gentoo Foundation, Inc.
