
I can't ping clients between interfaces/subnets, e.g. pinging from the Mac (10.42.0.82), which is connected to eth0, to the Android (10.42.1.150), which is connected to wlan0.

Note: I can access the internet from all devices.

How do I forward connections between these devices?

Here is a quick drawing of my network:

(network diagram image, not reproduced in the text)

Debian Server with 3 interfaces:

  • wlan1 (192.168.1.25) - internet access
  • eth0 (10.42.0.1) - clients 10.42.0.0/24
  • wlan0 (10.42.1.0) - clients 10.42.1.0/24
  • besides that, there is OpenVPN running on the Debian server (so tun0 is present as well)

Output from the Mac:

ping 192.168.150

PING 10.42.1.150 (10.42.1.150): 56 data bytes
92 bytes from machine (10.42.0.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 fc85   0 0000  3f  01 68e8 10.42.0.82  10.42.1.150 

Request timeout for icmp_seq 0
92 bytes from machine (10.42.0.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 6410   0 0000  3f  01 015e 10.42.0.82  10.42.1.150 

Output from the Debian server:

Dumping packets while pinging the Android from the Mac:

tcpdump -i eth0 -c 10 -n icmp

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:50:25.884193 IP 10.42.0.82 > 10.42.1.190: ICMP echo request, id 52703, seq 0, length 64
12:50:25.884420 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.190 protocol 1 port 4212 unreachable, length 92
12:50:26.889535 IP 10.42.0.82 > 10.42.1.190: ICMP echo request, id 52703, seq 1, length 64
12:50:26.889806 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.190 protocol 1 port 64299 unreachable, length 92
12:50:27.892862 IP 10.42.0.82 > 10.42.1.190: ICMP echo request, id 52703, seq 2, length 64
12:50:27.893158 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.190 protocol 1 port 60917 unreachable, length 92
12:50:28.897111 IP 10.42.0.82 > 10.42.1.190: ICMP echo request, id 52703, seq 3, length 64
12:50:28.897405 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.190 protocol 1 port 56949 unreachable, length 92

tcpdump -i wlan0 -c 10 -n icmp

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

...silence...

netstat -nr

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan1
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
10.42.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.42.1.0       0.0.0.0         255.255.255.0   U         0 0          0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan1

ip route

default via 192.168.1.1 dev wlan1 proto dhcp src 192.168.1.25 metric 601 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 
10.42.0.0/24 dev eth0 proto kernel scope link src 10.42.0.1 metric 100 
10.42.1.0/24 dev wlan0 proto kernel scope link src 10.42.1.1 metric 600 
192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.25 metric 601 

iptables-save

# Generated by iptables-save v1.8.8 (nf_tables) on Wed Nov  9 12:38:09 2022
*filter
:INPUT ACCEPT [6046:607118]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10078:1146969]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
# Completed on Wed Nov  9 12:38:09 2022
# Generated by iptables-save v1.8.8 (nf_tables) on Wed Nov  9 12:38:09 2022
*nat
:PREROUTING ACCEPT [3107:427832]
:INPUT ACCEPT [826:76600]
:OUTPUT ACCEPT [1808:145801]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o wlan1 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 192.168.1.25
COMMIT
# Completed on Wed Nov  9 12:38:09 2022
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

cat /proc/sys/net/ipv4/ip_forward

1

Thank you for any advice that will push me toward the desired resolution of this!

  • Is there a particular reason you use NAT instead of bridging? I ask because people seem to unnecessarily split up their home networks and apply NAT. Commented Nov 10, 2022 at 10:20
  • Thank you for the suggestion, I see what you are saying. Bridging is an option but not the answer to this question - I think that this setup is not wrong from the start. If you are keen to elaborate more on this, see more info here: serverfault.com/questions/1115223/…
    – sbx
    Commented Nov 11, 2022 at 9:12
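The evidence in the question can be cross-checked mechanically. The following is an added example, not code from the original question or answer: the `ip route` output and the first two request/reply pairs of the eth0 capture are embedded as sample input copied from the question, and the set of the router's own addresses is taken from the `src` fields of those routes (an assumption, since the question does not list them separately). The script does a longest-prefix route lookup for the destination named in each ICMP unreachable and flags those that the router itself emitted for a directly connected subnet, which is the case where the packet was refused on the router rather than by the far host; it also reports whether the address the ping was aimed at appears in the capture at all.

```python
"""Cross-check a `tcpdump -n icmp` capture against the router's routing table.

Added example; not code from the original question or answer.  Sample input
below is copied from the question; ROUTER_ADDRS is assumed from the routes.
"""
import ipaddress
import re

# Sample input, copied from the question's `ip route` output.
ROUTES = """\
default via 192.168.1.1 dev wlan1 proto dhcp src 192.168.1.25 metric 601
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.42.0.0/24 dev eth0 proto kernel scope link src 10.42.0.1 metric 100
10.42.1.0/24 dev wlan0 proto kernel scope link src 10.42.1.1 metric 600
192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.25 metric 601
"""

# Sample input, copied from the question's eth0 capture (first two pairs).
CAPTURE_ETH0 = """\
12:50:25.884193 IP 10.42.0.82 > 10.42.1.190: ICMP echo request, id 52703, seq 0, length 64
12:50:25.884420 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.190 protocol 1 port 4212 unreachable, length 92
12:50:26.889535 IP 10.42.0.82 > 10.42.1.190: ICMP echo request, id 52703, seq 1, length 64
12:50:26.889806 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.190 protocol 1 port 64299 unreachable, length 92
"""

# Assumed: the router's own interface addresses, read off the `src` fields above.
ROUTER_ADDRS = {"192.168.1.25", "10.8.0.1", "10.42.0.1", "10.42.1.1"}

ROUTE_RE = re.compile(r"^(default|\S+/\d+)(?: via (\S+))? dev (\S+)")
PKT_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP (.*)$")
UNREACH_RE = re.compile(r"^(\S+) protocol \d+ port \d+ unreachable")


def parse_routes(text):
    """Return [(network, gateway_or_None, device)] from `ip route` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        prefix, via, dev = m.groups()
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix)
        routes.append((net, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst; returns (gateway_or_None, device) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return (best[1], best[2]) if best else None


def parse_capture(text):
    """Return [(src, dst, icmp_description)] from `tcpdump -n icmp` lines."""
    matches = (PKT_RE.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]


def diagnose(routes, pkts, router_addrs, ping_target):
    """Summarise what the capture says about a ping aimed at ping_target.

    target_seen:        ping_target appears as an echo-request destination.
    requested:          every echo-request destination actually on the wire.
    rejected_on_router: {(original_dst, device)} for unreachables emitted by
                        the router itself although it holds a connected route
                        for original_dst, i.e. the packet never left that link.
    """
    requests = {dst for _src, dst, info in pkts if info.startswith("echo request")}
    rejected = set()
    for src, _dst, info in pkts:
        m = UNREACH_RE.match(info)
        if not m or src not in router_addrs:
            continue
        orig_dst = m.group(1)
        hop = lookup(routes, orig_dst)
        if hop is not None and hop[0] is None:  # connected route, no gateway
            rejected.add((orig_dst, hop[1]))
    return {"target_seen": ping_target in requests,
            "requested": sorted(requests),
            "rejected_on_router": rejected}


if __name__ == "__main__":
    result = diagnose(parse_routes(ROUTES), parse_capture(CAPTURE_ETH0),
                      ROUTER_ADDRS, "10.42.1.150")
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the question's own data this reports that 10.42.1.150 never appears on the wire (only 10.42.1.190 does) and that 10.42.0.1 answered with unreachables for 10.42.1.190 while holding a connected route to it via wlan0, which matches the silence seen on wlan0: whatever refused the packet sits on the Debian server, not on the far side.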

1 Answer

  1. Your NAT rules are very suspicious. I would suggest the following:

iptables -t nat -F && iptables -t nat -A POSTROUTING -o wlan1 -j MASQUERADE - remove all NAT rules and only use NAT for WAN communication (wlan1)

  2. You may be using the wrong IP address to ping. Please check the IP of the Android device again before pinging it. I can see 192.168.1.150 in the ping output and 192.168.1.190 in the traffic capture at eth0. The traffic capture indicates that the server doesn't know any device with an IP of 192.168.1.190, therefore packets with that destination are rejected.
  • Thank you for the suggestion; the iptables rules are generated by some OpenVPN script, and even if I do what you advised it's without success. Anyway - good point about the wrong log: 10.42.1.190 & 10.42.1.150 in the misleading ping log - there is another device connected, which is not marked, so I cleaned up everything you mentioned here: serverfault.com/questions/1115223/… I will be glad if you check the current state of the issue. Thank you Volodymyr!
    – sbx
    Commented Nov 11, 2022 at 9:10
  • You can modify the openvpn script or run the following manually: iptables -t nat -F && iptables -t nat -A POSTROUTING -o wlan1 -j MASQUERADE. If the Mac computer still cannot ping the Android device I am out of ideas, otherwise you may have to modify the openvpn scripts. Commented Nov 11, 2022 at 20:27
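To see concretely what the answer calls suspicious, here is a small audit of the iptables-save dump from the question. It is an added example, neither the answerer's code nor the OpenVPN script that generated the rules; the function names are my own. It parses the dump into (table, chain, rule) tuples and reports rules that were appended twice (what a setup script run twice leaves behind), POSTROUTING MASQUERADE/SNAT rules with no -o or -s restriction (they rewrite LAN-to-LAN traffic as well as WAN traffic), and match-less catch-all rules in the filter table (a `-A FORWARD -j ACCEPT` makes every other FORWARD rule irrelevant and the host an open forwarder), and it emits the narrower POSTROUTING rule the answer proposes.

```python
"""Audit an iptables-save dump for duplicated, over-broad and catch-all rules.

Added example; not code from the original post or from the OpenVPN script
that produced the rules.  SAMPLE_DUMP is the filter and nat tables exactly
as pasted in the question.
"""
import re
from collections import Counter

SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [6046:607118]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10078:1146969]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [3107:427832]
:INPUT ACCEPT [826:76600]
:OUTPUT ACCEPT [1808:145801]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o wlan1 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 192.168.1.25
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*)$")


def parse_dump(text):
    """Return [(table, chain, rule_text)] in file order; skips policies/comments."""
    rules, table = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # "*filter", "*nat": start of a table
            table = line[1:]
            continue
        if not line or line[0] in "#:" or line == "COMMIT":
            continue
        m = RULE_RE.match(line)
        if m and table:
            rules.append((table, m.group(1), m.group(2)))
    return rules


def find_duplicates(rules):
    """Identical rules appended more than once within the same table/chain."""
    return sorted(rule for rule, n in Counter(rules).items() if n > 1)


def find_unrestricted_nat(rules):
    """POSTROUTING MASQUERADE/SNAT rules that name neither -o nor -s, so they
    rewrite every forwarded packet, LAN-to-LAN traffic included."""
    found = []
    for table, chain, rule in rules:
        if table != "nat" or chain != "POSTROUTING":
            continue
        if re.search(r"-j (MASQUERADE|SNAT)\b", rule) and not re.search(r"(^| )-[os] \S+", rule):
            found.append(rule)
    return found


def find_catch_all(rules):
    """Filter-table rules with no match at all ("-j TARGET"): everything that
    reaches them takes the target, so later rules and the policy never apply."""
    return [(chain, rule.split()[-1]) for table, chain, rule in rules
            if table == "filter" and re.fullmatch(r"-j \S+", rule)]


def suggested_postrouting(wan_if):
    """The replacement the answer proposes: masquerade only what leaves the WAN."""
    return f"-A POSTROUTING -o {wan_if} -j MASQUERADE"


def audit(text):
    rules = parse_dump(text)
    return {"rules": len(rules),
            "duplicates": find_duplicates(rules),
            "unrestricted_nat": find_unrestricted_nat(rules),
            "catch_all": find_catch_all(rules)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
    print("suggested:", suggested_postrouting("wlan1"))
```

On the pasted dump this finds seven rules present twice, the bare `-j MASQUERADE` in POSTROUTING, and the `FORWARD -j ACCEPT` catch-all. One caveat the dump itself gives: its last line warns that iptables-legacy tables are also present, and this script only sees what `iptables-save` (nf_tables) printed, so run it over `iptables-legacy-save` output as well before concluding that the visible rules are the whole story.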
