Can ping but unable to join over tcp with static route

Hi there,

I just made an ipfire installation on an APU2C4 and everything is working as expected except one thing.

This is my home setup:

There is a wireguard tunnel between homeserver and SERVER on the subnet 172.21.42.0/24.

On ipfire, I added a static route with: 172.21.42.0/24 via 192.168.10.248.

From homeserver: ping ok and wget http://172.21.42.1 ok.
From laptop: ping ok and wget nok.

In ipfire logs, I just see:
DROP_NEWNOTSYN green0 TCP 192.168.10.110 172.21.42.1 56838 80(HTTP)

The worst part: when I try telnet 172.21.42.1 80 from the laptop, it’s ok but I can’t GET /

Would anyone have an idea? It is starting to drive me crazy.

Thanks.

NEWNOTSYN means that the IPFire has received a packet that could not be assigned to a connection. The most common reason is that the other peer has already closed it. Are you sure that the other peer has accepted the connection?

I am not sure if the other peer accepted the connection.
This morning I just made other tests from another laptop and everything is working.

Yesterday evening, I created a firewall rule : Green -> allow 192.168.10.0/24 to 172.21.42.0/24
But from the first laptop it was not working.

This morning from a new one, it works.
For testing purposes I deleted the rule, and from the new laptop: nothing, no connection to the remote web server but icmp is ok!

I just enabled the rule again and tested from another web browser, and everything worked again a few seconds later.
It’s quite difficult for me to understand this behavior.

The first question should be: do I need to create a rule to allow traffic from the LAN to this remote network?

In the default profile traffic from green to green is blocked so you need a rule to allow it.

ICMP is always allowed because this is also needed to get error messages like port not reachable or MTU error reports, so there is a default rule that allows all ICMP traffic. (Only ICMP redirects are ignored by the kernel for security reasons.)
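As an added example (not code from this thread or from IPFire), here is a small parser that summarises firewall log lines in the space-separated form quoted above and attaches the interpretation the replies give: NEWNOTSYN for a non-SYN packet that matches no tracked connection, anything else as a new connection with no allow rule (the green-to-green default). The sample lines, the field layout and the `DROP_FORWARD` verdict name are assumptions.

```python
"""Summarise IPFire-style firewall log lines by verdict, source, destination and port."""
import re
from collections import Counter

# Constructed sample, in the layout quoted in the thread (assumed, not the raw syslog form):
# <verdict> <interface> <proto> <src> <dst> <sport> <dport>(<service>)
SAMPLE_LOG = """\
DROP_NEWNOTSYN green0 TCP 192.168.10.110 172.21.42.1 56838 80(HTTP)
DROP_NEWNOTSYN green0 TCP 192.168.10.110 172.21.42.1 56838 80(HTTP)
DROP_NEWNOTSYN green0 TCP 192.168.10.110 172.21.42.1 56840 80(HTTP)
DROP_FORWARD green0 TCP 192.168.10.111 172.21.42.1 40000 80(HTTP)
"""

LINE_RE = re.compile(
    r"^(?P<verdict>\S+)\s+(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)(?:\((?P<svc>[^)]*)\))?$"
)

# Interpretation per verdict, following the explanations given in the replies.
HINTS = {
    "DROP_NEWNOTSYN": "non-SYN packet matching no tracked connection: the peer already "
                      "closed it, or the firewall never saw the handshake",
}
DEFAULT_HINT = "new connection matched no allow rule (e.g. green -> green without a rule)"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def summarise(log_text):
    """Group drops by (verdict, src, dst, dport); count them and the distinct source ports seen."""
    counts, sports = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than guessing fields
        key = (rec["verdict"], rec["src"], rec["dst"], rec["dport"])
        counts[key] += 1
        sports.setdefault(key, set()).add(rec["sport"])
    return [{"verdict": v, "src": s, "dst": d, "dport": p, "drops": n,
             "source_ports": len(sports[(v, s, d, p)]), "hint": HINTS.get(v, DEFAULT_HINT)}
            for (v, s, d, p), n in counts.most_common()]


if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG):
        print(row)
```

Repeated NEWNOTSYN drops from one client to one server port, across several source ports, point at a connection-tracking or return-path problem rather than a missing rule, which is the distinction the replies draw.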

Great, thanks for this answer.
I’ll try to troubleshoot this later, but it seems to be a part of the solution.

Is there some kind of timer for applying new firewall rules?

No. If you click on apply changes it will be loaded into iptables. But if you add a rule that blocks something, it does not cut already established TCP connections.
