Firewall reply Port unreachable, other PC on same network can reach it

Hello all,

I have a strange behaviour I try to get a connection to the modbus server on a network that is connected via VPN.
System 1 receives a port unreachable message form the ipfire.
System 2 can connect without problems.
System 3 receives a port unreachable message form the ipfire.

First I tried the default port for modbus 502 and then changed it to 12999 for testing.
The System 1 (IP xx.xx.100.131) is a Windows Server 2019 running as a VM on Proxmox VE.
The System 2 (IP xx.xx.100.40) is a Windows Workstation 10 on real Hardware.
The System 3 (IP xx.xx.100.83) is a Windows Workstation 10 running as a VM on VMWare Workstation 16.2. on System 2.

At the moment I have no idea what is causing this. In the firewall log I did not find anything about it.
Please see the screenshots of Wireshark

I check on the second IPFire on the other side of the VPN Tunnel there arrive only packages from System 1 (xx.xx.100.40)

Any ideas a very welcome :slight_smile:

Best regards
–Der Zauberlehrling

You clearly have a routing problem in the two virtual machines, but I cannot figure out the topology of your network based on your description. Are system 1, 2 and 3 attached to an IPFire machine and you are trying to have them visible on the other side of an N2N tunnel?

Hello, thank you for your answer,

I don’t think it is a routing problem. I can reach the webserver of the remote system (which is an inverter from a Photovoltaic system from SMA) on port 443 and 80 from all 3 systems.

I see some strange retransmits, but it works. It seems that only other ports are blocked by the firewall.

I thought the topology would be clear from the ip addresses, but to clarify this system 1-3 are in one segment (class C) on location 1 the IPFire is the Internet Router and creates a VPN to location 2 where is another IPFire and the system there are in the class C network

The VMs are configured with bridged networking and they have their own ip address and do not use NAT within the hypervisor.

Best regards
– Der Zauberlehrling

Solved it :slight_smile:

I created a firewall rule that allows all trafic from network to network and 2 second backward.
Now I can conect to my inverter on port 12999, but I still do not understand exaclty why it was workin from my workstation and why I could connect on port 80 or port 443…

–Der Zauberlehrling