Strange network routing problem

I just found a strange network routing problem with my Manjaro box.

I am running my home network behind a Fritz!Box, which does all the routing and the internet connection. This Fritz!Box also establishes a VPN connection to my Mom’s home. The weird fact of the matter is that I cannot connect to my Mom’s network from my Manjaro system. It does, however, work from my Raspberry Pi4 running pihole as the local nameserver. No static routes (IPv4 or IPv6) or other settings which could impact the routing are active on the Fritz!Box.

Local network:

local ip4 (troja, Manjaro Linux)
nameserver (pihole, Raspberry Pi OS)

Remote network:


Doing an nslookup of the remote Fritz!Box gives absolutely the same response on both machines:

[stefan@troja ~]$ nslookup fritzfn


[stefan@troja ~]$ ssh pihole nslookup fritzfn


Trying to ping the remote Fritz!Box fritzfn from both systems looks like this:

[stefan@troja ~]$ ping fritzfn
PING ( 56(84) bytes of data.
From ( icmp_seq=1 Destination Net Unreachable
From ( icmp_seq=2 Destination Net Unreachable
From ( icmp_seq=3 Destination Net Unreachable
From ( icmp_seq=4 Destination Net Unreachable
--- ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3004ms

[stefan@troja ~]$ ssh pihole ping fritzfn
PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=63 time=48.3 ms
64 bytes from ( icmp_seq=2 ttl=63 time=34.6 ms
64 bytes from ( icmp_seq=3 ttl=63 time=36.8 ms

The routing tables on both machines indicate that traffic to 192.168.200.x should be routed via the default route:

[stefan@troja ~]$ ip route show
default via dev eno1 proto dhcp metric 100
dev cni-podman0 proto kernel scope link src
dev cni-podman2 proto kernel scope link src linkdown
dev virbr0 proto kernel scope link src linkdown
dev eno1 proto kernel scope link src metric 100
dev virbr1 proto kernel scope link src linkdown

[stefan@troja ~]$ ssh pihole ip route show
default via dev eth0 proto dhcp src metric 202
dev wg0 proto kernel scope link src
dev eth0 proto dhcp scope link src metric 202

Now the question: why is traffic routing to the remote network 192.168.200.x different depending on the initiating host?

The problem is independent from the network interface. It exists when connected to my router via Ethernet or WiFi.

Check your DNS resolver configuration while connected to your vpn.

As shown from your logs - your attempt to ping the remote address is routed through your normal network connection doing a nslookup.

Because no route exists which knows where to find the hostname, you get destination unreachable.

Note the request is answered by

This is indeed strange. From all you have shown of the configuration, this should be sufficient for the Fritz!Box to route the traffic to the right interface/network, as it does for the pihole in the same network. Does the Fritz!Box have any routing settings (I’m not familiar with these devices)?

This seems to be the external interface of the Fritz!Box so my guess is that the problem lies in the traffic management on the Fritz!Box. Does a traceroute from both machines give some leads as to where to look?

Thanks for your hints. In my case, there is no DNS resolver configuration which could be checked while connected to the VPN. The VPN is established directly between the two Fritz!Box routers. The Fritz!Box offers this functionality. This also means that the Fritz!Box should be aware of the routing between the 2 networks. I don’t understand what the difference is between my Manjaro box and the Raspberry Pi.

The complete network looks like this:

FritzBox1 ------------ VPN ----------- FritzBox2                
  |                                     |
  +--- troja (           ...
  +--- pihole (192.168.178.5, nameserver)

When working on pihole, the connection to the remote network is working. Doing the same from troja leads to the effect described above.

Thanks Hanzel,

The server is indeed the external interface provided by T-Online.
For me, the traceroute does not provide additional info:

[stefan@troja ~]$ traceroute fritzfn
traceroute to fritzfn (, 30 hops max, 60 byte packets
 1  _gateway (  12.736 ms  12.674 ms  12.643 ms
 2 (  35.119 ms !N  35.084 ms !N  35.055 ms !N
[stefan@troja ~]$ ssh pihole traceroute fritzfn
traceroute to fritzfn (, 30 hops max, 60 byte packets
 1 (  0.549 ms  1.186 ms  1.129 ms
 2 (  36.570 ms  45.627 ms  45.699 ms

Since the same gateway ( decides the traffic from the Manjaro machine is routed to the internet, could there be a setting inside the Fritz!Box that only allows certain machines on the 192.168.178.x network to be routed to 192.168.200.x? From what I can read here (Dutch support page), the box has some options to restrict access to certain physical ports too.

Other than this I have no more ideas or advice to give.

Thanks Hanzel,

This was exactly the hint I was looking for. Sometimes I don’t see the forest among all those trees…
The Fritz!Box has advanced settings which allow limiting the VPN access to only specific devices in the local network. My Raspberry was part of this list. Unfortunately my Manjaro machine was not on it…

Thanks for your great support in this forum! :smiley:


Please don’t forget to mark @Hanzel for his solution.
