Strange network routing problem

I just found a strange network routing problem with my Manjaro box.

I am running my home network behind a Fritz!Box, which does all the routing and the internet connection. This Fritz!Box also establishes a VPN connection to my Mom’s home. The weird thing is that I cannot connect to my Mom’s network from my Manjaro system. However, it works from my Raspberry Pi4 running pihole as the local nameserver. No static routes (IPv4 or IPv6) or other settings which could impact the routing are active on the Fritz!Box.

Local network:

address 192.168.178.0/24
local ip4 192.168.178.46 (troja, Manjaro Linux)
nameserver 192.168.178.5 (pihole, Raspberry Pi OS)
fritzbox 192.168.178.1

Remote network:

address 192.168.200.0/24
fritzbox 192.168.200.1

Doing an nslookup of the remote Fritz!Box gives exactly the same response on both machines:

[stefan@troja ~]$ nslookup fritzfn
Server:     192.168.178.5
Address:    192.168.178.5#53

Name:   fritzfn.fritz.box
Address: 192.168.200.1

[stefan@troja ~]$ ssh pihole nslookup fritzfn
Server:     192.168.178.5
Address:    192.168.178.5#53

Name:   fritzfn.fritz.box
Address: 192.168.200.1

Trying to ping the remote Fritz!Box fritzfn from both systems looks like this:

[stefan@troja ~]$ ping fritzfn
PING fritzfn.fritz.box (192.168.200.1) 56(84) bytes of data.
From p3e9bf2ae.dip0.t-ipconnect.de (62.155.242.174) icmp_seq=1 Destination Net Unreachable
From p3e9bf2ae.dip0.t-ipconnect.de (62.155.242.174) icmp_seq=2 Destination Net Unreachable
From p3e9bf2ae.dip0.t-ipconnect.de (62.155.242.174) icmp_seq=3 Destination Net Unreachable
From p3e9bf2ae.dip0.t-ipconnect.de (62.155.242.174) icmp_seq=4 Destination Net Unreachable
--- fritzfn.fritz.box ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3004ms

[stefan@troja ~]$ ssh pihole ping fritzfn
PING fritzfn.fritz.box (192.168.200.1) 56(84) bytes of data.
64 bytes from fritzfn.fritz.box (192.168.200.1): icmp_seq=1 ttl=63 time=48.3 ms
64 bytes from fritzfn.fritz.box (192.168.200.1): icmp_seq=2 ttl=63 time=34.6 ms
64 bytes from fritzfn.fritz.box (192.168.200.1): icmp_seq=3 ttl=63 time=36.8 ms

The routing tables on both machines indicate that traffic to 192.168.200.x should be routed via the default route:

[stefan@troja ~]$ ip route show
default via 192.168.178.1 dev eno1 proto dhcp metric 100 
10.10.10.0/24 dev cni-podman0 proto kernel scope link src 10.10.10.1 
10.88.2.0/24 dev cni-podman2 proto kernel scope link src 10.88.2.1 linkdown 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown 
192.168.178.0/24 dev eno1 proto kernel scope link src 192.168.178.46 metric 100 
192.168.222.0/24 dev virbr1 proto kernel scope link src 192.168.222.1 linkdown 

[stefan@troja ~]$ ssh pihole ip route show
default via 192.168.178.1 dev eth0 proto dhcp src 192.168.178.5 metric 202 
172.22.0.0/24 dev wg0 proto kernel scope link src 172.22.0.1 
192.168.178.0/24 dev eth0 proto dhcp scope link src 192.168.178.5 metric 202 

Now the question: why is traffic routing to the remote network 192.168.200.x different depending on the initiating host?

The problem is independent of the network interface. It exists when connected to my router via Ethernet or WiFi.

Check your DNS resolver configuration while connected to your VPN.

As shown in your logs, your attempt to ping the remote address is routed through your normal network connection doing an nslookup.

Because no route exists which knows where to find the hostname, you get destination unreachable.

Note the request is answered by

p3e9bf2ae.dip0.t-ipconnect.de

This is indeed strange. From all you have shown of the configuration, this should be sufficient for the Fritz!Box to route the traffic to the right interface/network, as it does for the pihole in the same network. Does the Fritz!Box have any routing settings? (I’m not familiar with these devices.)

This seems to be the external interface of the Fritz!Box so my guess is that the problem lies in the traffic management on the Fritz!Box. Does a traceroute from both machines give some leads as to where to look?

Thanks for your hints. In my case, there is no DNS resolver configuration which could be checked while connected to the VPN. The VPN is established directly between the two Fritz!Box routers. The Fritz!Box offers this functionality. This also means that the Fritz!Box should be aware of the routing between the 2 networks. I don’t understand what the difference is between my Manjaro box and the Raspberry Pi.

The complete network looks like this:

FritzBox1 ------------ VPN ----------- FritzBox2
192.168.178.1                          192.168.200.1
  |                                     |
  +--- troja (192.168.178.46)           ...
  |
  +--- pihole (192.168.178.5, nameserver)

When working on pihole, the connection to the remote network is working. Doing the same from troja leads to the effect described above.

Thanks Hanzel,

The server p3e9bf2ae.dip0.t-ipconnect.de is indeed the external interface provided by T-Online.
For me, the traceroute does not provide additional info:

[stefan@troja ~]$ traceroute fritzfn
traceroute to fritzfn (192.168.200.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.178.1)  12.736 ms  12.674 ms  12.643 ms
 2  p3e9bf2ae.dip0.t-ipconnect.de (62.155.242.174)  35.119 ms !N  35.084 ms !N  35.055 ms !N

[stefan@troja ~]$ ssh pihole traceroute fritzfn
traceroute to fritzfn (192.168.200.1), 30 hops max, 60 byte packets
 1  fritzbox.fritz.box (192.168.178.1)  0.549 ms  1.186 ms  1.129 ms
 2  fritzfn.fritz.box (192.168.200.1)  36.570 ms  45.627 ms  45.699 ms
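
Added example, not part of the original thread: the two traceroute runs above differ only in the second hop, and for a private target a public second hop with `!N` means the packet left through the WAN instead of the tunnel. The Python sketch below encodes that check; the function name `diagnose` and the verdict labels are assumptions made for illustration, and the sample text is the output posted above.

```python
import ipaddress
import re

HEADER = re.compile(r"traceroute to \S+ \((?P<dst>[\d.]+)\)")
HOP = re.compile(r"^\s*(?P<n>\d+)\s+\S+\s+\((?P<ip>[\d.]+)\)(?P<rest>.*)$")

# Output copied from the two traceroute runs in this thread.
TROJA = """\
traceroute to fritzfn (192.168.200.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.178.1)  12.736 ms  12.674 ms  12.643 ms
 2  p3e9bf2ae.dip0.t-ipconnect.de (62.155.242.174)  35.119 ms !N  35.084 ms !N  35.055 ms !N
"""
PIHOLE = """\
traceroute to fritzfn (192.168.200.1), 30 hops max, 60 byte packets
 1  fritzbox.fritz.box (192.168.178.1)  0.549 ms  1.186 ms  1.129 ms
 2  fritzfn.fritz.box (192.168.200.1)  36.570 ms  45.627 ms  45.699 ms
"""

def diagnose(text):
    """Classify one traceroute run towards a private (RFC 1918) target."""
    dst, hops = None, []
    for line in text.splitlines():
        header = HEADER.search(line)
        if header:
            dst = ipaddress.ip_address(header.group("dst"))
            continue
        hop = HOP.match(line)
        if hop:  # lines without a responding address ("* * *") are skipped
            hops.append((int(hop.group("n")),
                         ipaddress.ip_address(hop.group("ip")),
                         "!N" in hop.group("rest")))
    if dst is None:
        raise ValueError("no traceroute header found")
    result = {"target": str(dst), "verdict": "inconclusive", "hop": None,
              "address": None, "net_unreachable": False}
    if not dst.is_private:
        result["verdict"] = "target-not-private"
        return result
    for n, addr, unreachable in hops:
        if addr.is_global:  # a public hop on the way to a private target
            result.update(verdict="left-via-wan", hop=n, address=str(addr),
                          net_unreachable=unreachable)
            return result
    if hops and hops[-1][1] == dst:
        result.update(verdict="reached-via-tunnel", hop=hops[-1][0], address=str(dst))
    return result

if __name__ == "__main__":
    for name, sample in (("troja", TROJA), ("pihole", PIHOLE)):
        print(name, diagnose(sample))
```

A `left-via-wan` verdict with identical host routing tables points at the gateway's forwarding policy rather than at the client.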

Since the same gateway (192.168.178.1) decides the traffic from the Manjaro machine is routed to the internet, could there be a setting inside the Fritz!Box that only allows certain machines on the 192.168.178.x network to be routed to 192.168.200.x? From what I can read here (Dutch support page), the box has some options to restrict access to certain physical ports too.

Other than this I have no more ideas or advice to give.

Thanks Hanzel,

this was exactly the hint I was looking for. Sometimes I don’t see the forest among all those trees…
The Fritz!Box has advanced settings which allow limiting the VPN access to only specific devices in the local network. My Raspberry was part of this list. Unfortunately my Manjaro machine was not on it…

Thanks for your great support in this forum! :smiley:


Please don’t forget to mark @Hanzel for his solution.
