Page 1 of 1

Routed network does forward icmp but not http

Posted: Wed Jun 08, 2016 11:00 am
by 1001001
Hello everyone,

I just build a vpn setup that terminates into a Watchguard device.
The setup looks as follows.

1. The VPN Client (RB751G) connects to the VPN Server which has the IP Address 212.53.XXX.XXX
2. The VPN Client obtains a tunnel IP (local & remote) of 10.1.30.3 (local) and 10.1.30.1 (remote)
3. All traffic that is produced by clients connected to the VPN Client get routed out of the sstp-out interface
4. The VPN Server ist connected to the Watchguard with the IP address 10.10.0.2, while the Watchguard has the IP 10.10.0.1
5. All traffic coming from the VPN Client with the IP address 10.1.30.3 to the VPN server is routed from the VPN Server to the Watchguard (10.1.30.0/24 to 10.10.0.1 on interface ether1)

So far so good, the funny thing is everything seems to be setup just fine bute the only traffic i can push through this construct ist icmp. I can see http traffice traversing the interface to the watchguard but it doesn't reach the VPN Client. I am missing something but i don't know what.
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes src-address=10.1.30.0/24 \
    to-addresses=10.10.0.1
add action=masquerade chain=srcnat src-address=10.1.30.0/24 to-addresses=\
    10.10.0.1
add action=masquerade chain=srcnat dst-address=10.1.30.0/24
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=0.0.0.0/0 \
    new-routing-mark=vpn
add action=mark-routing chain=prerouting in-interface=ether1-Watchguard-egress \
    new-routing-mark=vpn-out src-address=0.0.0.0/0
add action=mark-routing chain=prerouting new-routing-mark=vpn src-address=\
    10.1.30.0/24
add action=mark-routing chain=prerouting dst-address=10.1.30.0/24 \
    new-routing-mark=vpn-out
/ip route
add distance=1 dst-address=10.1.30.0/24 gateway=10.10.0.1 routing-mark=vpn
add distance=2 gateway=212.53.XXX.XXX
/ip route rule
add routing-mark=vpn table=vpn
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  10.1.30.0/24                       10.10.0.1                 1
 1 A S  0.0.0.0/0                          212.53.151.1              2
 2 ADC  10.1.30.3/32       10.1.30.1       <sstp-test>               0
 3 ADC  10.10.0.0/24       10.10.0.2       ether1-Watchgua...        0
 4 ADC  172.16.30.0/24     172.16.30.6     local-bridge              0
 5 ADC  212.53.XXX.XXX/XX    212.53.XXX.XXX   ether2-gateway            0
 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   212.53.XXX.XXX/XX   212.53.XXX.XXX    ether2-gateway                           
 1   172.16.30.6/24     172.16.30.0     ether8-vpn-gateway                       
 2   10.10.0.2/24       10.10.0.0       ether1-Watchguard-egress                 
 3 XI 212.53.XXX.XXX/XX   212.53.XXX.XXX    ether7-failover-gateway                  
 4 D 10.1.30.1/32       10.1.30.3       <sstp-test> 

Re: Routed network does forward icmp but not http

Posted: Wed Jun 08, 2016 11:30 am
by pe1chl
When you make a TCP connection, do you get a connection that later gets stuck (no data), or is the connection
not established at all?

Re: Routed network does forward icmp but not http

Posted: Wed Jun 08, 2016 11:37 am
by 1001001
The connection gets established I can see it when I torch the interface that faces the Watchguard but the client doesn't receive the replies.

Re: Routed network does forward icmp but not http

Posted: Wed Jun 08, 2016 12:35 pm
by pe1chl
Then it is a MTU problem, usually combined with bad firewall configuration.
You need to make sure that ICMP is not dropped.
But it usually does not hurt to add a "clamp MSS to PMTU" rule for protocol TCP in the mangle table.

Re: Routed network does forward icmp but not http

Posted: Wed Jun 08, 2016 12:41 pm
by BartoszP
To see what value of MTU is the problem just ping with larger packets and watch when it stops working.

Re: Routed network does forward icmp but not http

Posted: Wed Jun 08, 2016 12:52 pm
by 1001001
Then it is a MTU problem, usually combined with bad firewall configuration.
You need to make sure that ICMP is not dropped.
But it usually does not hurt to add a "clamp MSS to PMTU" rule for protocol TCP in the mangle table.
Ok, how would i set this rule? I have never done that before.

Edit: ICMP packets are the only ones that can traverse the network, everything else gets lost at the VPN server.

Re: Routed network does forward icmp but not http

Posted: Wed Jun 08, 2016 12:53 pm
by 1001001
To see what value of MTU is the problem just ping with larger packets and watch when it stops working.
It stops after a packet size of 1500.

Re: Routed network does forward icmp but not http

Posted: Wed Jun 08, 2016 2:41 pm
by pe1chl
Then it is a MTU problem, usually combined with bad firewall configuration.
You need to make sure that ICMP is not dropped.
But it usually does not hurt to add a "clamp MSS to PMTU" rule for protocol TCP in the mangle table.
Ok, how would i set this rule? I have never done that before.

Edit: ICMP packets are the only ones that can traverse the network, everything else gets lost at the VPN server.
The way to insert such a rule would be:
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
Paste this in a terminal window.
It is not necessary in a network where everything w.r.t. ICMP processing works OK, but unfortunately that
is often not the case.
It may be that you need to do a similar thing inside the VPN server.

Re: Routed network does forward icmp but not http

Posted: Wed Jun 08, 2016 3:49 pm
by 1001001
Ok, I've put it in the config but it didn't have the desired effect. The problem still exists. ICMP works, TCP doesn't.

Re: Routed network does forward icmp but not http

Posted: Wed Jun 08, 2016 5:15 pm
by pe1chl
Then you can change it from "clamp to PMTU" into some fixed value that is small enough for the VPN that
you are using. When in doubt, try 1280 and when worried about small performance differences increase
it until it again fails.

Re: Routed network does forward icmp but not http

Posted: Wed Jun 08, 2016 5:31 pm
by 1001001
Tried that too, didn't work either. I'm starting to think that its more of a routing problem. If it would be the mtu then I think I wouldn't see the tcp traffic flowing into the interface thats connected to the Watchguard and coming out of the Watchguard.

Just to be clear the traffic traverses the network from VPN client to VPN server to watchguard just fine, it even comes back into the Watchguard connected interface but is then not forwarded to the VPN (sstp) client interface. Thats why I belive that something must be amiss with the VPN Server configuration but I can't find anything.

Re: Routed network does forward icmp but not http

Posted: Thu Jun 09, 2016 9:01 am
by 1001001
bump.

Re: Routed network does forward icmp but not http

Posted: Thu Jun 09, 2016 10:46 am
by pe1chl
The problem is probably not inside the MikroTik but in one of your other devices or networks.
You will need to debug this yourself as this is too specific to know what is happening from the outside.

Re: Routed network does forward icmp but not http

Posted: Thu Jun 09, 2016 11:08 am
by 1001001
That's not very helpful. Since every attempt to establish a connection fail at the VPN Server the problem has to be there. Someone here has to have had a similar experience with a similar setup its not that exotic. I'm just routing traffic out a specific interface and don't get it routed back. I tried playing with routes but none will take, tried some mangle rules didn't help. Could it be a nat problem?

Re: Routed network does forward icmp but not http

Posted: Thu Jun 09, 2016 11:44 am
by pe1chl
As I said, you'll need to diagnose it yourself.
Use the packet sniffer tool to look at the network traffic at the different interfaces and see where it fails and why.

Re: Routed network does forward icmp but not http

Posted: Thu Jun 09, 2016 12:23 pm
by 1001001
We'll did a packet capture, which as I expected didn't tell me anything new. The traffic comes in one interface and doesn't go out the other. ... I don't get it ... this is a real bummer.

Is there another way to implement a network where traffic from a VPN client is forwarded through the VPN Server to another device that does packet filtering?