**** BEGIN LOGGING AT Thu Dec 09 02:59:56 2021
Dec 09 14:52:43 networking SOS please :-)
Dec 09 14:53:24 ?
Dec 09 14:53:46 lemme guess - you need a tunnel/vpn of some sort?
Dec 09 14:54:09 https://paste.debian.net/1222770/
Dec 09 14:54:17 ah, nevermind :)
Dec 09 14:54:51 i have the scenario in this paste - is there anything i could/should do to make pings work from wlan0 to lxcbr0 ?
Dec 09 14:55:10 from wlan0 to lxcbr0?
Dec 09 14:55:48 I don't think ping -I wlan0 does what you expected
Dec 09 14:56:00 yes :-(
Dec 09 14:56:22 you basically want to test if your lxc container is reachable from another computer connected to the wifi network?
Dec 09 14:56:28 it sends it out the default gw, which of course doesn't know about 10.0.3.0/24 network
Dec 09 14:56:43 bencoh: yes, something like that :-)
Dec 09 14:57:06 you'll need a bit more than just ip_forward then
Dec 09 14:57:22 not masquerade, i hope :-/
Dec 09 14:58:01 if you only want lxc->world, then masquerade
Dec 09 14:58:03 (it's not that hard)
Dec 09 14:58:32 if you also want world->lxc, then you need to NOT use nat/masquerade, AND setup routes both ways
Dec 09 14:58:47 but first you also need to set /proc/sys/net/ipv4/conf/eth0/forwarding for every interface involved
Dec 09 14:58:52 in your case, lxc0 and wlan0
Dec 09 14:59:33 and you need to set routes both ways, ie the remote computer needs to know how to reach the lxc
Dec 09 15:00:12 right. maybe let me ask the real question (i was simplifying a bit here, because of a quick test i made on my laptop)
Dec 09 15:00:19 (or the router, if you intend to connect your lxc to the world without masquerading on the laptop)
Dec 09 15:03:59 bencoh: https://paste.debian.net/1222775/
Dec 09 15:04:55 i want that .106 to be pingable from the internet. .105 is pingable, and ISP routes the .104/29 block to this router. so ISP part seems ok
Dec 09 15:05:30 you need a static route on the router
Dec 09 15:05:31 i don't have access to .106 (maybe they have wrong gw set, or something). what i need is to be sure that there's no mistake in the way things are configured in this router
Dec 09 15:05:41 and set that address on one of the computers
Dec 09 15:05:55 (at least that's one way of doing it)
Dec 09 15:06:44 you need a static route on the router .... static route pointing to?
Dec 09 15:21:21 i'm asking because there is a route in the router for the .104/29 network
Dec 09 15:33:57 ah nevermind
Dec 09 15:34:14 I missed the fact that the /29 is routed to the lan
Dec 09 15:34:54 who is .106?
Dec 09 15:36:36 a Fortigate Firewall. i have no access to it. (actually i work for the ISP ... so my jurisdiction stops at the router. client says they can't do GRE tunnels in their firewall because we're blocking stuff. but we're not) :-)
Dec 09 15:37:29 at that point I'd tcpdump on mikrotik and make sure packets from the outside are properly forwarded toward .106
Dec 09 15:37:32 i asked their tech guy to plug in a laptop on that ether3, and set it to have .106. it didn't make a difference (although now i can't be sure if he did it right)
Dec 09 15:38:02 at least something pings
Dec 09 15:39:28 unfortunately he was also in a rush (covid scare in their office), so we couldn't do further tests. what i don't understand is why i can't ping the .106 from within the router if i specify src address to be the 75.54.
Dec 09 15:40:10 i *think* the router should 'see' that the requested address is already routed in local table, so no need to send it to default gw
Dec 09 15:40:44 anyway, i'm trying to be absolutely sure this router is correctly configured
Dec 09 15:42:37 linux has a setting to drop packets with a dst addr not matching the interface address
Dec 09 15:42:50 it might be enabled on your mikrotik
Dec 09 15:43:35 (although I don't know how it would behave on interface with forwarding enabled)
Dec 09 15:45:30 i should think since the Mikrotik is specifically meant to operate as a router, those settings default to the right thing
Dec 09 15:45:42 but yes, thanks for checking
Dec 09 15:46:10 anyway I'd still just tcpdump on mikrotik
Dec 09 15:46:18 and try pinging from the outside
Dec 09 15:46:36 just to make sure packets go out, and that you don't get any answer
Dec 09 15:46:41 i did. let me see if i can share a paste
Dec 09 15:48:57 bencoh: https://paste.debian.net/1222781/
Dec 09 15:50:53 and no answer?
Dec 09 15:50:55 well then ...
Dec 09 15:51:21 looks like the fortigate filters traffic (?)
Dec 09 15:53:10 it does respond when pinged from .105 though
Dec 09 15:53:51 which is why I said it's probably filtering
Dec 09 15:54:03 and ping also didn't work when a laptop was connected instead of firewall (assuming it was configured correctly)
Dec 09 15:54:18 i didn't to a tcpdump at that time though, unfortunately
Dec 09 15:54:41 s/to/do/
Dec 09 15:55:26 i do think the problem is on their side (firewall). just wanted to be sure i'm not the one with bad config to begin with :-)
**** ENDING LOGGING AT Fri Dec 10 02:59:56 2021