
First I'll describe my LAN layout. I have 2 networks (scheme: http://take.ms/s3CSy):

  1. 192.168.0.0 / 255.255.255.0, router ASUS RT-N65U with internal IP 192.168.0.1, static external IP without NAT: 1.2.3.4. The router runs a PPTP VPN server; VPN LAN IP range 172.16.0.0/255.255.255.0, VPN server IP 172.16.0.1, MTU/MRU 1300. My laptop (laptop #1) is in this network now.
  2. 192.168.2.0 / 255.255.255.0, router ZyXEL Keenetic 4G with internal IP 192.168.2.1, dynamic external IP behind NAT: 10.0.0.1. All clients are connected to a Cisco SG200-26P switch.

In the second LAN I have a web server running Debian Linux with a PPTP VPN client installed. The PPTP client connects to the router in the first LAN and obtains the IP 172.16.0.11. Immediately after connecting, the pptp client adds two routes:

ip route add 172.16.0.0/24 dev ppp0
ip route add 192.168.0.0/24 dev ppp0

So the route table on the VPN client (web server) is:

root@system:~# ip route
default via 192.168.2.1 dev eth0 
1.2.3.4 via 192.168.2.1 dev eth0  src 192.168.2.3 
172.16.0.0/24 dev ppp0  scope link 
172.16.0.1 dev ppp0  proto kernel  scope link  src 172.16.0.11
192.168.0.0/24 dev ppp0  scope link 
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.3 

On the web server, "iptables -L -v -n" shows an empty table.

Route table on the VPN server (ASUS RT-N65U router):

/home/root # ip route
default via 2.3.4.5 dev ppp0 
2.3.4.5 dev ppp0  proto kernel  scope link  src 1.2.3.4 
127.0.0.0/8 dev lo  scope link 
172.16.0.12 dev ppp10  proto kernel  scope link  src 172.16.0.1 
192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.1 
192.168.2.0/24 dev ppp10  scope link 

On the ASUS RT-N65U router I also have DynDNS activated (domain home.example.com) and 2 port forwarding rules:

1. Synology NAS web remote access: Remote port 6667, local IP: 192.168.0.2, local port 5000, Protocol BOTH (TCP & UDP)
2. Web server remote access: Remote port 6668, local IP: 192.168.2.3, local port 80, Protocol BOTH (TCP & UDP)

When I try to access the web server (URL http://192.168.2.3:80) from my laptop in the first LAN, there is no problem; everything works like a charm.

But if I try to access the web server from some other laptop (laptop #2 on the scheme) via the URL http://1.2.3.4:6668, I get "page not found". If I try to access the Synology the same way, there is no problem.

I installed tcpdump on the web server and captured packets:

  1. Access from the laptop in the first LAN: all seems good. PCAP file: https://www.dropbox.com/s/pvg5rd4rw5omz9z/fromlan.pcap?dl=0
  2. Access from the remote host: I see that my web server receives SYN packets but doesn't send ACK packets back to the client. PCAP file: https://www.dropbox.com/s/hxfxudtrre12i7s/fromremote.pcap?dl=0

I installed iptstate on the web server; it shows the connection from the remote host:

Source                      Destination                Prt State         TTL
199.58.86.207:58540         192.168.2.3:80             tcp SYN_RECV      0:00:59

Where is the problem?

Maybe it is a routing problem: packets from the remote host arrive via the VPN route, but the replies go out via the default route (through 192.168.2.1)?

Aydar

1 Answer


The problem was a route on the web server:

For testing I added a route to 199.58.86.0/24 through the ppp0 interface, and the page opened successfully.

Aydar
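The answer above is the whole diagnosis in one line: the SYN comes in over ppp0 (forwarded by the ASUS router), but the longest-prefix match for the reply destination 199.58.86.207 only hits the default route, so the SYN-ACK leaves via eth0 and the ZyXEL NAT, where it can never reach the client. The following script is an added example, not code from the question or answer: it replays the kernel's longest-prefix-match lookup over the route table posted in the question, shows the asymmetric reply path before the fix and the symmetric one after the answer's extra route, and flags asymmetric flows from a list of captured SYNs. The route table is copied from the question; the flow list and the function names are constructed for this example. The lookup ignores metrics, policy rules (ip rule) and rp_filter, which is enough to reproduce this case.

```python
import ipaddress

# Route table of the web server (VPN client) as posted in the question,
# before the fix: (prefix, gateway or None for on-link, device).
ROUTES_BEFORE = [
    ("0.0.0.0/0",      "192.168.2.1", "eth0"),   # default via the ZyXEL
    ("1.2.3.4/32",     "192.168.2.1", "eth0"),   # host route to the PPTP server
    ("172.16.0.0/24",  None,          "ppp0"),
    ("172.16.0.1/32",  None,          "ppp0"),
    ("192.168.0.0/24", None,          "ppp0"),
    ("192.168.2.0/24", None,          "eth0"),
]

# The route the answer added for testing.
FIX_ROUTE = ("199.58.86.0/24", None, "ppp0")

# Constructed "captured SYNs": (client source IP, interface the SYN arrived on).
CAPTURED_SYNS = [
    ("192.168.0.10",  "ppp0"),   # laptop #1 in the first LAN, via the tunnel
    ("199.58.86.207", "ppp0"),   # remote laptop #2, forwarded through the tunnel
    ("192.168.2.5",   "eth0"),   # a host on the second LAN
]


def lookup(routes, dst):
    """Longest-prefix-match route lookup for dst.

    Returns (device, gateway). Mirrors the kernel FIB lookup for a single
    table; metrics, policy rules and rp_filter are deliberately ignored.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[1]


def reply_path(routes, client_ip, ingress_dev):
    """Describe where the SYN-ACK to client_ip leaves and whether that
    matches the interface the SYN arrived on."""
    dev, via = lookup(routes, client_ip)
    return {"egress": dev, "via": via, "symmetric": dev == ingress_dev}


def flag_asymmetric(routes, flows):
    """Return the client IPs whose replies would leave on a different
    interface than their SYN arrived on (the failure mode in the question)."""
    return [ip for ip, ingress in flows
            if not reply_path(routes, ip, ingress)["symmetric"]]


if __name__ == "__main__":
    for ip, ingress in CAPTURED_SYNS:
        before = reply_path(ROUTES_BEFORE, ip, ingress)
        after = reply_path(ROUTES_BEFORE + [FIX_ROUTE], ip, ingress)
        print(f"{ip:16} in={ingress}  reply before fix: {before['egress']} "
              f"(symmetric={before['symmetric']})  after fix: {after['egress']} "
              f"(symmetric={after['symmetric']})")
    print("asymmetric before fix:", flag_asymmetric(ROUTES_BEFORE, CAPTURED_SYNS))
    print("asymmetric after fix: ", flag_asymmetric(ROUTES_BEFORE + [FIX_ROUTE], CAPTURED_SYNS))
```

Running it shows 199.58.86.207 as the only asymmetric flow before the fix and none after it, which is exactly what the tcpdump and the SYN_RECV entry in iptstate were saying. A per-/24 route like the one in the answer only works for that one client network; the general fix on Linux is policy routing, for example marking connections that arrive on ppp0 with iptables CONNMARK and adding an `ip rule` that sends packets carrying that mark to a routing table whose default route points at ppp0, so replies always go back out the interface the request came in on.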