
Linux ping is routed correctly and then dropped


I have two routers that are connected via WireGuard. Access to the internet via wg works fine, but I would like to access my PI attached to routerS.

From routerS, I can happily ping the locally attached PI (OutputInfo line below). An identical ping from routerT (FwdInfo line below) is received by routerS and seems ready to FORWARD to the correct OUT=br-lan interface, but instead routerT replies with ICMP TYPE=3 CODE=3 (FailInfo line below).

routerS kernel: [95228.293520] OutputInfo IN=    OUT=br-lan      SRC=192.168.0.1     DST=192.168.0.80 LEN=978 TOS=0x00 PREC=0x00 TTL=64 ID=28681 DF PROTO=ICMP TYPE=8 CODE=0 ID=29579 SEQ=0 okPingFromRouterS    
routerS kernel: [37413.743406] FwdInfo    IN=wg0 OUT=br-lan MAC= SRC=192.168.219.246 DST=192.168.0.80 LEN=978 TOS=0x00 PREC=0x00 TTL=63 ID=5115  DF PROTO=ICMP TYPE=8 CODE=0 ID=14595 SEQ=0 failedPingFromRouterT    
routerS kernel: [37413.758681] FailInfo   IN= OUT=wg0            SRC=192.168.219.247 DST=192.168.219.246 LEN=576 TOS=0x00 PREC=0xC0 TTL=64 ID=21316 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.219.246 DST=192.168.0.80 LEN=978 TOS=0x00 PREC=0x00 TTL=63 ID=5115 DF PROTO=ICMP TYPE=8 CODE=0 ID=14595 SEQ=0 ]   FailureResponseMessage
# packet logging from iptables

Routing appears to be straightforward, but clearly I am missing something. There is a separate routing table (200) for packets originating from br-lan, but I think that should not matter here.

root@routerS:~# ip route
default via 192.168.8.1 dev eth0.2 proto static src 192.168.8.84
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
192.168.8.0/24 dev eth0.2 proto kernel scope link src 192.168.8.84
192.168.219.246/31 dev wg0 proto kernel scope link src 192.168.219.247

root@routerS:~# ip rule
0:      from all lookup local
1:      from all iif br-lan lookup 200
32766:  from all lookup main
32767:  from all lookup default

root@routerS:~# ip route show table 200
default dev wg0 proto static scope link

Why is the forwarded ping not being forwarded to the PI?
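
A way to read the FwdInfo and FailInfo lines together, as an added example that is not part of the original post: it parses netfilter LOG lines, matches the packet quoted inside an ICMP error to the earlier logged packet by SRC, DST and IP ID, and reports which address sent the error. The function names are hypothetical and the sample lines are the post's own with the padding collapsed.

```python
import re

# Constructed sample: the FwdInfo and FailInfo lines from the post, padding collapsed.
SAMPLE = [
    "routerS kernel: [37413.743406] FwdInfo IN=wg0 OUT=br-lan MAC= SRC=192.168.219.246 "
    "DST=192.168.0.80 LEN=978 TOS=0x00 PREC=0x00 TTL=63 ID=5115 DF PROTO=ICMP TYPE=8 "
    "CODE=0 ID=14595 SEQ=0 failedPingFromRouterT",
    "routerS kernel: [37413.758681] FailInfo IN= OUT=wg0 SRC=192.168.219.247 "
    "DST=192.168.219.246 LEN=576 TOS=0x00 PREC=0xC0 TTL=64 ID=21316 PROTO=ICMP TYPE=3 "
    "CODE=3 [SRC=192.168.219.246 DST=192.168.0.80 LEN=978 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=5115 DF PROTO=ICMP TYPE=8 CODE=0 ID=14595 SEQ=0 ] FailureResponseMessage",
]

UNREACH = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}
KV = re.compile(r"(\w+)=(\S*)")
QUOTED = re.compile(r"\[(SRC=[^\]]*)\]")  # original packet quoted inside an ICMP error


def fields(text):
    out = {}
    for key, value in KV.findall(text):
        out.setdefault(key, value)  # first ID= is the IP ID, the later one the ICMP echo ID
    return out


def parse(line):
    quoted = QUOTED.search(line)
    pkt = fields(QUOTED.sub("", line))  # outer header only, quoted packet cut out
    pkt["QUOTED"] = fields(quoted.group(1)) if quoted else None
    return pkt


def explain_errors(lines):
    seen, findings = {}, []
    for pkt in map(parse, lines):
        q = pkt["QUOTED"]
        if pkt.get("PROTO") == "ICMP" and pkt.get("TYPE") == "3" and q:
            orig = seen.get((q["SRC"], q["DST"], q["ID"]))
            findings.append({
                "reason": UNREACH.get(int(pkt["CODE"]), "code " + pkt["CODE"]),
                "error_from": pkt["SRC"],
                "locally_generated": pkt["IN"] == "",  # empty IN=: built on this host
                "original_path": (orig["IN"], orig["OUT"]) if orig else None,
            })
        else:
            seen[(pkt.get("SRC"), pkt.get("DST"), pkt.get("ID"))] = pkt
    return findings


if __name__ == "__main__":
    print(explain_errors(SAMPLE))
```

On the sample it reports a locally generated port unreachable sent from 192.168.219.247, the wg0 source address in the ip route output of routerS, for the packet logged as IN=wg0 OUT=br-lan. ICMP port unreachable is also the default reply type of the iptables REJECT target.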

Do you have IP forwarding enabled in kernel?
Scott Wise
Yes. Forwarding is enabled