• FirewallD on a Debian router : can't forward any packets

    From Nicolas Kovacs@3:633/10 to All on Wednesday, January 28, 2026 16:40:01
    Hi,

    I'm currently replacing Rocky Linux 8 on a routerboard in my office by
    Debian 13, and I have some trouble getting packet forwarding working
    with FirewallD.

    Side note 1: to keep things simple, I'm working directly as root in the examples below.

    Side note 2: Yes, I want to use FirewallD. No, I don't want to use $OTHER_FIREWALL.


    Configuration
    -------------

    The routerboard has two NICs, enp1s0 (192.168.2.251) and enp2s0
    (192.168.3.1).

    I have set up a sandbox PC with a static 192.168.3.10 address, using 192.168.3.1 as gateway, just to test packet forwarding.


    Old setup under Rocky Linux 8
    -----------------------------

    Here's what the default setup looked like under Rocky Linux 8:

    # firewall-cmd --list-all
    public (active)
    target: default
    icmp-block-inversion: no
    interfaces: enp1s0 enp2s0
    sources:
    services: cockpit dhcpv6-client ssh
    ports:
    protocols:
    forward: no
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    I associated the enp1s0 interface with the external zone:

    # firewall-cmd --permanent --zone=external --change-interface=enp1s0
    The interface is under control of NetworkManager, setting zone to
    'external'.
    success
    # firewall-cmd --reload
    success
    # firewall-cmd --list-all --zone=external
    external (active)
    target: default
    icmp-block-inversion: no
    interfaces: enp1s0
    sources:
    services: ssh
    ports:
    protocols:
    forward: no
    masquerade: yes
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    And then I associated the enp2s0 interface with the internal zone and
    declared it as default:

    # firewall-cmd --permanent --zone=internal --change-interface=enp2s0
    The interface is under control of NetworkManager, setting zone to
    'internal'.
    success
    # firewall-cmd --set-default-zone=internal
    success
    # firewall-cmd --reload
    success
    # firewall-cmd --list-all
    internal (active)
    target: default
    icmp-block-inversion: no
    interfaces: enp2s0
    sources:
    services: cockpit dhcpv6-client mdns samba-client ssh
    ports:
    protocols:
    forward: no
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    And that was all I had to do. Starting from there I could open a session
    on my 192.168.3.10 sandbox host and successfully ping 192.168.3.1 as
    well as 192.168.2.1. IP forwarding worked out of the box.


    New setup under Debian 13
    -------------------------

    I wanted to use this same setup under Debian 13. So first I installed FirewallD:

    # apt update && apt install -y firewalld

    The service gets started automatically; no need to take care of that.

    In Debian's default configuration, the external zone is not associated
    with anything:

    # firewall-cmd --list-all --zone=external
    external
    target: default
    ingress-priority: 0
    egress-priority: 0
    icmp-block-inversion: no
    interfaces:
    sources:
    services: ssh
    ports:
    protocols:
    forward: yes
    masquerade: yes
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    So I'll associate the enp1s0 interface with that zone:

    # firewall-cmd --permanent --zone=external --change-interface=enp1s0
    success
    # firewall-cmd --reload
    success
    # firewall-cmd --list-all --zone=external
    external (active)
    target: default
    ingress-priority: 0
    egress-priority: 0
    icmp-block-inversion: no
    interfaces: enp1s0
    sources:
    services: ssh
    ports:
    protocols:
    forward: yes
    masquerade: yes
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    Conversely, I'll associate the enp2s0 interface with the internal zone and
    set it as default, like I did on my old setup:

    # firewall-cmd --permanent --zone=internal --change-interface=enp2s0
    success
    # firewall-cmd --set-default-zone=internal
    success
    # firewall-cmd --reload
    success
    # firewall-cmd --list-all
    internal (default, active)
    target: default
    ingress-priority: 0
    egress-priority: 0
    icmp-block-inversion: no
    interfaces: enp2s0
    sources:
    services: dhcpv6-client mdns samba-client ssh
    ports:
    protocols:
    forward: yes
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    I open a session on my sandbox client with a static 192.168.3.10 IP
    address and 192.168.3.1 defined as the gateway. I can ping my
    routerboard OK:

    $ ping -c 1 -q 192.168.3.1
    PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.

    --- 192.168.3.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.387/0.387/0.387/0.000 ms

    Unfortunately I can't ping anything on the outside:

    $ ping 192.168.2.1
    PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
    From 192.168.3.1 icmp_seq=1 Packet filtered
    From 192.168.3.1 icmp_seq=2 Packet filtered
    From 192.168.3.1 icmp_seq=3 Packet filtered
    From 192.168.3.1 icmp_seq=4 Packet filtered
    ^C
    --- 192.168.2.1 ping statistics ---
    4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3069ms

    Any suggestions?

    Cheers from the sunny South of France,

    Niki

    --
    Microlinux - Solutions informatiques durables
    7, place de l'Église - 30730 Montpezat
    Site : https://www.microlinux.fr
    Blog : https://www.microlinux.fr/blog
    Mail : info@microlinux.fr
    Tél. : 04 66 63 10 32
    Mob. : 06 51 80 12 12

    --- PyGate Linux v1.5.6
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From basti@3:633/10 to All on Wednesday, January 28, 2026 18:10:01
    Hello,

    I don't know firewalld, but keep in mind that Debian 13 will use nftables.

    Best regards

    On 28.01.26 at 16:36, Nicolas Kovacs wrote:
    [...]
  • From Nicolas Kovacs@3:633/10 to All on Wednesday, January 28, 2026 18:30:01
    On 28/01/2026 at 17:42, basti wrote:
    I don't know firewalld, but keep in mind that Debian 13 will use nftables.

    FirewallD is a frontend to nftables under Debian 13 (like ufw).

  • From Joe@3:633/10 to All on Wednesday, January 28, 2026 20:00:01
    On Wed, 28 Jan 2026 16:36:28 +0100
    Nicolas Kovacs <info@microlinux.fr> wrote:

    First check what systemd knows about IP forwarding. Either

    # sysctl net.ipv4.ip_forward

    # cat /proc/sys/net/ipv4/ip_forward

    will return 0 for disabled, 1 for enabled.

    If you get a 0 return, try

    # echo 1 > /proc/sys/net/ipv4/ip_forward

    and see if forwarding is now working. If so, there is a line in
    /etc/sysctl.conf, net.ipv4.ip_forward = n, which may be either zero or
    commented out; set it to 1.

    There is also a .d directory alternative (better) where you may create
    this line in a numbered file, and maybe need to create the directory
    first. It's easiest to check that it works first as a line in
    sysctl.conf.

    Debian and, I think, other distributions disable forwarding by default,
    i.e. it must be user-enabled. I don't believe any firewall enables it
    automatically. There are many places where it may be set during boot, in
    a script, so best check first whether it is already enabled and the
    problem is somewhere else.

    --
    Joe
  • From tomas@3:633/10 to All on Wednesday, January 28, 2026 20:10:02
    On Wed, Jan 28, 2026 at 04:36:28PM +0100, Nicolas Kovacs wrote:
    Hi,

    I'm currently replacing Rocky Linux 8 on a routerboard in my office by
    Debian 13, and I have some trouble getting packet forwarding working with FirewallD.

    Side note 1: to keep things simple, I'm working directly as root in the examples below.
    No idea about firewalld, so take this with a grain of salt. What
    sticks out for me is:
    [...]
    Old setup under Rocky Linux 8
    -----------------------------
    [...]
    external (active)
    [...]
    forward: no
    masquerade: yes
    [...]
    internal (active)
    [...]
    forward: no
    masquerade: no
    [...]
    New setup under Debian 13
    -------------------------
    [...]
    external (active)
    [...]
    forward: yes
    masquerade: yes
    [...]
    internal (default, active)
    [...]
    forward: yes
    masquerade: no
    [...]
    I.e. in your old setup you have "forward: no" on both interfaces, in the
    new it's "forward: yes" on both. Masquerade values are equal on both
    setups (i.e. "yes" on the external). IIUC you don't want forwarding,
    just masquerading on the external interface, since the internal network
    is a NAT.
    But, as I said, grain of salt and all that :-)
    Cheers
    --
    tomás
  • From basti@3:633/10 to All on Wednesday, January 28, 2026 20:10:02
    /etc/sysctl.conf is not used anymore.
    Use the /etc/sysctl.d directory.

    It was discussed here a few days ago; see
    man sysctl.conf(5)

    On 28.01.26 at 19:52, Joe wrote:
    [...]
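The checks the thread has accumulated so far (Joe's ip_forward test, the zone fields from Niki's firewall-cmd output, and the client's ping transcript), combined into one offline diagnostic; this is an added example, not code from any poster. It goes one step beyond the thread in one respect: it reads the "Packet filtered" replies as ICMP administratively-prohibited messages, i.e. the router's own filter rejecting the packet, which a kernel with ip_forward=0 would not send. Function names and the sample dumps are constructed.

```shell
# Added example, not from any poster: the checks discussed in this thread
# run offline against captured text (zone dumps, ip_forward value, ping output).

# Print one "key: value" field from a firewall-cmd --list-all dump read on
# stdin, e.g. `zone_field forward` prints "yes" or "no".
zone_field() {
    awk -v key="$1:" '$1 == key { sub(/^[^:]*: ?/, ""); print; exit }'
}

# $1 is the content of /proc/sys/net/ipv4/ip_forward (Joe's check).
kernel_forwarding_on() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Classify the client's ping output. "Packet filtered" is how ping prints
# ICMP destination unreachable, code 13 (administratively prohibited): the
# host after "From" actively rejected the packet, which points at a reject
# rule on the router; a kernel with ip_forward=0 would stay silent instead.
ping_verdict() {
    case "$1" in
        *"Packet filtered"*) echo rejected ;;   # a filter on the gateway said no
        *" 0 received"*)     echo silent ;;     # dropped or never forwarded
        *)                   echo ok ;;
    esac
}

# "<zone>: forward=.. masquerade=.." for the dump in $2 (zone name in $1).
zone_summary() {
    printf '%s: forward=%s masquerade=%s\n' "$1" \
        "$(printf '%s\n' "$2" | zone_field forward)" \
        "$(printf '%s\n' "$2" | zone_field masquerade)"
}

# $1 = ip_forward value, $2/$3 = external/internal zone dumps, $4 = ping output.
forwarding_report() {
    if kernel_forwarding_on "$1"; then echo "kernel: ip_forward=1"
    else echo "kernel: ip_forward=0 (persist net.ipv4.ip_forward = 1 in /etc/sysctl.d/)"
    fi
    zone_summary external "$2"
    zone_summary internal "$3"
    echo "client ping: $(ping_verdict "$4")"
}

# Constructed samples, reduced to the fields from Niki's Debian 13 post.
EXT_ZONE='external (active)
  forward: yes
  masquerade: yes'
INT_ZONE='internal (default, active)
  forward: yes
  masquerade: no'
PING_OUT='From 192.168.3.1 icmp_seq=1 Packet filtered
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3069ms'

forwarding_report 1 "$EXT_ZONE" "$INT_ZONE" "$PING_OUT"
```

Feed it real captures (`cat /proc/sys/net/ipv4/ip_forward`, `firewall-cmd --list-all --zone=...`, the ping transcript from the client) to see which layer is saying no before changing any configuration.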
  • From Nicolas Kovacs@3:633/10 to All on Friday, January 30, 2026 12:50:02
    On 28/01/2026 at 19:52, Joe wrote:
    First check what systemd knows about IP forwarding. Either

    # sysctl net.ipv4.ip_forward

    Hi everybody,

    I found the answer. It's more complicated, but here's the detail:

    https://www.microlinux.fr/blog/debian-13-firewalld/#configurer-le-relais-des-paquets

    Cheers,

    Niki
