Can't connect to several devices in Default VLAN from other VLANs

I’ve been troubleshooting an unusual VLAN connectivity issue. Specifically, I’m unable to ping both a Linux and a Windows 11 machine located in the default network (192.168.40.0/24) from other VLANs such as Users (10/24), VLAN 20 (20/24), and VPN (2/24). However, these devices are reachable from within the default network itself. And I’m able to connect to every single device across VLANs from within default.

The target machine, 192.168.40.15 (astra), is a Docker server that I would like to make accessible from the mentioned VLANs.

Below is a summary of ping results from the VPN network (192.168.2.2) to various IPs. My primary concern is the inability to reach astra (192.168.40.15), while other devices in the same subnet respond successfully:

| IP Address | Status | Source Machine |
|---|---|---|
| 192.168.20.166 | Failed | No |
| 192.168.40.1 | Success | No |
| 192.168.40.2 | Success | No |
| 192.168.40.3 | Success | No |
| 192.168.40.5 | Failed | No |
| 192.168.40.10 | Success | No |
| 192.168.40.12 | Success | No |
| 192.168.40.15 | Failed | No |
| 192.168.40.20 | Success | No |
| 192.168.40.23 | Success | No |
| 192.168.40.233 | Success | No |
| 192.168.40.30 | Success | No |
| 192.168.54.1 | Success | No |
| 192.168.54.25 | Failed | No |

Please find the UniFi firewall rules below in case I’ve missed something obvious. The OS-level firewalls on the target machines are disabled.

I’ve not enabled any port isolation or other properties at the n/w level and the configuration is identical to other devices I’m able to ping.

I’d really appreciate any pointers. I’ve been scratching my head for far too long.

If you can reach some IPs from the VPN but not others and you don’t have any specific IPs in the rules, it’s not the firewall. Assuming the firewall on the host you are trying to reach is disabled, the two common issues that stop routing from working are overlapping networks that might exist on those hosts, or not having the gateway set up on the host you can’t reach, which means it would not know where to return the traffic. If that host can get out to the internet then that’s not the issue. Also, do you have any policy routing on the UniFi for those hosts that cannot be reached?

You nailed the issue with the overlapping network ranges, and Docker is indeed the culprit.

Here’s how I temporarily resolved it: From my VPN, I SSH’d into 192.168.40.2, then from there to 192.168.40.15 (the machine I couldn’t reach directly from the VPN). I couldn’t ping the VPN device at 192.168.2.2 due to a conflicting Docker network, as you pointed out. The routing table confirmed this overlap. By adding a static route with sudo ip route add 192.168.2.0/24 via 192.168.40.1 dev eno1, I can now ping 192.168.2.2 successfully.

Next, I need to figure out how to reconfigure Docker to avoid using IP ranges that overlap with my home network. Thank you so much for the help!

❯ ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2) 56(84) bytes of data.
From 192.168.0.1 icmp_seq=1 Destination Host Unreachable
From 192.168.0.1 icmp_seq=2 Destination Host Unreachable
From 192.168.0.1 icmp_seq=3 Destination Host Unreachable
^C
--- 192.168.2.2 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3084ms
pipe 4
❯ ip r
default via 192.168.40.1 dev eno1 proto dhcp src 192.168.40.15 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-b9c741a5d16e proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev br-211b0ffb719e proto kernel scope link src 172.19.0.1
172.20.0.0/16 dev br-6cdaf0002332 proto kernel scope link src 172.20.0.1
172.21.0.0/16 dev br-b60c9a554cb6 proto kernel scope link src 172.21.0.1
172.22.0.0/16 dev br-1e571a8126b1 proto kernel scope link src 172.22.0.1
172.23.0.0/16 dev br-bc4842b18ac4 proto kernel scope link src 172.23.0.1
172.24.0.0/16 dev br-49cabdef17a5 proto kernel scope link src 172.24.0.1
172.25.0.0/16 dev br-613ac5abaf0e proto kernel scope link src 172.25.0.1
172.26.0.0/16 dev br-f570cc4ec2c6 proto kernel scope link src 172.26.0.1
172.27.0.0/16 dev br-6e5eaf3195c8 proto kernel scope link src 172.27.0.1
172.28.0.0/16 dev br-a76e50ac8599 proto kernel scope link src 172.28.0.1
172.29.0.0/16 dev br-e19b4a2bfed2 proto kernel scope link src 172.29.0.1 linkdown
172.30.0.0/16 dev br-a330a087eec6 proto kernel scope link src 172.30.0.1
172.31.0.0/16 dev br-f70f00624722 proto kernel scope link src 172.31.0.1 linkdown
192.168.0.0/20 dev br-b52a427acf16 proto kernel scope link src 192.168.0.1 linkdown
192.168.16.0/20 dev br-9bf2fb61f0ea proto kernel scope link src 192.168.16.1
192.168.20.0/24 via 192.168.40.1 dev eno1
192.168.40.0/21 dev eno1 proto kernel scope link src 192.168.40.15 metric 100
192.168.48.0/20 dev br-a8e137d7106b proto kernel scope link src 192.168.48.1
192.168.80.0/20 dev br-11b664f44f25 proto kernel scope link src 192.168.80.1
192.168.96.0/20 dev br-9dced0f79640 proto kernel scope link src 192.168.96.1
192.168.128.0/20 dev br-2784d20c96fc proto kernel scope link src 192.168.128.1
192.168.144.0/20 dev br-dccfd9d44482 proto kernel scope link src 192.168.144.1
192.168.176.0/20 dev br-c6caea5a1085 proto kernel scope link src 192.168.176.1
192.168.192.0/20 dev br-ab10ecd3890b proto kernel scope link src 192.168.192.1
192.168.208.0/20 dev br-31384cb4ed47 proto kernel scope link src 192.168.208.1
192.168.224.0/20 dev br-c2f5cf0b082c proto kernel scope link src 192.168.224.1 linkdown
192.168.240.0/20 dev br-8b2e8cae59c6 proto kernel scope link src 192.168.240.1

Adding a static route to use the UniFi gateway:

❯ sudo ip route add 192.168.2.0/24 via 192.168.40.1 dev eno1
❯ ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2) 56(84) bytes of data.
64 bytes from 192.168.2.2: icmp_seq=1 ttl=127 time=27.9 ms
64 bytes from 192.168.2.2: icmp_seq=2 ttl=127 time=11.7 ms
64 bytes from 192.168.2.2: icmp_seq=3 ttl=127 time=17.4 ms
^C
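The root cause in the post above is longest-prefix matching: the Docker bridge route 192.168.0.0/20 is more specific than the default route, so replies to 192.168.2.2 are sent into a local bridge instead of to the UniFi gateway. The script below is an added example (not from the thread or from Docker/UniFi): it parses an excerpt of the `ip r` output shown above, reproduces the kernel's route selection for a destination, flags Docker bridge routes that overlap the LAN subnets, and shows that the static route from the follow-up fixes the lookup. The LAN subnet list is an assumption taken from the VLANs named in the question (the "Users" VLAN is assumed to be 192.168.10.0/24).

```python
import ipaddress
import re

# Constructed excerpt of the `ip r` output quoted in the thread (not the full table).
ROUTES = """\
default via 192.168.40.1 dev eno1 proto dhcp src 192.168.40.15 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.0.0/20 dev br-b52a427acf16 proto kernel scope link src 192.168.0.1 linkdown
192.168.16.0/20 dev br-9bf2fb61f0ea proto kernel scope link src 192.168.16.1
192.168.20.0/24 via 192.168.40.1 dev eno1
192.168.40.0/21 dev eno1 proto kernel scope link src 192.168.40.15 metric 100
192.168.48.0/20 dev br-a8e137d7106b proto kernel scope link src 192.168.48.1
"""

# Assumed router-side subnets the host must be able to return traffic to.
LAN_SUBNETS = ["192.168.2.0/24", "192.168.10.0/24", "192.168.20.0/24", "192.168.40.0/24"]

ROUTE_RE = re.compile(r"^(default|\S+)(?: via (\S+))? dev (\S+)")


def parse_routes(text):
    """Return (network, via, dev) tuples from `ip route` text; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst, via, dev = m.groups()
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, via, dev))
    return routes


def lookup(routes, ip):
    """Longest-prefix match, as the kernel does: the most specific matching route wins."""
    addr = ipaddress.ip_address(ip)
    return max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)


def overlapping_routes(routes, lan_subnets, uplink="eno1"):
    """Connected routes on non-uplink devices (Docker bridges) that shadow a LAN subnet."""
    hits = []
    for net, via, dev in routes:
        if dev == uplink or via is not None:
            continue  # uplink and gateway routes are expected; only local bridges are suspect
        for lan in map(ipaddress.ip_network, lan_subnets):
            if net.overlaps(lan):
                hits.append((str(net), dev, str(lan)))
    return hits


def add_static_route(routes, net, via, dev):
    """Model `ip route add NET via VIA dev DEV` without touching the real table."""
    return routes + [(ipaddress.ip_network(net), via, dev)]
```

Docker's `default-address-pools` setting in daemon.json is the usual way to move the bridge ranges off the LAN for good, so no per-subnet static routes are needed.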
