[dgbaley27]

Hey. I'm using an rpi2 as an OpenVPN bridge, so I have ip_forwarding enabled and a MASQUERADE target for packets leaving the tun interface. I have an entry in /etc/sysctl.d, rules in /etc/iptables/iptables.rules, and iptables.service enabled which calls iptables-restore.

I found this old thread which may be related. At first glance, on my system, ip_forwarding isn't working. Eventually I realized it stops working after iptables rules are reloaded.

A fix is simply to disable (write 0 to ip_forward) and then re-enable (write 1). I haven't encountered this issue on any other system, so I don't know if it's a race condition that I'm only seeing now on the pi, or there's something specific to this system.

[dgbaley27]

Turns out to be a systemd change that's "under documented". IPForward=yes is required in *.network files now.

[Geoff]

Thank you for this. It was driving me crazy a couple of weeks ago, as I too was using my cubox as a vpn/wifi/ethernet router and it stopped routing.

[dgbaley27]

No problem. I'll add here for completeness that the ip_forward sysctl setting is not needed in addition to the per-device settings; AFAIK it's equivalent to setting conf/all/forwarding and conf/default/forwarding to on. But now netword is setting conf/<DEV>/forwarding individually.