As can be seen in /var/log/ulogd/syslog.log:
    ncredir4001 ulogd[967151]: [fw-in-drop] IN=ens13 OUT= MAC=aa:00:00:39:c6:fc:84:16:0c:df:11:70:86:dd SRC=100::fd1f:0 DST=2620:0:863:101:10:128:0:32 LEN=108 TC=0 HOPLIMIT=54 FLOWLBL=0 PROTO=41 MARK=0x0
    ncredir4001 ulogd[967151]: [fw-in-drop] IN=ens13 OUT= MAC=aa:00:00:39:c6:fc:84:16:0c:df:11:70:08:00 SRC=172.16.224.11 DST=10.128.0.32 LEN=60 TOS=00 PREC=0x00 TTL=56 ID=0 DF PROTO=4 MARK=0x0
the host firewall was stopping ncredir from being able to serve inbound traffic via IPIP/IP6IP6 tunnels.
Due to ipip-multiqueue-optimizer, the source address on IPv4 is going to be 172.16/10 and 0100::/64 for IPv6:
    // RFC1918: we are going to use 172.16/10 as our src (4268 is 172.16 in BE)
    // for ipip header
    #define IPIP_V4_PREFIX 4268
    // RFC 6666: we are going to use 0100::/64 discard prefix as our src
    // for ip(6)ip6 header
    #define IPIP_V6_PREFIX1 1
    #define IPIP_V6_PREFIX2 0
    #define IPIP_V6_PREFIX3 0
On IPIP (IPv4) packets, proto is set to 4 (ipencap), and on IP6IP6 packets it is set to 41 (IPv6). Unless we inspect the inner headers, the source and destination ports are 0.
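A triage sketch for the drops described above, added here as an example and not part of the original text: it parses ulogd lines in the format shown and counts dropped packets whose outer protocol and source prefix match the tunnel encapsulation. The function names and the third sample line are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Outer-header source prefixes as written above. strict=False is needed
# because "172.16/10" has host bits set for a /10 mask.
TUNNEL_SOURCES = {
    4: ("IPIP", ipaddress.ip_network("172.16.0.0/10", strict=False)),
    41: ("IP6IP6", ipaddress.ip_network("100::/64")),
}
LINE_RE = re.compile(r"ulogd\[\d+\]: \[(?P<prefix>[^\]]+)\] (?P<fields>.*)")

# First two lines are the ones quoted above; the third is constructed.
SAMPLE = [
    "ncredir4001 ulogd[967151]: [fw-in-drop] IN=ens13 OUT= MAC=aa:00:00:39:c6:fc:84:16:0c:df:11:70:86:dd SRC=100::fd1f:0 DST=2620:0:863:101:10:128:0:32 LEN=108 TC=0 HOPLIMIT=54 FLOWLBL=0 PROTO=41 MARK=0x0",
    "ncredir4001 ulogd[967151]: [fw-in-drop] IN=ens13 OUT= MAC=aa:00:00:39:c6:fc:84:16:0c:df:11:70:08:00 SRC=172.16.224.11 DST=10.128.0.32 LEN=60 TOS=00 PREC=0x00 TTL=56 ID=0 DF PROTO=4 MARK=0x0",
    "ncredir4001 ulogd[967151]: [fw-in-drop] IN=ens13 OUT= SRC=192.0.2.10 DST=10.128.0.32 LEN=60 TTL=56 ID=0 DF PROTO=TCP SPT=40000 DPT=22 MARK=0x0",
]

def parse_ulogd(line):
    """Return (log_prefix, fields) for a ulogd syslog line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else ""   # bare flags such as DF
    return m.group("prefix"), fields

def classify(line):
    """Return "IPIP" or "IP6IP6" for a dropped tunnel packet, else None."""
    parsed = parse_ulogd(line)
    if parsed is None or "drop" not in parsed[0]:
        return None
    try:
        proto = int(parsed[1]["PROTO"])
        src = ipaddress.ip_address(parsed[1]["SRC"])
    except (KeyError, ValueError):
        return None   # named protocol (TCP, UDP, ...) or malformed line
    name, net = TUNNEL_SOURCES.get(proto, (None, None))
    if net is None or src.version != net.version or src not in net:
        return None
    return name

def summarize(lines):
    """Count dropped tunnel packets per encapsulation type."""
    return Counter(t for t in map(classify, lines) if t)
```
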