Desktop box as Wi-Fi router and missing packets on Wi-Fi clients only

My desktop box acts as a Wi-Fi router:

  • xl2tpd to connect to the internet,
  • hostapd, dhcpd, and an iptables POSTROUTING MASQUERADE rule to share it.

And this config works fine.

But one day I tried to run zypper refresh from my laptop and found that it's not possible (zypper waits for an answer for a long time, then a timeout occurs), while from the box it works.
At this point I found:

laptop:~ # curl -v download.opensuse.org/repositories/
* Adding handle: conn: 0xeb5200
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0xeb5200) send_pipe: 1, recv_pipe: 0
* About to connect() to download.opensuse.org port 80 (#0)
*   Trying 195.135.221.134...
* Connected to download.opensuse.org (195.135.221.134) port 80 (#0)
> GET /repositories/ HTTP/1.1
> User-Agent: curl/7.32.0
> Host: download.opensuse.org
> Accept: */*
> 
^C
box:~ # curl -v download.opensuse.org/repositories/
* Adding handle: conn: 0x1584170
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x1584170) send_pipe: 1, recv_pipe: 0
* About to connect() to download.opensuse.org port 80 (#0)
*   Trying 195.135.221.134...
* Connected to download.opensuse.org (195.135.221.134) port 80 (#0)
> GET /repositories/ HTTP/1.1
> User-Agent: curl/7.32.0
> Host: download.opensuse.org
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 23 May 2014 04:55:57 GMT
* Server Apache/2.2.12 (Linux/SUSE) is not blacklisted
< Server: Apache/2.2.12 (Linux/SUSE)
< X-Prefix: 94.230.224.0/20
< X-AS: 29385
< Transfer-Encoding: chunked
< Content-Type: text/html;charset=ISO-8859-1
< 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
 <head>
  <title>Index of /repositories</title>
  <link rel="stylesheet" href="http://st
...
<img src="/icons/folder.png" alt="[DIR]" /> <a href="./zypp:/">zypp:/</a>                  19-Feb-2014 22:26    -   
<hr /></pre>
<address>Apache/2.2.12 (Linux/SUSE) Server at download.opensuse.org Port 80</address>
<br/><address><a href="http://mirrorbrain.org/">MirrorBrain</a> powered by <a href="http://httpd.apache.org/">Apache</a></address>
</body></html>
* Connection #0 to host download.opensuse.org left intact

OK, at this point I thought that it may be the firewall, and it was disabled on both, unfortunately with the same result.

After this I captured tcpdump on both (wlp2s0 on the laptop, ppp0 on the box) and found that the first packets of the response are missing from both dumps, but only when Wi-Fi clients (Android phones too, not only the laptop) try to get anything from download.opensuse.org; from the box it works just fine.

Could someone please help me find and fix this?

PS
download.opensuse.org is the only host I found with this behavior. I think more hosts may be affected, but I haven't found any.

Dumps from both are available at https://drive.google.com/file/d/0B0ihcf3tcFqVdzVCc19yUDVCT3c/edit?usp=sharing
and contain curl and zypper refresh runs from both.

OK, replying to my own topic. First of all: solved.

The first time I used my own iptables rules, with only one rule to masquerade ppp0. The SuSEfirewall2 service was disabled.

Now I have set up SuSEfirewall2 and it just works. A lot of rules and two additional chains. Also 3 rules to masquerade each interface (I don't know what exactly fixes my issue; I will experiment later to find out my first mistake).
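The thread ends without identifying which of SuSEfirewall2's rules made the difference. The following script is an added example, not configuration from the original poster or from SuSEfirewall2: it is the minimal rule set I would review for a box that masquerades a Wi-Fi segment behind a PPP uplink, with the one rule the poster started with (MASQUERADE on ppp0) plus the TCP MSS clamp that is the usual fix for exactly this symptom (large reply segments never reaching NATed clients while the router itself is fine, because PPP links normally have an MTU below 1500 and path-MTU discovery often fails). Interface names (ppp0, wlan0), the 192.168.50.0/24 subnet and the `run`/`router_rules`/`has_mss_clamp` helpers are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal, reviewable rule set
# for a Linux box that masquerades a Wi-Fi segment behind a PPP uplink.
# Interface names and the subnet below are assumptions for this example.
WAN="${WAN:-ppp0}"                    # xl2tpd/PPP uplink (assumed name)
LAN="${LAN:-wlan0}"                   # hostapd access-point interface (assumed name)
LAN_NET="${LAN_NET:-192.168.50.0/24}" # constructed example subnet handed out by dhcpd

# Dry-run by default: print each command so the rule set can be reviewed
# (or tested) without root. Set APPLY=1 to actually execute the commands.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

router_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Forwarding policy: nothing is forwarded unless a rule says so.
    run iptables -P FORWARD DROP
    # LAN clients may open connections towards the uplink ...
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # ... and replies (plus RELATED traffic such as ICMP fragmentation-needed
    # messages belonging to an existing flow) may come back.
    run iptables -A FORWARD -i "$WAN" -o "$LAN" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The single rule the original post started with: source NAT on the uplink.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # A PPP link usually has an MTU below 1500. If a server's first large reply
    # segment does not fit and path-MTU discovery fails, the NATed client never
    # sees that packet, while the router itself is unaffected because its own
    # TCP stack derives its MSS from ppp0's MTU. Clamping the MSS of every
    # forwarded SYN/SYN-ACK to the path MTU keeps segments small enough in
    # both directions.
    run iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

# Check helper: does the generated rule set include MSS clamping?
has_mss_clamp() {
    router_rules | grep -q -- '--clamp-mss-to-pmtu'
}

router_rules
```

Run it as-is to see the commands it would issue; run it as root with `APPLY=1 WAN=ppp0 LAN=wlp2s0 ./router.sh` to apply them. To test the MSS hypothesis on a setup like the poster's, add only the TCPMSS rule to the original one-rule configuration and repeat the curl from a Wi-Fi client; if the first response packet now arrives in the tcpdump on wlp2s0, the clamp was the missing piece.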