Author Topic: Another traceroute issue [SOLVED]  (Read 5684 times)

iverona

  • Level 1 Member
  • *
  • Posts: 4
Another traceroute issue [SOLVED]
« on: June 27, 2012, 08:18:14 AM »

Hi all!!

This is my first message to the forum, so I first want to say thanks for all the valuable information found here :-)

And now, regarding my question, I'm not able to make traceroute work with my DFL, and I think it's related to the rules. My scenario is the following:

<internet> <-----> <DFL800> <-----> <VLAN>

Traffic to the outside is working as I have the NAT rule. Web browsing and ping to the outside work.

But when it comes to traceroute/tracert it does not work. I've the following:

  • System->Advanced->IP Settings->TTL Min set to 0
  • System->Advanced->IP Settings->TTL on Low set to Log

Then, as I've been testing lots of things, I have a new folder with ICMP rules at the top of the rule list with the following contents (vlanSala is the name of one of my VLAN interfaces):

Quote
1  NAT   vlanSala:192.168.4.0/24 wan1,wan2:0.0.0.0/0    "ping-outbound"
2  Allow vlanSala:192.168.4.0/24 core:0.0.0.0/0         "all_icmp"


But trace does not work and I cannot figure out what's wrong... I know it is a common issue, but looking through the forums I didn't find the answer, so, thanks in advance!
« Last Edit: June 28, 2012, 01:46:53 AM by iverona »
Logged

chechito

  • Level 3 Member
  • ***
  • Posts: 193
Re: Another traceroute issue
« Reply #1 on: June 27, 2012, 06:51:12 PM »

Using all-icmp on the rules intended to allow tracerouting is important.

I have TTL Min on 1 and it works OK.

It's important to have created a rule like this:

allow - from source network - source interface - to ip address of firewall on respective interface - interface - allicmp

and

a rule to allow or NAT the all-icmp traffic in the desired direction

That will solve the problem.

I always create this kind of rule independently for every interface and/or source, for example:

to lan interface from lan hosts

to incoming traffic on wan interfaces (if needed)

to incoming traffic from VPN tunnels
Logged
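
The pairing described in this reply (an Allow rule to the firewall itself with all-icmp for each source interface, alongside the Allow/NAT rule for forwarded traffic) can be checked mechanically. The following is an added example, not code from the thread or from D-Link. It assumes rules are written in the listing layout quoted in this thread, that the quoted field is the service name, and that `core` denotes the firewall itself as in iverona's rules; `vlanLab` is a hypothetical interface.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "index action src_if src_net dst_ifs dst_net service")

# Layout of the listings quoted in this thread (an assumption: this is the
# hand-typed forum format, not a NetDefendOS export format).
LINE = re.compile(
    r'^\s*(\d+)\s+(\w+)\s+([\w-]+):(\S+)\s+([\w,-]+):(\S+)\s+"([^"]+)"\s*$'
)

def parse_rules(text):
    """Parse rule lines; a non-blank line that does not match raises ValueError."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        idx, action, src_if, src_net, dst_ifs, dst_net, svc = m.groups()
        # Normalise "all-icmp" / "all_icmp" spellings to one form.
        rules.append(Rule(int(idx), action.lower(), src_if, src_net,
                          tuple(dst_ifs.split(",")), dst_net,
                          svc.lower().replace("-", "_")))
    return rules

def missing_core_icmp(rules):
    """Source interfaces that forward traffic (Allow/NAT to a non-core
    interface) but have no Allow rule to 'core' with the all_icmp service."""
    forwards, answered = set(), set()
    for r in rules:
        if r.action not in ("allow", "nat"):
            continue
        if "core" in r.dst_ifs:
            if r.action == "allow" and r.service == "all_icmp":
                answered.add(r.src_if)
        else:
            forwards.add(r.src_if)
    return sorted(forwards - answered)

# Constructed samples: POSTED is the rule set quoted in this thread; WITH_GAP
# adds a hypothetical interface (vlanLab) that has no rule to core.
POSTED = '''
1  NAT   vlanSala:192.168.4.0/24 wan1,wan2:0.0.0.0/0    "ping-outbound"
2  Allow vlanSala:192.168.4.0/24 core:0.0.0.0/0         "all_icmp"
'''
WITH_GAP = POSTED + '3  NAT   vlanLab:192.168.5.0/24 wan1:0.0.0.0/0    "all-icmp"\n'

if __name__ == "__main__":
    print(missing_core_icmp(parse_rules(POSTED)))
    print(missing_core_icmp(parse_rules(WITH_GAP)))
```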

iverona

  • Level 1 Member
  • *
  • Posts: 4
Re: Another traceroute issue
« Reply #2 on: June 28, 2012, 12:31:56 AM »

Hi chechito,

thanks for your answer. Don't ask me why, but when I arrived this morning, using the very same rules as yesterday... traceroute is working  ??? The only thing I did was restart the laptop where I did all the testing.

Just to clarify for myself, when does "core" need to be used? For ping to work on local interfaces, as the DFL is the one that has to answer?

Same rules as yesterday are used:

Code:
1  NAT   vlanSala:192.168.4.0/24 wan1,wan2:0.0.0.0/0    "ping-outbound"
2  Allow vlanSala:192.168.4.0/24 core:0.0.0.0/0         "all_icmp"

Thanks for your reply!! Now I've to start dealing with Traffic Shaping :-)
Logged

chechito

  • Level 3 Member
  • ***
  • Posts: 193
Re: Another traceroute issue
« Reply #3 on: June 28, 2012, 09:39:39 PM »

Quote
Just to clarify for myself, when does "core" need to be used? For ping to work on local interfaces, as the DFL is the one that has to answer?

Thanks for your reply!! Now I've to start dealing with Traffic Shaping :-)


I think core applies because when tracerouting gets a TTL 0 packet on any firewall interface, the firewall itself has to answer the query.

Good luck with traffic shaping.
Logged