Dear all,

(I've seen some earlier posts about problems with doing a traceroute through m0n0wall, but couldn't find a solution.)

I'm having problems when using traceroute from my internal network to a host on the Internet. My setting of the m0n0wall box (v 1.32) is as follows:

LAN: 10.0.0.0/24
DMZ: 10.0.1.0/24
WAN: 10.0.10.0/24

The next hop after the m0n0wall box towards the Internet is the router I got from the ISP; it has IP address 10.0.10.1. Both the m0n0wall and that router perform NAT.

I'm using traceroute with the -I option (using ICMP), as UDP does not appear to work at all (I get only an answer from the m0n0wall box in that case).

When doing a traceroute to a host in the DMZ, it works well:

$ traceroute -I 10.0.1.2
traceroute to 10.0.1.2 (10.0.1.2), 64 hops max, 72 byte packets
 1  10.0.0.1 (10.0.0.1)  1.840 ms  0.327 ms  0.402 ms
 2  10.0.1.2 (10.0.1.2)  0.401 ms  0.355 ms  0.328 ms

When doing a traceroute to the ISP router, it also works:

$ traceroute -I 10.0.10.1
traceroute to 10.0.10.1 (10.0.10.1), 64 hops max, 72 byte packets
 1  10.0.0.1 (10.0.0.1)  0.504 ms  0.244 ms  0.249 ms
 2  10.0.10.1 (10.0.10.1)  1.138 ms  0.700 ms  0.738 ms

However, when doing a traceroute to any host on the Internet, I get the following:

$ traceroute -I www.google.com
traceroute to www.l.google.com (173.194.69.105), 64 hops max, 72 byte packets
 1  10.0.0.1 (10.0.0.1)  0.505 ms  0.245 ms  0.346 ms
 2  * * *
etc.

That seems strange: why isn't the ISP router recognized any longer in this case, as it was in the case above? I'd expect that box to be recognized by traceroute.

Doing a traceroute from the m0n0wall Diagnostics works (some IP addresses omitted for privacy reasons):

traceroute to www.l.google.com (173.194.35.52), 18 hops max, 40 byte packets
 1  10.0.10.1  0.640 ms  0.579 ms  0.534 ms
 2  u.v.x.z  24.586 ms  24.456 ms  25.431 ms
 3  u.v.x.z  29.766 ms  30.716 ms  31.769 ms
...
12  173.194.35.52  41.286 ms  41.245 ms  40.634 ms

m0n0wall is configured to not block anything from the LAN towards the WAN, so I really don't understand why this doesn't work - especially as doing the traceroute from the Diagnostics works perfectly (I therefore exclude the ISP router as the problem) and doing the traceroute to the ISP router also shows that traceroute apparently "gets through" the m0n0wall box. The only difference when doing the scan from the internal network is that NAT is performed twice, but I cannot see how this can be the problem.

I'm grateful for any help!

Yours
Marc
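As an added example (not part of Marc's post and not m0n0wall code), the following Python script parses the traceroute output quoted above, reports the first TTL at which every probe goes unanswered, and lines the LAN trace up against the trace taken from the firewall itself, so the router that answers the firewall but stays silent for LAN clients can be named. The trace text is retyped from the post (the hops the poster redacted are kept as `u.v.x.z`); the TTL offset used in `diagnose` assumes the firewall is always hop 1 of a LAN trace, as it is in every trace in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the traces quoted in the post, retyped in the
# layout traceroute prints. "u.v.x.z" stands for hops the poster redacted.
LAN_TRACE_TO_ISP = """\
traceroute to 10.0.10.1 (10.0.10.1), 64 hops max, 72 byte packets
 1  10.0.0.1 (10.0.0.1)  0.504 ms  0.244 ms  0.249 ms
 2  10.0.10.1 (10.0.10.1)  1.138 ms  0.700 ms  0.738 ms
"""

LAN_TRACE_TO_GOOGLE = """\
traceroute to www.l.google.com (173.194.69.105), 64 hops max, 72 byte packets
 1  10.0.0.1 (10.0.0.1)  0.505 ms  0.245 ms  0.346 ms
 2  * * *
 3  * * *
"""

FIREWALL_TRACE_TO_GOOGLE = """\
traceroute to www.l.google.com (173.194.35.52), 18 hops max, 40 byte packets
 1  10.0.10.1  0.640 ms  0.579 ms  0.534 ms
 2  u.v.x.z  24.586 ms  24.456 ms  25.431 ms
 3  u.v.x.z  29.766 ms  30.716 ms  31.769 ms
12  173.194.35.52  41.286 ms  41.245 ms  40.634 ms
"""


@dataclass
class Hop:
    ttl: int
    host: Optional[str]                       # None when no probe was answered
    rtts_ms: List[float] = field(default_factory=list)

    @property
    def silent(self) -> bool:
        return self.host is None


_HOP_LINE = re.compile(r"^\s*(\d+)\s+(.+)$")       # "<ttl>  <rest of hop line>"
_RTT = re.compile(r"(\d+(?:\.\d+)?)\s*ms")         # one round-trip time


def parse_traceroute(text: str) -> List[Hop]:
    """Parse BSD/Linux traceroute output into Hop records.

    The "traceroute to ..." header does not start with a digit and is skipped.
    A hop whose probes all timed out ("* * *") is stored with host=None; when
    only some probes timed out, the first answering host is kept.
    """
    hops: List[Hop] = []
    for line in text.splitlines():
        m = _HOP_LINE.match(line)
        if not m:
            continue
        ttl, rest = int(m.group(1)), m.group(2)
        answered = [tok for tok in rest.split() if tok != "*"]
        if not answered:
            hops.append(Hop(ttl, None))
            continue
        hops.append(Hop(ttl, answered[0], [float(x) for x in _RTT.findall(rest)]))
    return hops


def first_silent_hop(hops: List[Hop]) -> Optional[int]:
    """TTL of the first hop that answered no probe, or None if every hop answered."""
    return next((h.ttl for h in hops if h.silent), None)


def diagnose(lan_hops: List[Hop],
             firewall_hops: List[Hop]) -> Optional[Tuple[int, Optional[str]]]:
    """Relate a LAN trace that goes silent to the firewall's own trace.

    Assumption: the firewall is hop 1 of the LAN trace, so LAN TTL n reaches
    the same router as firewall TTL n-1. Returns (silent LAN TTL, host that
    answered the firewall at that distance), or None if the LAN trace never
    went silent.
    """
    ttl = first_silent_hop(lan_hops)
    if ttl is None:
        return None
    peer = next((h for h in firewall_hops if h.ttl == ttl - 1), None)
    return ttl, (peer.host if peer else None)


if __name__ == "__main__":
    lan = parse_traceroute(LAN_TRACE_TO_GOOGLE)
    fw = parse_traceroute(FIREWALL_TRACE_TO_GOOGLE)
    print("LAN -> ISP router, first silent TTL:",
          first_silent_hop(parse_traceroute(LAN_TRACE_TO_ISP)))
    print("LAN -> google, (silent TTL, host the firewall sees there):",
          diagnose(lan, fw))
```

Run stand-alone, the script shows that the trace to the ISP router never goes silent, while the Internet trace goes silent at LAN TTL 2, the distance at which the firewall's own trace is answered by 10.0.10.1. Comparing the two traces this way pins down which device's reply the LAN clients are not receiving, which is the first thing to check before looking at the firewall's NAT or filter rules.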