(I've seen some earlier posts about problems with doing a traceroute through m0n0wall, but couldn't
find a solution.)
I'm having problems when using traceroute from my internal network to host in the Internet. My
setting of the m0n0wall box (v 1.32) is as follows:
WAN : 10.0.10.0/24
The next hop after the m0n0wall box towards the Internet is the router I got from the ISP, it has IP
address 10.0.10.1. Both the m0n0wall and that router perform NAT.
I'm using traceroute with the -I option (using ICMP) as UDP does not appear to work at all (I get
only an answer from the m0n0wall box in that case).
When doing a traceroute to a host in the DMZ, it works well:
$ traceroute -I 10.0.1.2
traceroute to 10.0.1.2 (10.0.1.2), 64 hops max, 72 byte packets
1 10.0.0.1 (10.0.0.1) 1.840 ms 0.327 ms 0.402 ms
2 10.0.1.2 (10.0.1.2) 0.401 ms 0.355 ms 0.328 ms
When doing a traceroute to the ISP router, it also works:
$ traceroute -I 10.0.10.1
traceroute to 10.0.10.1 (10.0.10.1), 64 hops max, 72 byte packets
1 10.0.0.1 (10.0.0.1) 0.504 ms 0.244 ms 0.249 ms
2 10.0.10.1 (10.0.10.1) 1.138 ms 0.700 ms 0.738 ms
However, when doing a traceroute to any host in the Internet, I get the following:
$ traceroute -I www.google.com
traceroute to www.l.google.com (184.108.40.206), 64 hops max, 72 byte packets
1 10.0.0.1 (10.0.0.1) 0.505 ms 0.245 ms 0.346 ms
2 * * *
That seems strange: why isn't the ISP router recognized any longer in this case as it was in the
case above? I'd expect that box to be recognized by traceroute.
Doing a traceroute from the m0nowall Diagnostics works (some IP addresses omitted for privacy
traceroute to www.l.google.com (220.127.116.11), 18 hops max, 40 byte packets
1 10.0.10.1 0.640 ms 0.579 ms 0.534 ms
2 u.v.x.z 24.586 ms 24.456 ms 25.431 ms
3 u.v.x.z 29.766 ms 30.716 ms 31.769 ms
12 18.104.22.168 41.286 ms 41.245 ms 40.634 ms
m0n0wall is configured to not block anything from the LAN towards the WAN, so I really don't
understand why this doesn't work - especially as doing the traceroute from the Diagnostics works
perfectly (I therefore exclude the ISP router to be the problem) and doing the traceroute to the ISP
router also shows that traceroute apparently "gets through" the m0n0wall box.The only difference
when doing the scan from the internal network is that NAT is performed twice, but I cannot see how
this can be the problem.
I'm grateful for any help!