 From:  Michael Sierchio <kudzu at tenebras dot com>
 To:  "Rennhard Marc (rema)" <rema at zhaw dot ch>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Strange traceroute behaviour
 Date:  Sat, 28 Jan 2012 09:49:49 -0800
On Sat, Jan 28, 2012 at 7:40 AM, Rennhard Marc (rema) <rema at zhaw dot ch> wrote:

> m0n0wall is configured to not block anything from the LAN towards the WAN, so I really don't
> understand why this doesn't work - especially as doing the traceroute from the Diagnostics works
> perfectly (I therefore exclude the ISP router as the problem) and doing the traceroute to the ISP
> router also shows that traceroute apparently "gets through" the m0n0wall box. The only difference
> when doing the scan from the internal network is that NAT is performed twice, but I cannot see how
> this can be the problem.

That is probably the problem.  Do you understand how traceroute works?
It sends a UDP packet to a (presumably) closed port with a low TTL,
then increases the TTL with each round.  The router receiving a packet
that would expire sends an ICMP TTL-exceeded packet to the originator.
This ICMP message contains the header and a few bytes of payload from
the original packet, which is how the error message gets routed back
to the traceroute program.  Double NAT can cause this to fail (getting
the ICMP error message to the originating process).

- M
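The mechanism Michael describes, as an added worked example (it is not code from the thread, from m0n0wall, or from the ISP router): a traceroute UDP probe goes out through one or two port-translating NATs, its TTL expires at a router that quotes the probe's IP header plus 8 bytes of UDP header inside an ICMP Time Exceeded, and each NAT on the way back has to recognise that quoted header, rewrite it to the inside address and port, and forward the error to the right host. The addresses, port numbers and the simplified NAT model (NAPT on UDP only, no TTL decrement at the NATs, UDP checksum left at zero) are assumptions made for the example.

```python
import socket
import struct

# Constructed addresses for this example; they are not from the thread.
LAN_HOST, LAN_PORT = "192.168.1.10", 40000   # LAN host and its traceroute UDP socket
INNER_PUB = "10.0.0.2"                        # m0n0wall WAN side, itself private (behind the ISP router)
OUTER_PUB = "203.0.113.5"                     # ISP router's public address
TARGET = "198.51.100.7"                       # traceroute destination
HOP = "192.0.2.1"                             # router at which the probe's TTL expires


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_header(src: str, dst: str, proto: int, ttl: int, total_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def rewrite_udp_src(pkt: bytes, new_ip: str, new_port: int) -> bytes:
    """Rewrite source IP and UDP source port; works on a full packet or on the 28-byte quote in an ICMP error."""
    hdr = pkt[:12] + socket.inet_aton(new_ip) + pkt[16:20]
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + struct.pack("!H", new_port) + pkt[22:]


def build_probe(ttl: int, dport: int = 33434, payload: bytes = b"\x00" * 32) -> bytes:
    """A traceroute probe: UDP to a high, presumably closed port, with a limited TTL."""
    udp = struct.pack("!HHHH", LAN_PORT, dport, 8 + len(payload), 0) + payload
    return ip_header(LAN_HOST, TARGET, 17, ttl, 20 + len(udp)) + udp


def build_time_exceeded(router: str, expired: bytes) -> bytes:
    """ICMP type 11 code 0: quotes the expired packet's IP header plus the first 8 bytes of its payload (RFC 792)."""
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + expired[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ip_header(router, socket.inet_ntoa(expired[12:16]), 1, 64, 20 + len(icmp)) + icmp


class Nat:
    """Port-translating NAT for UDP. translate_embedded=False models a box that maps the
    outer header of an ICMP error but leaves the quoted packet inside it untouched."""

    def __init__(self, public_ip: str, translate_embedded: bool = True, first_port: int = 50000):
        self.public_ip = public_ip
        self.translate_embedded = translate_embedded
        self.next_port = first_port
        self.table = {}   # outside port -> (inside ip, inside port)

    def outbound(self, pkt: bytes) -> bytes:
        src = socket.inet_ntoa(pkt[12:16])
        sport = struct.unpack("!H", pkt[20:22])[0]
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (src, sport)
        return rewrite_udp_src(pkt, self.public_ip, port)

    def inbound_icmp(self, pkt: bytes):
        """Map an ICMP error back to the inside host via the quoted header, or return None (dropped)."""
        if len(pkt) < 50 or pkt[9] != 1 or pkt[20] != 11:
            return None
        quoted = pkt[28:]
        q_src = socket.inet_ntoa(quoted[12:16])
        q_sport = struct.unpack("!H", quoted[20:22])[0]
        entry = self.table.get(q_sport) if q_src == self.public_ip else None
        if entry is None:
            return None          # no matching state: the error is silently discarded
        inside_ip, inside_port = entry
        outer = ip_header(socket.inet_ntoa(pkt[12:16]), inside_ip, 1, pkt[8], len(pkt))
        if self.translate_embedded:
            quoted = rewrite_udp_src(quoted, inside_ip, inside_port)
        icmp = pkt[20:22] + b"\x00\x00" + pkt[24:28] + quoted
        icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
        return outer + icmp


def run_hop(nats):
    """Send one probe out through the NAT chain (LAN side first), let it expire at HOP and carry the
    error back. Returns the (src ip, src port) quoted in the error as the LAN host sees it, or None
    if a NAT dropped it. TTL decrementing is omitted; the probe is assumed to expire at HOP."""
    pkt = build_probe(ttl=len(nats) + 1)
    for nat in nats:
        pkt = nat.outbound(pkt)
    reply = build_time_exceeded(HOP, pkt)
    for nat in reversed(nats):
        reply = nat.inbound_icmp(reply)
        if reply is None:
            return None
    quoted = reply[28:]
    return socket.inet_ntoa(quoted[12:16]), struct.unpack("!H", quoted[20:22])[0]


def reply_matches_socket(nats) -> bool:
    """The host only hands the error to traceroute if the quoted source matches its socket."""
    return run_hop(nats) == (LAN_HOST, LAN_PORT)


if __name__ == "__main__":
    cases = {
        "single NAT": [Nat(INNER_PUB)],
        "double NAT, both fix the quoted header": [Nat(INNER_PUB), Nat(OUTER_PUB)],
        "double NAT, outer one does not": [Nat(INNER_PUB), Nat(OUTER_PUB, translate_embedded=False)],
        "single NAT that does not": [Nat(INNER_PUB, translate_embedded=False)],
    }
    for name, chain in cases.items():
        print(f"{name:42s} quoted={run_hop(chain)} delivered={reply_matches_socket(chain)}")
```

Two failure modes fall out of the model. If the outer NAT rewrites only the outer IP header, the inner NAT sees a quoted source it never created a mapping for and drops the error, so traceroute prints `*` for that hop. If a single NAT makes the same mistake, the error does reach the LAN host but quotes the NAT's own address and port, so the host cannot match it to traceroute's socket and the result is the same. Running the trace from the firewall itself, as Marc did from the Diagnostics page, skips the inner NAT entirely, which is why it can work while a trace from a LAN host does not.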