Traceroute behind DMZ not working
-
Hi All,
I unfortunately don't seem to be able to get traceroute to work from the servers behind the DMZ. It works on the computers on the LAN port, and if I use Diagnostics / Traceroute it works for each interface. Ping also works fine.
So here is what I have :
pfsense 2.6.0
WAN
LAN
DMZ
Bridge0 (WAN, DMZ), public IPs on servers, WAN is part of the subnet

Firewall / Rules

WAN
IPv4 pass ICMP any
IPv4 pass TCP/UDP 53 DNS
IPv4 pass TCP 80, 81, 443, 21
IPv4 pass TCP/UDP 25, 110, 143, 465, 993, 995, 587
IPv4 pass TCP/UDP 22, 23, 444, 123

LAN
LAN Address 80 anti-lockout
IPv4 pass LAN net

DMZ
IPv4 pass ICMP any
IPv4 pass TCP/UDP 53 DNS
IPv4 pass TCP 80, 81, 443, 21
IPv4 pass TCP/UDP 25, 110, 143, 465, 993, 995, 587
IPv4 pass TCP/UDP 22, 23, 444, 123

traceroute from behind the DMZ
[0022][bhorne@dilbert:~]$ traceroute www.google.com
traceroute to www.google.com (142.250.189.132), 64 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
From behind the LAN
C:\Users\BBA_Virtual_Test_001>tracert www.google.com

Tracing route to www.google.com [142.250.64.164]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    <1 ms    <1 ms    <1 ms  xxx.xxx.xxx.81 <- gateway
  3     2 ms     1 ms     1 ms  199.26.78.13
  4     4 ms     4 ms     4 ms  208.67.164.196
  5     4 ms     4 ms     4 ms  208.67.164.180
  6     4 ms     4 ms     4 ms  170.55.61.77
  7     5 ms     5 ms     5 ms  108.170.253.17
  8     6 ms     6 ms     5 ms  209.85.244.153
  9     5 ms     5 ms     5 ms  mia09s22-in-f4.1e100.net [142.250.64.164]

Trace complete.
I have even tried to ping the gateway just upstream of the firewall, and when I try from a server behind the DMZ it does not succeed.
How do I fix this issue? Thanks in advance.
-
Linux by default uses UDP for traceroute; have you permitted the UDP range?
Windows uses ICMP. You can switch Linux traceroute to use ICMP with the -I flag:
traceroute -I www.google.com
/Bingo
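Added example, not from the thread and not pfSense code: a small POSIX shell script that replays the DMZ pass rules quoted in the original post against the probe types discussed in this thread (a UDP traceroute probe, an ICMP echo probe as sent by tracert or traceroute -I, and a UDP/53 DNS lookup), then computes the UDP destination port range a classic traceroute run needs. The rule table format, the treatment of ICMP as "any port", and the interface placeholder <dmz_if> are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Simulates first-match evaluation of the
# DMZ pass rules quoted in the original post, then computes the UDP port range
# a classic traceroute run actually needs.

# Constructed copy of the poster's DMZ pass rules, one per line: "proto ports".
# "any" matches every port (used here to model the port-less ICMP rule).
# pfSense evaluates interface rules top-down; the first pass rule wins and
# anything unmatched falls through to the implicit default deny.
DMZ_RULES='
icmp any
tcp 53
udp 53
tcp 80 81 443 21
tcp 25 110 143 465 993 995 587
udp 25 110 143 465 993 995 587
tcp 22 23 444 123
udp 22 23 444 123
'

# probe_allowed PROTO DPORT -> prints "pass" or "block".
# For ICMP (no port) pass any placeholder such as "-".
probe_allowed() {
    proto=$1
    dport=$2
    while read -r rproto rports; do
        [ -z "$rproto" ] && continue
        [ "$rproto" = "$proto" ] || continue
        for p in $rports; do
            if [ "$p" = any ] || [ "$p" = "$dport" ]; then
                echo pass
                return 0
            fi
        done
    done <<EOF
$DMZ_RULES
EOF
    echo block
}

# traceroute_udp_port_range MAX_HOPS NPROBES [BASE]
# Classic UDP traceroute sends NPROBES datagrams per TTL and increments the
# destination port by one for every probe, starting at BASE (33434 unless -p
# is given), so the last port used is BASE + MAX_HOPS*NPROBES - 1.
# FreeBSD's default of 64 hops x 3 probes reaches 33625; Linux's 30 x 3
# stops at 33523.
traceroute_udp_port_range() {
    base=${3:-33434}
    last=$((base + $1 * $2 - 1))
    echo "$base-$last"
}

# tcpdump_filter MAX_HOPS NPROBES -> a capture filter to confirm on the pfSense
# shell (or via Diagnostics > Packet Capture) that the probes reach the DMZ
# interface before the rules drop them.
tcpdump_filter() {
    echo "udp and dst portrange $(traceroute_udp_port_range "$1" "$2")"
}

# Demo against the poster's DMZ rules.
printf 'UDP traceroute probe to 33434: %s\n' "$(probe_allowed udp 33434)"
printf 'ICMP probe (tracert, traceroute -I): %s\n' "$(probe_allowed icmp -)"
printf 'DNS lookup, UDP 53 (works, so only traceroute breaks): %s\n' "$(probe_allowed udp 53)"
printf 'Rule to add on DMZ: IPv4 pass UDP, destination ports %s\n' "$(traceroute_udp_port_range 64 3)"
printf 'Verify: tcpdump -ni <dmz_if> "%s"\n' "$(tcpdump_filter 64 3)"
```

The script shows why ping and DNS from the DMZ work while traceroute does not: the UDP probes land on high ports that no DMZ pass rule covers, so they hit the default deny and every hop prints `* * *`. Either switch the probe to ICMP as the answer above suggests, or add a DMZ pass rule for UDP to the computed range; the range depends on the maximum hop count and probes per hop the client uses, so check those defaults on the actual server rather than assuming a fixed upper port.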
-
@understudy
It's the same. All UNIX-like systems use UDP by default. Destination port range is 33434 to 33534.
-
That worked, thank you. I was going to try and show it, but my reply containing the traceroute was flagged as spam. Interesting. Thank you again for your help.