Overriding outgoing TTL
-
I have a device in my LAN I'd like to connect to through a NAT/port forward, but it sets outgoing TTL=3, ostensibly to prevent this. After some digging I found I could get it to work by manually editing a line in /etc/inc/filter.inc as follows, assuming scrubbing is not disabled:

    if (!isset($config['system']['disablescrub'])) { $scrubrules .= "scrub on \${$scrubcfg['descr']} all {$scrubnodf} {$scrubrnid} {$mssclamp} fragment reassemble\n"; // reassemble all directions

Edit to:

    if (!isset($config['system']['disablescrub'])) { $scrubrules .= "scrub on \${$scrubcfg['descr']} all min-ttl 64 {$scrubnodf} {$scrubrnid} {$mssclamp} fragment reassemble\n"; // reassemble all directions

Is there a better way to do this? Will this get overwritten on the next upgrade? The only other thread I could find on this is from 2006.
-
No, because adjusting the TTL is generally frowned upon.
Use a VPN and not NAT/port forward and you'll have better security and fewer hops; it shouldn't take any hacking.
Or perhaps a reverse proxy like HAProxy if it's TCP and it absolutely must be available publicly.
-
It is TCP and I think HAProxy will work well for this, thanks. I was trying to avoid the network overhead associated with IPsec.
For my education, why is "hacking" TTL not advised? Unintended ill network effects?
-
TTL is reduced by one for each hop to prevent looping. Eventually the TTL drops to nothing and the packet is dropped. By increasing the TTL you open the possibility of a potential loop that could never stop.
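The following is an added simulation, not code from the thread or from pfSense, that models the two situations discussed above: the device's TTL=3 packet dying before it leaves the LAN (and being rescued by a `min-ttl 64` rewrite on the first router, as in the filter.inc edit from the first post), and a routing loop that TTL normally terminates but that a `min-ttl` rewrite inside the loop keeps alive indefinitely. Router names, the topologies and the hop limit are constructed for the example; the TTL handling follows pf's behaviour of raising the TTL to the `min-ttl` value on receipt and then decrementing it when forwarding.

```python
"""Model TTL decrement per hop, with an optional pf-style "scrub ... min-ttl N" rewrite.

All topologies and router names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Router:
    name: str
    next_hop: Optional[str]   # None: this router delivers to the final destination
    min_ttl: int = 0          # 0: TTL untouched; N > 0 emulates "scrub ... min-ttl N"


def forward(ttl: int, routers: Dict[str, Router], first_hop: str,
            hop_limit: int = 1000) -> Tuple[str, int]:
    """Walk a packet through the routers; return (outcome, hops traversed).

    outcome is "delivered", "ttl_exceeded" (packet dropped because TTL hit 0)
    or "looping" (hop_limit reached without either; i.e. the loop never ends).
    """
    current = first_hop
    hops = 0
    while hops < hop_limit:
        r = routers[current]
        # pf scrub min-ttl: raise the TTL on receipt if it is below the floor
        if r.min_ttl and ttl < r.min_ttl:
            ttl = r.min_ttl
        ttl -= 1                      # normal per-hop decrement when forwarding
        hops += 1
        if ttl <= 0:
            return "ttl_exceeded", hops
        if r.next_hop is None:
            return "delivered", hops
        current = r.next_hop
    return "looping", hops


def nat_path(edge_min_ttl: int) -> Tuple[str, int]:
    """Device sends with TTL=3 through four routers; r1 is the NAT/edge box."""
    routers = {
        "r1": Router("r1", "r2", edge_min_ttl),
        "r2": Router("r2", "r3"),
        "r3": Router("r3", "r4"),
        "r4": Router("r4", None),
    }
    return forward(3, routers, "r1")


def routing_loop(loop_min_ttl: int) -> Tuple[str, int]:
    """Misconfigured route r1 -> r2 -> r3 -> r1; a normal TTL=64 packet dies after 64 hops."""
    routers = {
        "r1": Router("r1", "r2", loop_min_ttl),
        "r2": Router("r2", "r3"),
        "r3": Router("r3", "r1"),
    }
    return forward(64, routers, "r1", hop_limit=10_000)


if __name__ == "__main__":
    print("TTL=3 across 4 hops, no rewrite:      ", nat_path(0))     # ('ttl_exceeded', 3)
    print("TTL=3 across 4 hops, min-ttl 64 on r1:", nat_path(64))    # ('delivered', 4)
    print("routing loop, no rewrite:             ", routing_loop(0)) # ('ttl_exceeded', 64)
    print("routing loop, min-ttl 64 inside loop: ", routing_loop(64))# ('looping', 10000)
```

The second pair of results is the point of the answer above: TTL is the only thing that guarantees a mis-routed packet eventually dies, and a router that keeps resetting it removes that guarantee for every packet that passes through it, not just the ones from the device in question.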