PfSense does not show itself on traceroute
-
Hi.
I've got a routing problem on my work's network and I'm trying to diagnose it using the traceroute command on my Linux workstation.
Here, for example, is the route to Google Public DNS ( 8.8.8.8 ):
# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  187.86.158.121 (187.86.158.121)  0.506 ms  0.570 ms  0.623 ms
 4  172.21.1.133 (172.21.1.133)  2.102 ms  2.087 ms  2.090 ms
 5  172.22.100.137 (172.22.100.137)  2.086 ms  2.082 ms  2.075 ms
 6  172.22.100.121 (172.22.100.121)  2.071 ms  1.573 ms  1.539 ms
 7  ip-187-86-128-93.vetorialnet.com.br (187.86.128.93)  1.451 ms  1.231 ms  1.289 ms
 8  177-101-203-189.static.stech.net.br (177.101.203.189)  7.230 ms  7.273 ms  7.433 ms
 9  xgborder-rs-pae-01-xe-0-0-0.3300.stech.net.br (200.152.253.252)  7.471 ms  7.534 ms  7.580 ms
10  * * *
11  108.170.245.129 (108.170.245.129)  28.363 ms 108.170.245.161 (108.170.245.161)  28.375 ms  28.358 ms
12  216.239.56.47 (216.239.56.47)  28.018 ms 216.239.56.59 (216.239.56.59)  28.026 ms 66.249.94.223 (66.249.94.223)  28.138 ms
13  google-public-dns-a.google.com (8.8.8.8)  27.591 ms  27.536 ms  27.729 ms
I suppose 1 is my router (an HP 5510 level 2/3 switch) and 2 is my firewall (a pfSense virtual machine inside a Xen hypervisor). 3 for sure is my ISP's gateway.
That route is correct, but I don't know why 1 and 2 aren't showing themselves on the route.
Regarding my router, googling I found that Cisco routers don't answer traceroute by default, and that should be enabled using ACLs. I'm going to investigate if that is the same for HP routers.
Could you please help me with pfSense?
Thank you in advance!
-
What are your firewall rules?
Do you allow ICMP? -
> What are your firewall rules?
> Do you allow ICMP?

I've added rules on both WAN and LAN interfaces to pass IPv4 ICMP any, from any source to any destination, but nothing changed.
I think that since those rules are on top, they should be processed first and ICMP packages should be allowed.
Are all my rules really needed? I would need to ask my boss permission to post them here. Probably I could send you in private.
-
I solved the HP part, running the following on the switch CLI:
******************************************************************************
* Copyright (c) 2010-2016 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
<HP>system-view
System View: return to User View with Ctrl+Z.
[HP]ip ttl-expires enable
[HP]ip unreachables enable
[HP]
Reference: https://community.hpe.com/t5/Switches-Hubs-and-Modems/Troubles-with-traceroute-in-Switch-HP-5500g/td-p/5880679
Now, tracing the route to Google Public DNS ( 8.8.8.8 ) my router appears:
# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  10.100.132.1 (10.100.132.1)  0.551 ms  0.773 ms  0.940 ms
 2  * * *
 3  187.86.158.121 (187.86.158.121)  6.439 ms  6.440 ms  6.437 ms
 4  172.21.1.133 (172.21.1.133)  7.674 ms  7.676 ms  7.672 ms
 5  172.22.100.137 (172.22.100.137)  7.667 ms  7.663 ms  7.659 ms
 6  172.22.100.121 (172.22.100.121)  7.654 ms  2.738 ms  2.578 ms
 7  ip-187-86-128-93.vetorialnet.com.br (187.86.128.93)  2.638 ms  2.641 ms  3.039 ms
 8  177-101-203-189.static.stech.net.br (177.101.203.189)  8.913 ms  9.578 ms  10.419 ms
 9  xgborder-rs-pae-01-xe-0-0-0.3300.stech.net.br (200.152.253.252)  11.026 ms  11.136 ms  11.506 ms
10  * * *
11  108.170.245.161 (108.170.245.161)  37.144 ms 108.170.245.129 (108.170.245.129)  36.718 ms *
12  209.85.242.119 (209.85.242.119)  36.232 ms * 72.14.238.221 (72.14.238.221)  36.333 ms
13  google-public-dns-a.google.com (8.8.8.8)  55.787 ms  55.838 ms  55.688 ms
Maybe there is something like ttl-expires and/or unreachables for pfSense?