local adapter ping TTL
-
Hello,
Can anybody tell me why the TTL decreases when I ping a local adapter in pfSense?
Where is the hop in this traffic? (I tried defining the local adapter as the source; same result.) If I ping another host IP, the TTL is normal (-1 hop).
(see pictures)
Thanks,
-
@ierdelyi that would be related to the default ttl. Different OSes or different use cases might use a different default ttl.
The default ttl for freebsd is 64
[22.05-RELEASE][admin@sg4860.local.lan]/root: sysctl net.inet.ip.ttl
net.inet.ip.ttl: 64
[22.05-RELEASE][admin@sg4860.local.lan]/root:
But where you're pinging might have a different one, and it sends back a different ttl in the response.
Now look when I do it the other way, from my windows machine that uses a 128 default ttl.
9.100 is my windows machine, and 9.253 is pfsense.
So for example pinging my nas that is on the same network as my pc, its default ttl is like pfsense 64, since it's running a linux based OS.
[22.05-RELEASE][admin@sg4860.local.lan]/root: ping 192.168.9.10
PING 192.168.9.10 (192.168.9.10): 56 data bytes
64 bytes from 192.168.9.10: icmp_seq=0 ttl=64 time=0.658 ms
64 bytes from 192.168.9.10: icmp_seq=1 ttl=64 time=0.281 ms
64 bytes from 192.168.9.10: icmp_seq=2 ttl=64 time=0.296 ms
Notice my printer uses a 255 ttl
[22.05-RELEASE][admin@sg4860.local.lan]/root: ping 192.168.2.50
PING 192.168.2.50 (192.168.2.50): 56 data bytes
64 bytes from 192.168.2.50: icmp_seq=0 ttl=255 time=1.355 ms
64 bytes from 192.168.2.50: icmp_seq=1 ttl=255 time=1.294 ms
If I ping it from my pc, where there is a hop, notice it's 254
C:\>ping 192.168.2.50
Pinging 192.168.2.50 with 32 bytes of data:
Reply from 192.168.2.50: bytes=32 time=1ms TTL=254
Reply from 192.168.2.50: bytes=32 time=1ms TTL=254
Reply from 192.168.2.50: bytes=32 time=1ms TTL=254
-
@johnpoz
Oh, thank you.
Now this is clear! It starts from 64.
-
@ierdelyi glad I could be of help - yeah a ttl would be from the sender of the traffic.. So for example same goes with a tcp connection.. See how windows uses a 128 ttl, and freebsd (pfsense) uses a 64. If I make a tcp connection, the ttl that comes back is what the destination box sends..
Notice here is an iperf connection to pfsense... Notice windows sends 128, but pfsense sends a 64 in the response..
So in the syn, from 9.100 to 9.253 port 5201 the ttl is 128, but in the syn,ack pfsense sends back the ttl is 64
edit: BTW loved this question, well documented on exactly what you were asking about, showing exactly what your question was on, etc. Maybe should be in the off topic general section, but this section works because it is related to something you were seeing on pfsense.. I wish all questions were asked this way with clear and precise details of what is being asked, etc.
-
@johnpoz said in local adapter ping TTL:
See how windows uses a 128 ttl, and freebsd (pfsense) uses a 64. If I make a tcp connection, the ttl that comes back is what the destination box sends..
There is an exception to this. On IPv6, things like Neighbor Advertisements have a 255 hop limit (IPv6 name for TTL). The reason for this is security. These packets are intended for the local LAN only and by using a 255 hop limit, it shows the packet has not passed through a router. So, any of those without 255 hop limit can be discarded as invalid.
-
@jknott valid point to bring up actually - one of the many things that makes ipv6 more than just a longer IP address ;)
The hop limit of 255 and NDP is kind of like the TTL of 1 with multicast.. which keeps it local.
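Added example, not part of any post in this thread: a small Python parser that takes ping reply lines in the two formats quoted above, guesses the sender's default TTL from the values mentioned in the thread (64, 128, 255) and derives the hop count, plus the receiver-side hop-limit-255 check described for Neighbor Discovery. The function names are this example's own, and the guess assumes the sender uses one of those three defaults.

```python
import re

# Initial TTL / hop-limit values seen in the thread: 64 (FreeBSD, Linux),
# 128 (Windows), 255 (the printer, and IPv6 Neighbor Discovery).
COMMON_INITIAL_TTLS = (64, 128, 255)

# Matches both reply styles quoted in the thread:
#   "64 bytes from 192.168.9.10: icmp_seq=0 ttl=64 time=0.658 ms"  (FreeBSD)
#   "Reply from 192.168.2.50: bytes=32 time=1ms TTL=254"           (Windows)
REPLY_RE = re.compile(r"from\s+(\d{1,3}(?:\.\d{1,3}){3}):.*?ttl=(\d+)", re.IGNORECASE)


def infer_initial_ttl(observed):
    """Smallest common initial TTL that is >= the observed TTL (a heuristic)."""
    if not 1 <= observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    return next(t for t in COMMON_INITIAL_TTLS if observed <= t)


def hops_from_reply(line):
    """Return (source, observed_ttl, assumed_initial_ttl, hops), or None if
    the line is not a ping reply."""
    m = REPLY_RE.search(line)
    if m is None:
        return None
    observed = int(m.group(2))
    initial = infer_initial_ttl(observed)
    return m.group(1), observed, initial, initial - observed


def nd_hop_limit_ok(hop_limit):
    """Receiver-side check for IPv6 Neighbor Discovery: only a hop limit of
    exactly 255 shows the packet was never forwarded by a router."""
    return hop_limit == 255


if __name__ == "__main__":
    # Reply lines copied from the ping output quoted in the thread.
    samples = [
        "64 bytes from 192.168.9.10: icmp_seq=0 ttl=64 time=0.658 ms",
        "64 bytes from 192.168.2.50: icmp_seq=0 ttl=255 time=1.355 ms",
        "Reply from 192.168.2.50: bytes=32 time=1ms TTL=254",
    ]
    for line in samples:
        print(hops_from_reply(line))
```

The hop count is only as good as the assumed default: a Windows host more than 64 hops away would be misread as a 64-default host that is closer.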