Transparent Bridge stops traceroute
-
Hi,
I have a transparent bridge that is working very well at the moment; the only thing I see is that a traceroute to a host behind it is stopped at the firewall, where I get a * * * response back.
I have set a * * * * * rule on the WAN side for ICMP and set the packages to ANY.
On the LAN side I have a rule that accepts everything to the outside world, so it can't be that.
What am I forgetting here?
Matts
-
I think I read in the irc channel that this was an issue of a wrong gateway at the client (if you are the same user from the irc channel), so this issue is solved?
-
I think I read in the irc channel that this was an issue of a wrong gateway at the client (if you are the same user from the irc channel), so this issue is solved?
Hi,
Yes, that was me, but this is another issue. The other one was DNS related: DNS was not available because of the gateway set on the default LAN rule.
This still doesn't work.
Matts
-
You should not be setting the gateway item at all in firewall rules unless you have multiple wans. Leave it as default.
-
You should not be setting the gateway item at all in firewall rules unless you have multiple wans. Leave it as default.
No indeed, but this was a test with another gateway that I have on another Nic, but forget about that issue.
This still happens with how it should be and always was before, like described above.
-
I have a transparent bridge that is working very well at the moment; the only thing I see is that a traceroute to a host behind it is stopped at the firewall, where I get a * * * response back.
While pinging the host, can you run a tcpdump on the pfSense box and the host itself? This way you can find out at which point the traffic is not making it through. Is it possible the local host doesn't allow ICMP (as the firewall wouldn't show up in the traceroute, since it's transparent)?
-
I have a transparent bridge that is working very well at the moment; the only thing I see is that a traceroute to a host behind it is stopped at the firewall, where I get a * * * response back.
While pinging the host, can you run a tcpdump on the pfSense box and the host itself? This way you can find out at which point the traffic is not making it through. Is it possible the local host doesn't allow ICMP (as the firewall wouldn't show up in the traceroute, since it's transparent)?
The strange thing was that it was working before without the pfSense box. So a tcpdump on the pfSense box might be a good idea to check this issue.
I will let you guys know what I see :)
-
I'm not able to solve the problem by using a tcpdump at the moment.
I know this was working well without the pfSense box, so I have the idea that I have to search for the problem on this machine.
Does anyone have some suggestions on how to trace the problem with or without a tcpdump?
-
I'm not able to solve the problem by using a tcpdump at the moment.
Well, did it highlight anything about where the ICMP packets might be stopping or not making it through?
I know this was working well without the pfSense box, so I have the idea that I have to search for the problem on this machine.
Does anyone have some suggestions on how to trace the problem with or without a tcpdump?
First, can you diagram the network setup for us? It's hard to say where to look when we don't know what the network looks like.
Second, maybe post the actual tcpdumps of you trying to ping the host from the point of view of the WAN, the LAN and the host itself?
-
It's quite a simple setup:
router -> transparent bridge -> switch
I think I'm not able to post tcpdumps, I will look for that.
-
I have seen that this only happens on Linux workstations and not on Windows.
Strange issue.
-
I also have the same issue with traceroute or tracepath from Linux workstations. In my configuration I have a DMZ with public IPs and a LAN interface for local IPs.
The DMZ is open for all connections in/out, but I also cannot get a tracepath or traceroute reply from a Linux workstation. From Windows, no problem whatsoever. Has anyone found any solution for this problem?
-
From memory Windows and Linux traceroute commands use different protocols by default. Try using the "-I" option with the Linux traceroute to tell it to use ICMP instead of UDP.
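As an added illustration of the ICMP-versus-UDP point in the last reply (example code, not from the thread or from pfSense): this script classifies simplified tcpdump-style lines into Linux UDP traceroute probes, ICMP echo probes and other traffic, and shows which of them a WAN rule that passes only ICMP, like the one described in the first post, would let through. The capture, the addresses and the simplified line format are constructed for the example.

```python
import re
from collections import Counter

# Constructed, simplified tcpdump-style lines (not from the thread) as they might be
# seen on the bridge's WAN interface while two clients probe the host behind it.
SAMPLE_CAPTURE = """\
12:00:01.000 IP (ttl 1) 203.0.113.10.45678 > 198.51.100.20.33434: UDP, length 32
12:00:01.010 IP (ttl 2) 203.0.113.10.45678 > 198.51.100.20.33435: UDP, length 32
12:00:01.020 IP (ttl 3) 203.0.113.10.45678 > 198.51.100.20.33436: UDP, length 32
12:00:02.000 IP (ttl 1) 203.0.113.11 > 198.51.100.20: ICMP echo request, id 1, seq 1, length 72
12:00:02.010 IP (ttl 2) 203.0.113.11 > 198.51.100.20: ICMP echo request, id 1, seq 2, length 72
12:00:03.000 IP (ttl 64) 203.0.113.12.50000 > 198.51.100.20.443: tcp 0
"""

UDP_RE = re.compile(r"ttl (\d+)\) (\S+?)\.(\d+) > (\S+?)\.(\d+): UDP")
ICMP_RE = re.compile(r"ttl (\d+)\) (\S+) > (\S+): ICMP echo request")

# Classic Linux traceroute walks UDP destination ports upward from 33434,
# one port per probe; Windows tracert sends ICMP echo requests instead.
TRACEROUTE_PORTS = range(33434, 33535)


def classify(line):
    """Return the probe type a firewall rule would have to match for this packet."""
    m = UDP_RE.search(line)
    if m:
        ttl, dport = int(m.group(1)), int(m.group(5))
        if dport in TRACEROUTE_PORTS and ttl < 64:
            return "udp-traceroute"
        return "udp-other"
    if ICMP_RE.search(line):
        return "icmp-echo"
    return "other"


def icmp_only_rule_passes(kind):
    """Model the thread's WAN rule: ICMP from any to any, nothing else."""
    return kind == "icmp-echo"


def audit(capture):
    """Count, per probe type, how many packets the ICMP-only rule passes or drops."""
    result = Counter()
    for line in capture.splitlines():
        kind = classify(line)
        verdict = "pass" if icmp_only_rule_passes(kind) else "drop"
        result[(kind, verdict)] += 1
    return dict(result)


if __name__ == "__main__":
    for (kind, verdict), n in sorted(audit(SAMPLE_CAPTURE).items()):
        print(f"{kind:16} {verdict:5} {n}")
```

The UDP probes are all dropped while the ICMP echo probes pass, which is the asymmetry between Linux and Windows that the thread observed.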