D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: iverona on June 27, 2012, 08:18:14 AM
-
Hi all!!
This is my first message to the forum, so I first want to say thanks for all the valuable information found here :-)
And now, regarding my question, I'm not able to make traceroute work with my DFL, and I think it's related to the rules. My scenario is the following:
<internet> <-----> <DFL800> <-----> <VLAN>
Traffic to the outside is working, as I have the NAT rule. Web browsing and ping to the outside work.
But when it comes to traceroute/tracert it does not work. I have the following:
- System->Advanced->IP Settings->TTL Min set to 0
- System->Advanced->IP Settings->TTL on Low set to Log
Then, as I've been testing lots of things, I have a new folder with ICMP rules at the top of the rule list with the following contents (vlanSala is the name of one of my VLAN interfaces):
1 NAT vlanSala:192.168.4.0/24 wan1,wan2:0.0.0.0/0 "ping-outbound"
2 Allow vlanSala:192.168.4.0/24 core:0.0.0.0/0 "all_icmp"
But trace does not work and I can't figure out what's wrong... I know it's a common issue, but looking through the forums I didn't find the answer, so thanks in advance!
-
Using all-icmp on the rules intended to allow tracerouting is important.
I have TTL min on 1 and it works OK.
It's important to have created a rule like this:
allow - from source network - source interface - to IP address of firewall on respective interface - interface - all-icmp
and
a rule to allow or NAT the all-icmp traffic in the desired direction.
That will solve the problem.
I always create this kind of rule independently for every interface and/or source, for example:
to lan interface from lan hosts
to incoming traffic on wan interfaces (if needed)
to incoming traffic from VPN tunnels
-
Hi chechito,
Thanks for your answer. Don't ask me why, but when I arrived this morning, using the very same rules as yesterday... traceroute is working ??? The only thing I did was restart my laptop where I did all the testing.
Just to clarify for myself, when does "core" need to be used? For ping to work on local interfaces, since the DFL is the one that has to answer?
Same rules as yesterday are used:
1 NAT vlanSala:192.168.4.0/24 wan1,wan2:0.0.0.0/0 "ping-outbound"
2 Allow vlanSala:192.168.4.0/24 core:0.0.0.0/0 "all_icmp"
Thanks for your reply!! Now I have to start dealing with Traffic Shaping :-)
-
Just to clarify for myself, when does "core" need to be used? For ping to work on local interfaces, since the DFL is the one that has to answer?
Thanks for your reply!! Now I have to start dealing with Traffic Shaping :-)
I think core applies because when tracerouting gets a TTL 0 packet on any firewall interface, the firewall itself has to answer the query.
Good luck with traffic shaping.
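To illustrate chechito's two points (the all-icmp rules needed for traceroute, and why the "core" destination matters), here is an added toy model of the rule lookup, written for this thread and not taken from D-Link or NetDefendOS. It uses the two rules iverona posted; the matching logic, the outcome names and the 'first match wins' order are simplifying assumptions, and the TTL Min / TTL on Low settings are not modelled.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    action: str       # "Allow" or "NAT"
    src_if: str       # source interface name, e.g. "vlanSala"
    src_net: str      # source network in CIDR notation
    dst_ifs: tuple    # destination interfaces; "core" means the firewall itself
    service: str      # "all_icmp" or "any"
    name: str


# The two rules from the thread, in the posted order (first match wins is assumed).
RULES = (
    Rule("NAT", "vlanSala", "192.168.4.0/24", ("wan1", "wan2"), "all_icmp", "ping-outbound"),
    Rule("Allow", "vlanSala", "192.168.4.0/24", ("core",), "all_icmp", "all_icmp"),
)


def first_match(rules, src_if, src_ip, dst_if, service):
    """Return the first rule matching source interface/network, destination interface and service."""
    for rule in rules:
        if (rule.src_if == src_if
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src_net)
                and dst_if in rule.dst_ifs
                and rule.service in (service, "any")):
            return rule
    return None


def handle_probe(rules, src_if, src_ip, ttl, out_if="wan1"):
    """Model one traceroute probe (ICMP echo) arriving with the given TTL.

    The firewall decrements the TTL. If it reaches 0 the probe cannot be
    forwarded; the firewall itself must answer with ICMP Time Exceeded, so the
    lookup is done against the 'core' pseudo-interface. Otherwise the probe is
    forwarded towards the internet and the outbound NAT rule has to match.
    Returns (outcome, name of the matched rule or None).
    """
    dst_if = "core" if ttl - 1 <= 0 else out_if
    rule = first_match(rules, src_if, src_ip, dst_if, "all_icmp")
    if rule is None:
        return ("dropped_no_rule", None)   # no hop answers: the symptom in the first post
    if dst_if == "core":
        return ("time_exceeded_from_firewall", rule.name)
    return ("forwarded_" + rule.action.lower(), rule.name)


def simulate_traceroute(rules, src_if, src_ip, max_ttl=3):
    """Outcome per TTL value, like the rows of a traceroute from a vlanSala host."""
    return [handle_probe(rules, src_if, src_ip, ttl)[0] for ttl in range(1, max_ttl + 1)]
```

Running the model with only the NAT rule (RULES[:1]) shows the TTL 1 probe being dropped, i.e. the first hop never appears; adding the "core" rule makes the firewall answer it.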