10 (DMZ, 10.0.0.0/24)
11 (192.168.211.0/24)
13 (192.168.11.0/24)
I cannot traceroute from a host in VLAN11 to VLAN13.
$ traceroute 192.168.11.13
traceroute to 192.168.11.13 (192.168.11.13), 30 hops max, 60 byte packets
1 192.168.211.1 (192.168.211.1) 1.904 ms 1.866 ms 2.132 ms
2 * * *
3 * * *
4 *^C
But tcptraceroute works:
$ sudo tcptraceroute 192.168.11.13 445
Selected device eth1, address 192.168.211.230, port 44118 for outgoing packets
Tracing the path to 192.168.11.13 on TCP port 445 (microsoft-ds), 30 hops max
1 192.168.211.1 1.311 ms 1.093 ms 1.056 ms
2 192.168.11.13 [open] 5.667 ms 1.579 ms 2.027 ms
Nothing appears in the packetfilter.log, but here's a tcpdump of the traceroute:
# tcpdump -n -i eth1 \(icmp\) or \(vlan and icmp\)
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
15:43:55.906940 IP 192.168.211.1 > 192.168.211.230: ICMP time exceeded in-transit, length 68
15:43:55.907067 IP 192.168.211.1 > 192.168.211.230: ICMP time exceeded in-transit, length 68
15:43:55.907172 IP 192.168.211.1 > 192.168.211.230: ICMP time exceeded in-transit, length 68
3 packets captured
16 packets received by filter
0 packets dropped by kernel
At our co-lo, I have 7.306 with one LAN, 10.100.0.0/24.
I have an IPsec VPN set up between the two, which includes all LANs and SSL VPN pools on each end.
I have SSL client VPNs set up on both firewalls, with one using 10.242.6.0 and the other using 10.242.2.0 for the pools.
When I do traceroutes from the co-lo to one of my VLANs, the traceroute always appears to go through the DMZ interface of my home ASL.
e.g. from co-lo SSL VPN Pool, to home vlan11-host 230, I see:
# traceroute 192.168.211.230
traceroute to 192.168.211.230 (192.168.211.230), 30 hops max, 40 byte packets
1 fw.example.net (10.100.0.1) 30.314 ms 39.498 ms 32.536 ms
2 10.0.0.1 (10.0.0.1) 45.900 ms 50.212 ms 47.347 ms
3 192.168.211.230 (192.168.211.230) 32.437 ms 39.069 ms 40.065 ms
If I traceroute to an Astaro interface, it behaves as expected.
Furthermore, I can't traceroute from the co-lo SSL VPN pool to hosts in VLAN 13 (it fails after the home DMZ interface), but tcptraceroute works fine (it still appears to go through the home DMZ, but reaches the destination host).
Nothing appears on the firewall with
tcpdump -n -i eth1 \(icmp\) or \(vlan and icmp\)
One more thing:
When I do traceroutes from home VLAN11 to the co-lo LAN, the co-lo firewall does not respond in the traceroute, even though I DO have packetfilter rules to allow traffic from VLAN11 to the co-lo LAN (the target of the traceroute does respond).
I have all the ICMP settings enabled on both ends.
Also, the co-lo LAN can ping my VLANs, but cannot traceroute past my firewall (the firewall DOES respond to pings, as opposed to above).
Nothing appears with tcpdump -n -i eth1 \(icmp\) or \(vlan and icmp\) on the home firewall.
Routing table on home ASL:
10.100.0.0/24 dev ipsec0 table 42 proto 42 scope link src 10.0.0.1
10.242.6.0/24 dev ipsec0 table 42 proto 42 scope link src 10.0.0.1
default via 1.2.3.1 dev eth0 table default proto kernel
10.242.2.2 dev tun0 proto kernel scope link src 10.242.2.1
10.0.0.0/24 dev eth1.10 proto kernel scope link src 10.0.0.1
10.242.2.0/24 via 10.242.2.2 dev tun0
192.168.11.0/24 dev eth1.13 proto kernel scope link src 192.168.11.1
192.168.211.0/24 dev eth1.11 proto kernel scope link src 192.168.211.1
1.2.3.0/21 dev eth0 proto kernel scope link src 1.2.3.57
127.0.0.0/8 dev lo scope link
broadcast 10.0.0.0 dev eth1.10 table local proto kernel scope link src 10.0.0.1
local 10.0.0.1 dev eth1.10 table local proto kernel scope host src 10.0.0.1
broadcast 10.0.0.255 dev eth1.10 table local proto kernel scope link src 10.0.0.1
local 10.242.2.1 dev tun0 table local proto kernel scope host src 10.242.2.1
broadcast 1.2.3.0 dev eth0 table local proto kernel scope link src 1.2.3.57
local 1.2.3.57 dev eth0 table local proto kernel scope host src 1.2.3.57
local 1.2.3.57 dev ipsec0 table local proto kernel scope host src 1.2.3.57
broadcast 76.83.31.255 dev eth0 table local proto kernel scope link src 1.2.3.57
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.11.0 dev eth1.13 table local proto kernel scope link src 192.168.11.1
local 192.168.11.1 dev eth1.13 table local proto kernel scope host src 192.168.11.1
broadcast 192.168.11.255 dev eth1.13 table local proto kernel scope link src 192.168.11.1
broadcast 192.168.211.0 dev eth1.11 table local proto kernel scope link src 192.168.211.1
local 192.168.211.1 dev eth1.11 table local proto kernel scope host src 192.168.211.1
broadcast 192.168.211.255 dev eth1.11 table local proto kernel scope link src 192.168.211.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
All NICs in ASL at home are Intel Pro 100.
VLAN switch is a Netgear gs108t.
I guess my conclusion would be that the Astaro ICMP settings aren't getting applied correctly to VLANs and/or VPNs.
Thanks,
Barry
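The post contrasts a UDP traceroute that goes silent after the first hop with a tcptraceroute to port 445 that reaches the host. As an added example (not from the post, and not Astaro code), here is a small Python script that parses both traces, reports where each probe type stopped getting answers, and works out which UDP destination ports the unanswered probes carried so they can be looked for on the trunk. It assumes Linux traceroute's default probing (base UDP port 33434, three probes per hop, one destination port per probe); the two trace strings are copied from the post as constructed input. Note that the ICMP-only tcpdump filter used in the post only sees the time-exceeded replies, not the UDP probes themselves, so it cannot show whether the probes for hops 2 onward were forwarded.

```python
"""Added example (not from the post): compare a UDP traceroute with a
tcptraceroute run, find the hop where each went silent, and derive the
UDP port range / tcpdump filter that would show the unanswered probes."""
import re

# Constructed sample input: the two traces pasted in the post, verbatim.
UDP_TRACE = """\
traceroute to 192.168.11.13 (192.168.11.13), 30 hops max, 60 byte packets
 1  192.168.211.1 (192.168.211.1)  1.904 ms  1.866 ms  2.132 ms
 2  * * *
 3  * * *
 4  *^C
"""

TCP_TRACE = """\
Selected device eth1, address 192.168.211.230, port 44118 for outgoing packets
Tracing the path to 192.168.11.13 on TCP port 445 (microsoft-ds), 30 hops max
 1  192.168.211.1  1.311 ms  1.093 ms  1.056 ms
 2  192.168.11.13 [open]  5.667 ms  1.579 ms  2.027 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<ttl>  <rest of line>"
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # first IPv4 on the line


def parse_hops(text):
    """Return [(ttl, responder_ip_or_None), ...], one entry per hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner / header lines do not start with a hop number
        ip = IP_RE.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops


def last_answering_hop(hops):
    """Highest TTL for which some router or host replied (0 if none)."""
    answered = [ttl for ttl, ip in hops if ip]
    return max(answered) if answered else 0


def reached(hops, target):
    """True if the target itself appears as a responder."""
    return any(ip == target for _, ip in hops)


def udp_probe_ports(first_ttl, last_ttl, base=33434, nqueries=3):
    """Inclusive UDP dst-port range used by the probes for hops first..last.

    Assumption: Linux traceroute defaults, where probes are numbered
    sequentially and each probe gets dst port = base + probe_number."""
    lo = base + (first_ttl - 1) * nqueries
    hi = base + last_ttl * nqueries - 1
    return lo, hi


def capture_filter(hops, base=33434, nqueries=3):
    """BPF filter that captures the silent hops' UDP probes, on both
    untagged and 802.1Q-tagged frames (same shape as the post's filter)."""
    silent = [ttl for ttl, ip in hops if ip is None]
    if not silent:
        return None
    lo, hi = udp_probe_ports(min(silent), max(silent), base, nqueries)
    expr = "udp and dst portrange %d-%d" % (lo, hi)
    return "(%s) or (vlan and %s)" % (expr, expr)


def diagnose(udp_text, tcp_text, target):
    """Summarise how far each probe type got and what to capture next."""
    udp, tcp = parse_hops(udp_text), parse_hops(tcp_text)
    return {
        "udp_last_hop": last_answering_hop(udp),
        "udp_reached": reached(udp, target),
        "tcp_last_hop": last_answering_hop(tcp),
        "tcp_reached": reached(tcp, target),
        "capture_filter": capture_filter(udp),
    }


if __name__ == "__main__":
    for key, value in diagnose(UDP_TRACE, TCP_TRACE, "192.168.11.13").items():
        print("%-15s %s" % (key, value))
```

Running this on the two traces reports that UDP probes got an answer only from hop 1 while TCP/445 reached the host at hop 2, and prints a tcpdump filter for UDP destination ports 33437-33445, the ports the probes for hops 2 through 4 would have carried. Capturing with that filter on the firewall's eth1 shows whether the probes arrive on the VLAN11 subinterface and whether they are forwarded to VLAN13; if they arrive but are never forwarded, the inter-VLAN packet filter (rather than ICMP handling) is the first thing to check, since the TCP probes to 445 are evidently allowed.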