[TriLUG] traceroute works, ping and tcp services don't get through

Seva Adari oddissyus at gmail.com
Fri May 18 11:34:29 EDT 2012


Just a wild guess: Maybe your router2 is configured to block ICMP outbound!
Once inbound is allowed, it is unusual to block the response packets, but
I believe it is doable.

On Fri, May 18, 2012 at 8:59 AM, Joseph Mack NA3T <jmack at wm7d.net> wrote:
>
>          client (outside/internet)
>
>                  \| def gw
>                  -
> router1   <---->  router2
>                   _
>         _         /|
>  def gw |\       |/_ route
>
>
>          server (inside)
>
> I've just fixed this problem but don't have an explanation for what I saw
> and was wondering if anyone understands it.
>
> I have failover routers. Because I'm changing the internal networks, one
> router at a time, the IPs on the inside of the routers are different
> (router1=172.16.2.0/24, router2=192.168.2.0/24). Normally router1 is the
> default route for packets from the outside and inside, but to test that I
> could still use both routers, I made router2 the default gw for packets from
> the outside, while keeping router1 the default gw for packets from the
> inside.
>
> Although I didn't realise it, I now didn't have a route from router1 to the
> client. What was also confusing was that I'd just home brewed my own
> firewall rules and had assumed that they were causing the problem (they
> weren't, but I spent 2hrs debugging them before finding the solution).
>
> What I saw was that I could no longer ping (icmp type 8) the server from
> the client, or make any tcp connections. However traceroute (icmp type 11)
> still worked, showing the expected path client->router2->server. Looking at
> the iptables logs, I found that tcp packets were being returned from the
> server via router1 (the server's default gw) and not by the reverse path via
> router2. Adding a route from router1 to the client allowed ping and tcp
> packets to get through.
>
> So tcp and ping type 8 go around the loop clockwise, while ping type 11 goes
> out and back client<->router2<->server
>
> Anyone know why the different packets take a different route?
>
> Thanks Joe
>
> --
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) wm7d (dot) net - azimuthal equidistant map
> generator at http://www.wm7d.net/azproj.shtml
> Homepage http://www.austintek.com/ It's GNU/Linux!
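A small model of the situation Joe describes, added here as an illustration; it is not code from the post. The node layout follows his diagram, but the addresses, the node names, and the choice that router2 is directly attached to the 172.16.2.0/24 side during the migration are assumptions. Each node forwards by longest-prefix match on its own table, and the point to watch is which node originates each reply. The ICMP time exceeded (type 11) that traceroute relies on for the intermediate hop is sent by router2, which has a route back to the client, so it gets home. An echo reply (to ICMP type 8) or a TCP SYN-ACK is originated by the server, which hands it to its own default gateway, router1; until router1 has a route to the client that leg is dropped. With the route added the exchange is still asymmetric, client->router2->server out and server->router1->client back, but it completes. In this model the probe that reaches the server is also answered by the server, so the last traceroute line shares the fate of ping; that is a property of the model, which says nothing about what the particular traceroute implementation in use sends.

```python
"""Model of the asymmetric-routing failure described in the thread.

Added illustration, not code from the original post. Node layout follows
the diagram; the addresses are constructed (not from the post). Each node
does destination-based forwarding with a longest-prefix-match table. A
reply is originated by whichever node the probe stopped at and is routed
using only the tables of the nodes it passes on the way back.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

DIRECT = "direct"  # prefix is attached: hand the packet to the node owning the address


@dataclass
class Node:
    name: str
    addrs: list[str]                # addrs[0] is the address replies are sent to
    routes: list[tuple[str, str]]   # (prefix, next-hop node name or DIRECT)

    def next_hop(self, dst: ipaddress.IPv4Address) -> str | None:
        """Longest-prefix match; None means no route, so the packet is dropped."""
        best = None
        for prefix, hop in self.routes:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None


class Topology:
    def __init__(self, nodes: list[Node]) -> None:
        self.nodes = {n.name: n for n in nodes}

    def owner(self, addr) -> str | None:
        return next((n.name for n in self.nodes.values() if str(addr) in n.addrs), None)

    def send(self, src: str, dst, ttl: int = 64):
        """Forward one packet from node `src` toward address `dst`.

        Returns (outcome, node, path): outcome is 'delivered', 'ttl_exceeded'
        (node is the router that would emit ICMP type 11) or 'no_route'.
        """
        dst = ipaddress.ip_address(dst)
        here, path = src, [src]
        while True:
            node = self.nodes[here]
            if str(dst) in node.addrs:
                return "delivered", here, path
            if here != src:             # transit router: TTL is decremented here
                ttl -= 1
                if ttl == 0:
                    return "ttl_exceeded", here, path
            hop = node.next_hop(dst)
            here = self.owner(dst) if hop == DIRECT else hop
            if here is None:
                return "no_route", node.name, path
            path.append(here)

    def exchange(self, src: str, dst, ttl: int = 64):
        """Probe plus the reply it provokes. The reply starts at the node where
        the probe stopped and follows that node's table, not the reverse path."""
        outcome, stop, fwd = self.send(src, dst, ttl)
        r_outcome, _, back = self.send(stop, self.nodes[src].addrs[0])
        return outcome, stop, r_outcome == "delivered", fwd, back


def ping(topo: Topology, src: str, dst) -> tuple[bool, list[str], list[str]]:
    """ICMP echo (type 8). A TCP SYN behaves the same way: the echo reply or
    SYN-ACK is originated by the server and takes the server's default route."""
    outcome, _, answered, fwd, back = topo.exchange(src, dst)
    return outcome == "delivered" and answered, fwd, back


def traceroute(topo: Topology, src: str, dst, max_hops: int = 4) -> list[str]:
    """Node that answered each TTL, '*' when the reply never got back to `src`."""
    hops = []
    for ttl in range(1, max_hops + 1):
        _, stop, answered, _, _ = topo.exchange(src, dst, ttl)
        hops.append(stop if answered else "*")
        if answered and stop == topo.owner(dst):
            break
    return hops


def build(router1_knows_client: bool) -> Topology:
    """Layout from the diagram in the post: router1 is the inside default gateway,
    router2 the gateway used from the outside; the flag is the route Joe added."""
    r1_routes = [("172.16.2.0/24", DIRECT)]
    if router1_knows_client:
        r1_routes.append(("203.0.113.0/24", DIRECT))   # the fix
    return Topology([
        Node("client", ["203.0.113.10"], [("0.0.0.0/0", "router2")]),
        Node("router2", ["198.51.100.2", "192.168.2.1"],
             [("203.0.113.0/24", DIRECT), ("172.16.2.0/24", DIRECT)]),  # assumed attached
        Node("router1", ["198.51.100.1", "172.16.2.1"], r1_routes),
        Node("server", ["172.16.2.50"], [("0.0.0.0/0", "router1")]),
    ])


if __name__ == "__main__":
    for fixed in (False, True):
        topo = build(fixed)
        ok, fwd, back = ping(topo, "client", "172.16.2.50")
        print(f"router1 has a route to the client: {fixed}")
        print("  ping answered:", ok, "| out:", "->".join(fwd), "| back:", "->".join(back))
        print("  traceroute:   ", traceroute(topo, "client", "172.16.2.50"))
```

On a real router the same question is answered with `ip route get <client address>`, which prints the next hop the reply will actually take from that box; running it on router1 would have shown the missing route without touching the firewall rules.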


