Allowing Traceroute to and through cOS Core

Frequently Asked Questions
Peter
Location: Clavister HQ - Örnsköldsvik


Post by Peter » 01 Jun 2011, 10:25

This FAQ applies to:
  • Clavister CorePlus™ version 8.x-10.x, 11.x, 12.x
Question:

I want to let Traceroute through my Clavister Security Gateway, but it seems to be blocked by default. How can I let it through?
and/or
I got the traceroute traffic through and adjusted the TTL, but I still don't get a reply from the Clavister (first few hops). How do I fix that?

Answer:

In order to let traceroute through, you need to change/enable two settings:

1. Under Advanced settings (or System->Advanced settings) go to IP Settings and change the "TTL Min" value from 3 to 1.
2. On the service of your outgoing rule that allows ICMP, enable the "Pass returned ICMP error messages from destination" option.
2.1. Note: In newer versions (11.x) this option is renamed to "Forward ICMP errors".

Example of solution:

Add two IP Rules: the first permits the Clavister itself to respond to the traceroute packets, and the second NATs out the traffic and permits the ICMP messages back to the machine performing the traceroute. These rules assume that the IP of the Clavister is core routed (either assigned to an interface or, if it is an additional IP address on the interface, added using a Core Route with Proxy ARP on the interface where it is added; see viewtopic.php?f=18&t=5171 or the manual for a description of this).
The ping-outbound service already has the "Pass returned ICMP error messages from destination" feature enabled, and setting (1) in the Answer section above has been implemented.

   Name              Src Iface  Src Net  Dst Iface  Dst Net   Service
1. Allow_Core_Ping   LAN        Lan_Net  Core       All-Nets  ping-outbound
2. NAT_Traceroute    LAN        Lan_Net  Wan        All-Nets  ping-outbound

Keywords: Trace Route, tracert
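To see why both settings in the Answer are needed, here is a small simulation added to this FAQ (it is not Clavister code and does not talk to a real gateway). It models a LAN host tracerouting through the gateway on a constructed four-hop path, with the "TTL Min" value and the "Forward ICMP errors" option as the only two variables; the IP rules from the example are assumed to be in place.

```python
# Added illustration, not Clavister's code: a simplified model of how "TTL Min"
# and "Forward ICMP errors" decide which traceroute hops a LAN client sees.
from dataclasses import dataclass


@dataclass
class Firewall:
    """Hypothetical model of the two cOS Core settings named in the FAQ."""
    ttl_min: int = 3                   # "TTL Min" default quoted in the FAQ
    forward_icmp_errors: bool = False  # "Forward ICMP errors" (older: "Pass returned ICMP error messages")


# Constructed path: LAN client -> gateway (hop 1) -> ISP router -> core router -> destination.
PATH = ["clavister-fw", "isp-router", "core-router", "destination"]
FW_INDEX = 0


def trace(fw, path=PATH, fw_index=FW_INDEX):
    """Return what the client sees per probe: the replying hop's name, or '*' for a timeout.

    Probe n is sent with TTL=n. Simplifications: every hop decrements TTL by one; the
    gateway silently drops a probe whose arriving TTL is below ttl_min (no ICMP error is
    sent); ICMP Time Exceeded from hops beyond the gateway reaches the client only when
    forward_icmp_errors is set; the destination answers the probe itself (echo reply),
    which the existing connection state passes regardless.
    """
    result = []
    for ttl in range(1, len(path) + 1):
        reply = "*"
        remaining = ttl
        for idx, hop in enumerate(path):
            if idx == fw_index and remaining < fw.ttl_min:
                break                      # dropped by TTL Min: no Time Exceeded at all
            remaining -= 1
            if remaining == 0:
                if idx == len(path) - 1:
                    reply = hop            # destination's own reply, passed by state
                elif idx > fw_index and not fw.forward_icmp_errors:
                    pass                   # Time Exceeded generated, but gateway discards it
                else:
                    reply = hop
                break
        result.append(reply)
    return result


def compare():
    """Run the trace with defaults, with only TTL Min changed, and with both settings changed."""
    return {
        "defaults": trace(Firewall()),
        "ttl_min=1 only": trace(Firewall(ttl_min=1)),
        "both settings": trace(Firewall(ttl_min=1, forward_icmp_errors=True)),
    }


if __name__ == "__main__":
    for label, hops in compare().items():
        print(f"{label:16} {' '.join(hops)}")
```

With the defaults the first three hops time out; lowering TTL Min alone makes only the gateway appear, and the intermediate routers show up once ICMP errors are forwarded as well.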
