Traceroute timing out at foremost router

metal

I can't seem to figure out why my subnet can't traceroute at all and the one immediately above me can. Here is the setup relevant to the problem:

Code:
                     [Internet]
                         |
                    [Cable Modem]
                         |
            [Linksys Router (192.168.1.1)]
               /                      \
[box1 (192.168.1.2)]   [Smoothwall Firewall (192.168.1.7, 192.168.0.1)]
                                          |
                                 [box2 (192.168.0.10)]
The Linksys router provides DHCP to box1 and Smoothwall Firewall's public NIC and sets 192.168.1.1 as the default gateway for them. The Smoothwall Firewall provides DHCP to box2, and sets 192.168.0.1 as the default gateway for box2.

My problem is, when I traceroute from box1 to any known internet IP address the first bounce (which should be the Linksys Router) times out and all the remaining bounces are fine. When I traceroute from box2 to any known internet IP address the first bounce (the Smoothwall Firewall) succeeds and every bounce after that times out. Why is it failing from both subnets, but especially why is box2 unable to traceroute anything on the internet? Also, box2 can traceroute box2 in 2 hops (Smoothwall, then box2).
 
It probably has to do with your firewall. My firewall uses iptables with Shorewall; I had to add a rule like this:

Code:
#ACTION   SOURCE   DEST   PROTO   DEST            SOURCE
ACCEPT    all      all    udp     33434:33523     32769:65535

After that, tracerouting worked.
 
Thanks for the quick reply.
I know little about iptables, but I'm reading a howto now because I should definitely learn it. It looks like that entry would allow traffic from UDP ports 33434 - 33523. My first action in troubleshooting was to set up port forwarding on the range 33434 - 33534 UDP to box2; is there a difference between that and what you are suggesting? I'll try your suggestion as soon as I get far enough in this tutorial to know where it goes, lol.
Thanks again
 
metal said:
Why is it failing from both subnets, but especially why is box2 unable to traceroute anything on the internet?

Re: The trace from box1

Does it look something like this?

Code:
1    <1 ms   <1 ms   <1 ms   192.168.1.1
2     *       *       *      Request timed out.
3    36 ms   28 ms    9 ms   68.87.224.221
4    more stuff here
5    blah blah blah
6    etc. etc. etc...

That first timeout is the cable modem (on Comcast at least); it used to show as a 10.a.b.c address, which, if I remember correctly, was the cable modem's and CMTS's IPs.
 
The traceroute from box1 returns a timeout at the FIRST hop; it doesn't even list the router (192.168.1.1), but it successfully lists every hop after that to the destination. box2's traceroute never gets past the router: it lists the Smoothwall (192.168.0.1) as the first hop and then times out for the rest.

<edit>Now that I think of it, this problem has existed with 2 cable modems. About a month ago I decided my modem must have been hit by a surge because it was randomly losing connection, and buying a new modem fixed it. But I have always had the same traceroute problems.</edit>
 
metal said:
The traceroute from box1 returns a timeout at the FIRST hop; it doesn't even list the router (192.168.1.1), but it successfully lists every hop after that to the destination. box2's traceroute never gets past the router: it lists the Smoothwall (192.168.0.1) as the first hop and then times out for the rest.

<edit>Now that I think of it, this problem has existed with 2 cable modems. About a month ago I decided my modem must have been hit by a surge because it was randomly losing connection, and buying a new modem fixed it. But I have always had the same traceroute problems.</edit>

I also have a Linux box as my router, which is why 192.168.1.1 shows up in my traceroute above. I seem to have a vague memory of the Linksys router I owned not showing in traceroutes. Either way, the box1 route seems to be fine: bypassing the Linksys, not getting a response from the cable modem, and then showing you the rest of the hops.

As for the Smoothwall box, check the firewall (your iptables ruleset); I'd be willing to bet you are blocking ICMP messages somewhere.
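The Shorewall rule and the two traces discussed in this thread, as an added Python example that is not from any poster: it computes the UDP destination ports classic traceroute uses for each hop and probe (so you can check that a range such as 33434:33523 covers the default 30 hops x 3 probes), and classifies traceroute output by where the `*` hops sit, which separates a first hop that simply does not answer from a firewall dropping the ICMP time-exceeded replies that every later hop depends on. The sample traces and the 203.0.113.9 destination are constructed.

```python
import re
PORT_BASE = 33434          # first UDP destination port used by classic traceroute
MAX_HOPS, NPROBES = 30, 3  # traceroute defaults: 30 hops, 3 probes per hop

def probe_port(ttl, probe, base=PORT_BASE, nprobes=NPROBES):
    """UDP destination port of probe number `probe` (0-based) sent with this TTL."""
    return base + (ttl - 1) * nprobes + probe

def rule_covers_all_probes(lo=33434, hi=33523):
    """True if a firewall rule accepting UDP ports lo:hi admits every default probe."""
    ports = [probe_port(t, p) for t in range(1, MAX_HOPS + 1) for p in range(NPROBES)]
    return lo <= min(ports) and max(ports) <= hi

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")             # 'N  rest of hop line'
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # any IPv4 literal in the line
def parse_trace(text):
    """Turn traceroute/tracert output into [(hop, replied, address_or_None)]."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # skip banner lines such as 'traceroute to ...'
        ip = IP_RE.search(m.group(2))
        hops.append((int(m.group(1)), ip is not None, ip.group(1) if ip else None))
    return hops

def diagnose(hops):
    """Classify where the '*' hops sit; that tells you where the replies die."""
    replied = [r for _, r, _ in hops]
    if all(replied):
        return "ok"
    if not any(replied):
        return "no-replies"
    first = replied.index(True)
    last = len(replied) - 1 - replied[::-1].index(True)
    if not all(replied[first:last + 1]):
        return "intermittent"
    if last < len(replied) - 1:
        # Hop `last` answered but nothing beyond it: ICMP time-exceeded replies
        # from later hops are being dropped at or behind that hop (box2 case).
        return "silent-after-hop-%d" % hops[last][0]
    # Only leading hop(s) are silent: those devices don't answer, but the path
    # beyond them works (box1 case).
    return "leading-hops-silent-through-%d" % hops[first - 1][0]

# Constructed samples modelled on the two traces in the thread; 203.0.113.9 is a
# documentation-range placeholder for the internet destination.
BOX1_TRACE = " 1  * * *\n 2  68.87.224.221  36 ms  28 ms  9 ms\n 3  203.0.113.9  40 ms  41 ms  39 ms\n"
BOX2_TRACE = " 1  192.168.0.1  0.4 ms  0.3 ms  0.3 ms\n 2  * * *\n 3  * * *\n"
```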
 