OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: guest29443 on June 13, 2021, 02:22:29 pm

Title: Opnsense 21 Doesn't issue ICMP TTL Exceed / Hop Limit Messages
Post by: guest29443 on June 13, 2021, 02:22:29 pm
Hello,

I have two virtualized Opnsense routers, each with a shared WAN connection segment, and their own LAN segments. All packet filtering is disabled on both routers, and routing works. Blocking bogons is disabled on all interfaces, and the addressing is all private. I can ping LAN interfaces of routers from others/virtual clients, but I cannot get traceroute to work when provided a router interface address. Traceroute works against a virtual client address.

It seems something is preventing the router from generating a TTL expired message when a packet is addressed to it. This sounds like a firewall issue, but the packet filtering is disabled.

Any suggestions?
Title: Re: Opnsense 21 Doesn't issue ICMP TTL Exceed / Hop Limit Messages
Post by: Napsterbater on June 14, 2021, 05:14:51 am
If you have Rules on the LAN/Incoming interface that specify/override a gateway OPNsense will not show in a Traceroute.
Title: Re: Opnsense 21 Doesn't issue ICMP TTL Exceed / Hop Limit Messages
Post by: guest29443 on June 15, 2021, 02:06:45 am
Thanks for the reply. I think the problem was my expectations.
The packets are arriving at the router, but no TTL expired is occurring because the next hop is on the router, but since the router has no service listening on the UDP ports targeted by traceroute and no firewall is enabled to send back ICMP reject, traceroute has no way to know the packets have arrived at any final destination.
Title: Re: Opnsense 21 Doesn't issue ICMP TTL Exceed / Hop Limit Messages
Post by: Napsterbater on June 15, 2021, 04:11:33 am
Quote
The packets are arriving at the router, but no TTL expired is occurring because the next hop is on the router, but since the router has no service listening on the UDP ports targeted by traceroute and no firewall is enabled to send back ICMP reject, traceroute has no way to know the packets have arrived at any final destination.

No.

Again, if you have a LAN firewall rule (or whatever interface is incoming for this trace) that has a gateway set for anything other than default, OPNsense will not show in the traceroute, because the packet bypasses the kernel and a TTL decrement, simply because of the way packets with a non-default gateway are handled.

This has nothing to do with anything listening on UDP or anything like that.
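The thread turns on two ICMP messages: Time Exceeded (type 11), which a hop emits when it decrements the probe's TTL to zero, and Port Unreachable (type 3, code 3), which a host emits when the UDP probe reaches it and nothing listens on the port. A traceroute client matches each reply against the probe it sent by looking at the original IP/UDP header quoted inside the ICMP error. The following is an added example, not code from this forum thread or from OPNsense; it builds constructed probe and reply packets inline (the 10.0.x.x addresses and ports are made up) and classifies the replies the way a UDP traceroute does. Whatever stops a device from emitting Time Exceeded for a given TTL, whether a filter or forwarding that skips the TTL decrement as described above, the client sees no matching reply for that hop and prints `*`.

```python
"""Classify ICMP replies the way a UDP traceroute client does.

Added example (not from the OPNsense forum thread or the OPNsense project):
parses raw IPv4 ICMP datagrams, matches the quoted original UDP probe, and
reports whether the sender was an intermediate hop (Time Exceeded, type 11)
or the final destination (Port Unreachable, type 3 code 3).  Every packet
below is constructed in memory; nothing touches the network.
"""
import struct

ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
PROTO_ICMP, PROTO_UDP = 1, 17


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; test data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, _ip(src), _ip(dst))


def udp_probe(src: str, dst: str, sport: int, dport: int, ttl: int) -> bytes:
    """Traceroute-style probe: IP header + 8-byte UDP header, no payload."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return ipv4_header(src, dst, PROTO_UDP, ttl, len(udp)) + udp


def icmp_error(sender: str, probe_src: str, itype: int, code: int, probe: bytes) -> bytes:
    """ICMP error quoting the first 28 bytes of the offending probe (RFC 792)."""
    icmp = struct.pack("!BBHI", itype, code, 0, 0) + probe[:28]
    return ipv4_header(sender, probe_src, PROTO_ICMP, 64, len(icmp)) + icmp


def classify_reply(pkt: bytes, expect_sport: int, expect_dport: int):
    """Return ('hop', sender) or ('dest', sender) if pkt answers our probe, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_ICMP:
        return None
    sender = ".".join(str(b) for b in pkt[12:16])
    icmp = pkt[ihl:]
    itype, code = icmp[0], icmp[1]
    inner = icmp[8:]                      # quoted original IP header + 8 bytes of L4
    if len(inner) < 28 or inner[9] != PROTO_UDP:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    if (sport, dport) != (expect_sport, expect_dport):
        return None                       # reply to somebody else's probe
    if itype == ICMP_TIME_EXCEEDED:
        return ("hop", sender)            # TTL ran out here: an intermediate hop
    if itype == ICMP_DEST_UNREACH and code == ICMP_PORT_UNREACH:
        return ("dest", sender)           # probe arrived, port closed: final destination
    return None


def render_hop(reply) -> str:
    """What traceroute prints for one TTL: the sender, or '*' when nothing matched."""
    return reply[1] if reply else "*"


def run_demo():
    """Three constructed replies to one probe: a hop, the destination, a stray."""
    probe = udp_probe("10.0.1.50", "10.0.2.1", 40000, 33434, 1)
    from_hop = icmp_error("10.0.1.1", "10.0.1.50", ICMP_TIME_EXCEEDED, 0, probe)
    from_dest = icmp_error("10.0.2.1", "10.0.1.50", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, probe)
    other_probe = udp_probe("10.0.1.50", "10.0.2.1", 40001, 33434, 1)
    stray = icmp_error("10.0.1.1", "10.0.1.50", ICMP_TIME_EXCEEDED, 0, other_probe)
    return [classify_reply(p, 40000, 33434) for p in (from_hop, from_dest, stray)]


if __name__ == "__main__":
    for reply in run_demo():
        print(render_hop(reply), reply)
```

Running it prints the hop, the destination, and `*` for the stray reply whose quoted source port does not match. To check a real router from a LAN client, the same classification can be applied to a `tcpdump -ni <iface> icmp` capture taken on the client while running `traceroute` to the router's interface address: if no type 11 arrives for the TTL where the router sits, the router never generated one for that probe.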