Date: Fri, 14 Nov 2008 13:30:09 -0500
From: Stephen Clark <sclark46@earthlink.net>
To: Holger Kipp <hk@alogis.com>
Cc: FreeBSD Stable <freebsd-stable@freebsd.org>
Subject: Re: FreeBSD 6.3 ipsec and traceroute doesn't work as good as Linux -why?
Message-ID: <491DC3B1.10308@earthlink.net>
In-Reply-To: <20081114163618.GA10409@intserv.int1.b.intern>
References: <491B2703.4080707@earthlink.net> <491B31F7.30200@elischer.org> <491B4345.80106@earthlink.net> <491B47D2.6010804@elischer.org> <491C2235.4090509@earthlink.net> <1226589468.1976.12.camel@wombat.2hip.net> <491C4EC2.2000802@earthlink.net> <491D6CED.50006@earthlink.net> <491D8BBC.8090201@earthlink.net> <20081114163618.GA10409@intserv.int1.b.intern>
Holger Kipp wrote:
> On Fri, Nov 14, 2008 at 09:31:24AM -0500, Stephen Clark wrote:
>
> Dear Stephen,
>
> I don't want to be rude, but looking at your description I don't see
> what's wrong with the behaviour, but it seems you don't understand what
> '* * *' really means.
>
> How does traceroute work? Well, it sends out a packet with time to live
> (TTL) set to one. On the first hop, this will be reduced by each hop that
> it passes through, and if TTL reaches zero, a time exceeded message will
> be sent back. Then another packet is sent with TTL increased by one to
> identify the next hop and so on.
>
> If no answer is received, print out a '*' and try again (up to three tries
> by default).
>
> This process will stop if the last hop replies. It does not stop (or only
> after e.g. 30 hops) if the last hop does not reply.
>
> Why is it that we sometimes do not get a reply? Possible answers:
> - fw-rules block these traceroute packages
> - routing for the answer packet is not set correctly
> - with IP-tunnel, the packet is not routed through the tunnel because
>   it does not enter the ruleset from an external interface. This might
>   be true for your firewalls.
> - ...
>
> So routing and fw-settings are very important here. You might want to
> check that first, before complaining ;-)
>
> In your setup you have not given both external and internal FW addresses.
> You might not want to have the FW be exposed on its internal interface
> to the remote network, instead you might want to have a transparent tunnel.
>
> Regards,
> Holger
>
>> 10.0.129.1 FreeBSD workstation
>>      ^
>>      |
>>      | ethernet
>>      |
>>      v
>> internal 10.0.128.1 Freebsd FW "A" public ip address
>>      ^
>>      |
>>      | ipsec
>>      |
>>      v
>> public ip address internal 192.168.2.1 Linux FW "B"
>>      ^
>>      |
>>      | ethernet
>>      |
>>      v
>> 192.168.2.20 linux workstation
>>
>> from 192.168.2.20 Linux<->ipsec<->FreeBSD
>>
>> traceroute -I 10.0.129.1
>> traceroute to 10.0.129.1 (10.0.129.1), 30 hops max, 60 byte packets
>>  1  192.168.2.1 (192.168.2.1)  0.434 ms  0.425 ms  0.423 ms
>>  2  * * *
>>  3  sclark (10.0.129.1)  42.418 ms  42.419 ms  42.727 ms
>>
>> traceroute -I 10.0.128.1
>> traceroute to 10.0.128.1 (10.0.128.1), 30 hops max, 60 byte packets
>>  1  192.168.2.1 (192.168.2.1)  0.398 ms  0.504 ms  0.505 ms
>>  2  10.0.128.1 (10.0.128.1)  36.066 ms  36.052 ms  37.800 ms
>>
>> traceroute 10.0.129.1
>> traceroute to 10.0.129.1 (10.0.129.1), 30 hops max, 60 byte packets
>>  1  192.168.2.1 (192.168.2.1)  0.484 ms  0.464 ms  0.447 ms
>>  2  * * *
>>  3  sclark (10.0.129.1)  41.406 ms  41.391 ms  47.812 ms
>>
>> traceroute 10.0.128.1
>> traceroute to 10.0.128.1 (10.0.128.1), 30 hops max, 60 byte packets
>>  1  (192.168.2.1)  0.473 ms  0.444 ms  0.427 ms
>>  2  * * *
>>  3  * * *
>>  4  * * *
>>  5  * * *
>>  6  * * *
>>  7  * * *
>>  8  * * *
>>  9  * * *
>> 10  * * *
>> 11  * * *
>> 12  * *^C
>>
>>
>> from 10.0.129.1 FreeBSD<->ipsec<->Linux
>> sudo traceroute 192.168.2.20
>> traceroute to 192.168.2.20 (192.168.2.20), 64 hops max, 40 byte packets
>>  1  HQFirewallRS.com (10.0.128.1)  0.761 ms  2.551 ms  4.017 ms
>>  2  * * *
>>  3  192.168.2.20 (192.168.2.20)  19.956 ms  27.425 ms  27.487 ms
>>
>> sclark:~
>> $ sudo traceroute 192.168.2.1
>> traceroute to 192.168.2.1 (192.168.2.1), 64 hops max, 40 byte packets
>>  1  HQFirewallRS.com (10.0.128.1)  8.069 ms  2.952 ms  4.050 ms
>>  2  home (192.168.2.1)  26.338 ms  22.132 ms  24.233 ms
>>
>> sclark:~
>> $ sudo traceroute -I 192.168.2.20
>> traceroute to 192.168.2.20 (192.168.2.20), 64 hops max, 60 byte packets
>>  1  HQFirewallRS.com (10.0.128.1)  0.714 ms  0.806 ms  0.221 ms
>>  2  home (192.168.2.1)  25.260 ms  25.312 ms  25.868 ms
>>  3  192.168.2.20 (192.168.2.20)  36.477 ms  24.828 ms  24.903 ms
>>
>> sclark:~
>> $ sudo traceroute -I 192.168.2.1
>> traceroute to 192.168.2.1 (192.168.2.1), 64 hops max, 60 byte packets
>>  1  HQFirewallRS.com (10.0.128.1)  2.219 ms  1.889 ms  4.491 ms
>>  2  home (192.168.2.1)  26.172 ms  25.706 ms  24.981 ms
>>
>> tracerouteing to Linux never just gives a * * *, * * *, * * *, etc
>>
>> --
>>
>> "They that give up essential liberty to obtain temporary safety,
>> deserve neither liberty nor safety." (Ben Franklin)
>>
>> "The course of history shows that as a government grows, liberty
>> decreases." (Thomas Jefferson)
>>
>> _______________________________________________
>> freebsd-stable@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

Hi Holger,

Thanks for the reply. During my test I had the firewalls on all systems
disabled. The problem is the FreeBSD FW does not respond correctly even if
I use the -I option on traceroute, which uses ICMP packets instead of UDP
packets. And I agree it looks to be some kind of routing problem - I put a
diag in the freebsd kernel ip_input.c

    /* TTL would expire here: send ICMP time exceeded (in transit) and drop */
    if (ip->ip_ttl <= IPTTLDEC) {
        icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, 0);
        return;
    }

to make sure it was calling icmp_error - it was. I have complementary setups
on both the FreeBSD and Linux sides. It just seems that Linux handles things
better than FreeBSD.

E.g. when tracerouting from Linux to the internal address on the FreeBSD FW:

>> traceroute 10.0.128.1
>> traceroute to 10.0.128.1 (10.0.128.1), 30 hops max, 60 byte packets
>>  1  (192.168.2.1)  0.473 ms  0.444 ms  0.427 ms
>>  2  * * *
>>  3  * * *
>>  4  * * *
>>  5  * * *
>>  6  * * *
>>  7  * * *
>>  8  * * *
>>  9  * * *
>> 10  * * *
>> 11  * * *
>> 12  * *^C

But when tracerouting from FreeBSD to the internal address on the Linux FW:

>> sudo traceroute 192.168.2.1
>> traceroute to 192.168.2.1 (192.168.2.1), 64 hops max, 40 byte packets
>>  1  HQFirewallRS.com (10.0.128.1)  8.069 ms  2.952 ms  4.050 ms
>>  2  home (192.168.2.1)  26.338 ms  22.132 ms  24.233 ms

Much more meaningful results!
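To make Holger's description of TTL probing concrete, here is an added simulation (constructed for this page, not code from the thread or from FreeBSD) that replays the two shapes of output in the thread: a silent hop that still forwards, giving one "* * *" line followed by an answer, versus a silent destination, where the trace runs all the way to max hops. The Hop.replies flag and the two topologies are modelling assumptions that mirror the diagram above, with FreeBSD FW "A" (10.0.128.1) treated as the hop whose replies never make it back to the prober.

```python
"""Simulate traceroute's TTL probing to show what '* * *' means (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    addr: str
    # False models a node whose reply never reaches the prober, e.g. a firewall
    # whose ICMP error is not routed back through the IPsec tunnel (Holger's
    # hypothesis in the thread). This flag is a modelling assumption.
    replies: bool = True


def send_probe(path, ttl):
    """Deliver one probe with the given TTL along path (routers..., destination).

    Returns (address, kind) of the node that answers, or None if nobody does.
    kind is "exceeded" for ICMP time exceeded from a router and "dest" for the
    destination's own answer (echo reply for -I, port unreachable for UDP)."""
    for i, hop in enumerate(path):
        if i == len(path) - 1:                 # probe reached the destination host
            return (hop.addr, "dest") if hop.replies else None
        ttl -= 1                               # a router decrements TTL when forwarding
        if ttl == 0:                           # expired here: router sends time exceeded
            return (hop.addr, "exceeded") if hop.replies else None
    return None


def traceroute(path, max_hops=30, queries=3):
    """Return [(ttl, [answering address or None per query])], one entry per printed line."""
    lines = []
    for ttl in range(1, max_hops + 1):
        answers = [send_probe(path, ttl) for _ in range(queries)]
        lines.append((ttl, [a[0] if a else None for a in answers]))
        if any(a and a[1] == "dest" for a in answers):
            break                              # destination answered: trace is complete
    return lines                               # otherwise we ran to max_hops


def render(lines):
    """Format like traceroute: '*' for every probe that got no answer."""
    return "\n".join(f"{ttl:2d}  " + "  ".join(a or "*" for a in ans) for ttl, ans in lines)


# Constructed topologies mirroring the thread: Linux FW "B" 192.168.2.1 answers,
# FreeBSD FW "A" internal 10.0.128.1 is silent, FreeBSD workstation 10.0.129.1 answers.
TO_FREEBSD_WORKSTATION = [Hop("192.168.2.1"), Hop("10.0.128.1", replies=False), Hop("10.0.129.1")]
TO_FREEBSD_FW_INTERNAL = [Hop("192.168.2.1"), Hop("10.0.128.1", replies=False)]

if __name__ == "__main__":
    print(render(traceroute(TO_FREEBSD_WORKSTATION)))   # hop 2 is '* * *', hop 3 answers
    print(render(traceroute(TO_FREEBSD_FW_INTERNAL)))   # '* * *' on every line up to 30
```

The second run is the case the thread is about: nothing in the trace itself distinguishes "the destination never answers" from "the path is broken"; only the reply from a node beyond the silent hop (first run) proves the probes were actually forwarded.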
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?491DC3B1.10308>