Obfuscating router from traceroute/MTR

Very unorthodox title, I know.

The long and short of it is that my ISP has a jitter and packet loss issue at peak evening hours which is being graphed by connmon and spdMerlin through the router. They absolutely hate that I have evidence against them and would rather force me to remove the router (blaming it as the bottleneck). An agent of theirs has been tracking the issue through AnyDesk for about a week now and every time they get on I'm forced to remove the router, wasting 10-15 minutes.

Is there any way to keep the router functioning on default router mode –– I'm aware AP mode gives me what I'm looking for –– and not have it show up on a traceroute? Perhaps something in DHCP? Idk.
 
If you drop ICMP replies it won't show up.

Such a simple solution :eek:

Anyway, I don't think this can be achieved through the interface, can it? Firewall tab only gives you the option to drop WAN ICMP.

I'd have to go into the iptables huh?
 
Update:


Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP icmp -- 0.0.0.0/0 0.0.0.0/0
// ...


This rule seems to have blocked local ICMP ping:

PING 192.168.50.1 (192.168.50.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1


However, traceroute and MTR still pick it up as the first hop and it even seems to be reachable.


UPDATE:

Same rule as above, but on the OUTPUT chain seems to do the trick. It won't completely get rid of the hop. Traceroute and MTR still do detect that there's a there there.

If anyone knows how to completely eliminate the hop, please do chime in.
 
What about this:
Code:
iptables -I INPUT -p icmp -j DROP
iptables -I OUTPUT -p icmp -j DROP
iptables -I FORWARD -p icmp -j DROP
 
What about this:
Code:
iptables -I INPUT -p icmp -j DROP
iptables -I OUTPUT -p icmp -j DROP
iptables -I FORWARD -p icmp -j DROP

Tried lmao. Drops absolutely everything. Even 8.8.8.8 doesn't respond.

I think dropping ICMP on the forward chain is responsible for this behavior.
 
Output is blocking but forward isn't needed.

Played around a bit:

iptables -I FORWARD -p icmp -j DROP:

- Router -> 8.8.8.8 works, connmon works
- MTR and traceroute result in a solitary hop (ONLY the router)

iptables -I OUTPUT -p icmp -j DROP:

- Router -> 8.8.8.8 fails, connmon fails
- MTR and traceroute result in perfectly normal traceroute with * * * in place of the router
- This seems like the most optimal solution, for now

iptables -I INPUT -p icmp -j DROP:

- Router -> 8.8.8.8 fails, connmon fails
- MTR and traceroute result in perfectly normal traceroute SHOWING the router, even with RTT values.
- However... ping directly to the router from PC fails
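
The results in the post above follow from which filter chain each packet crosses on the router. The sketch below is an added example, not part of any post in this thread: a simplified model that reproduces the three observations and then goes beyond them by evaluating a narrower rule that drops only ICMP time-exceeded on OUTPUT. It assumes UDP traceroute probes (ICMP-probe tools come out the same under these rules); the flow names and the narrower rule are assumptions of the example.

```python
"""Toy model: which filter chain sees each packet in the thread's tests."""
ANY = None  # rule matches every ICMP type, like a bare "-p icmp"

# Steps are (chain, protocol, icmp_type) as seen on the router.
# A TTL=1 probe expires in the forwarding path before FORWARD is consulted;
# the router's own time-exceeded reply is locally generated, so it leaves
# through OUTPUT and never touches INPUT.
FLOWS = {
    "lan_ping_router": [("INPUT", "icmp", "echo-request"),
                        ("OUTPUT", "icmp", "echo-reply")],
    "router_ping_wan": [("OUTPUT", "icmp", "echo-request"),
                        ("INPUT", "icmp", "echo-reply")],
    "router_hop_shown": [("OUTPUT", "icmp", "time-exceeded")],
    "later_hops_shown": [("FORWARD", "udp", None),
                         ("FORWARD", "icmp", "time-exceeded")],
}

# Rules are (chain, icmp_type) pairs with target DROP.
RULESETS = {
    "INPUT -p icmp": [("INPUT", ANY)],
    "OUTPUT -p icmp": [("OUTPUT", ANY)],
    "FORWARD -p icmp": [("FORWARD", ANY)],
    # Narrower variant, not tested in the thread:
    #   iptables -I OUTPUT -p icmp --icmp-type time-exceeded -j DROP
    "OUTPUT time-exceeded only": [("OUTPUT", "time-exceeded")],
}


def dropped(rules, chain, proto, icmp_type):
    """True if any DROP rule on this chain matches the packet."""
    return proto == "icmp" and any(
        chain == rule_chain and rule_type in (ANY, icmp_type)
        for rule_chain, rule_type in rules)


def evaluate(rules):
    """Map each flow to True when every one of its packets gets through."""
    return {name: not any(dropped(rules, *step) for step in steps)
            for name, steps in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in RULESETS.items():
        print(f"{label:28s} {evaluate(rules)}")
```

In this model the narrower rule leaves the router's own pings (the path connmon depends on) working while the hop still shows as `* * *`, because the router continues to decrement TTL.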
 
