Problem with firewall enabled

Kurogane

Occasional Visitor
I enabled the firewall, and from outside I can't do a traceroute; if I disable the firewall it resolves again.

From what I searched, ICMP needs to be allowed and to respond to ping, but even with Respond ICMP Echo enabled I still can't resolve the traceroute issue.

- How can I enable traceroute with the firewall enabled?
- How can I enable traceroute with/without Respond ICMP Echo enabled?
 
traceroute from LAN to the internet works fine with the router's firewall enabled. You'll have to provide more details about your setup and how you're testing this.

Code:
C:\Users\Colin>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3     8 ms    10 ms     9 ms  80.3.66.145
  4     *        *        *     Request timed out.
  5    13 ms    12 ms    12 ms  62.254.59.130
  6    18 ms    18 ms    17 ms  142.250.160.116
  7    21 ms    16 ms    16 ms  216.239.41.53
  8    12 ms    13 ms    12 ms  142.251.54.33
  9    23 ms    18 ms    23 ms  8.8.8.8

Trace complete.
 
Enable the option in the router's firewall.

[Attachment: Untitled.png]

Try it with DoS protection disabled.

What client operating system are you using? Windows, macOS, Linux?
 
As I said in my post, I have tried Respond ICMP Echo both enabled and disabled.

Also, it doesn't matter what OS I'm using, because if I disable the firewall it works fine.
 
> As I said in my post, I have tried Respond ICMP Echo both enabled and disabled.
>
> Also, it doesn't matter what OS I'm using, because if I disable the firewall it works fine.

It does matter what OS you're using, because not all versions of traceroute use ICMP. Ubuntu, for example, uses UDP by default.
 
I tested with:

- Ubuntu
- Debian
- Gentoo
- RHEL
- Slackware
- Alpine, etc.
- Windows Server
- Windows 10/11

As I said, it doesn't matter which OS, but if it does matter then I want to be able to traceroute from all of those OSes.
 
Tracert works fine for me in 388.2_2 with Skynet enabled. Not sure what the particular issue is for your system, but would suggest you turn up the logging on the router to see dropped packets, then re-test and check the logs.

Unless the default config was changed, tracert should work.
 
I don't have any addons; it's just the default with only the firewall enabled.

Code:
Jun 22 23:34:58 kernel: DROP IN=eth0 OUT= MAC=82:de:6d:96:a1:ff:78:fe:11:b6:aa:f7:08:00 SRC=remote DST=router LEN=60 TOS=0x00 PREC=0x20 TTL=1 ID=54025 PROTO=UDP SPT=45411 DPT=33468 LEN=40 MARK=0x8000000
 
> I don't have any addons; it's just the default with only the firewall enabled.
>
> Code:
> Jun 22 23:34:58 kernel: DROP IN=eth0 OUT= MAC=82:de:6d:96:a1:ff:78:fe:11:b6:aa:f7:08:00 SRC=remote DST=router LEN=60 TOS=0x00 PREC=0x20 TTL=1 ID=54025 PROTO=UDP SPT=45411 DPT=33468 LEN=40 MARK=0x8000000

What is this log entry showing? Is it the result of you doing a traceroute to your router? If so, then you were using UDP, as I mentioned above. Tell your client to use ICMP instead and see if that makes a difference.

Please post all of the output seen on the client when you do the traceroute.
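
The DROP line quoted above is the whole story in one record, so here is an added example (mine, not code from the thread or from Asuswrt-Merlin) that parses such netfilter LOG entries and names the probe type. PROTO=UDP with DPT=33468 falls in the 33434-33534 range that Unix traceroute walks through one port per probe, DST=router means the probe was addressed to the router itself, and TTL=1 means it was the probe aimed at exactly this hop. Because INPUT dropped it, the kernel never sent the ICMP port-unreachable that would have made the remote traceroute print the hop and stop. The sample log below is constructed: only its first line is the one posted (SRC/DST left redacted as the poster had them); the other lines are made up to show the other probe types.

```python
"""Classify netfilter DROP log lines as traceroute probes.

Added example for this thread, not code from the forum or from
Asuswrt-Merlin. The router logs dropped packets with the netfilter LOG
target, whose KEY=VALUE fields are parsed here. SAMPLE_LOG is
constructed: its first line reproduces the entry posted in the thread
(SRC/DST still redacted), the others are made up.
"""
from __future__ import annotations
import re

# Unix traceroute sends UDP to port 33434 and counts up one port per
# probe; this range arriving on a WAN interface is almost certainly a
# traceroute and not a service anyone meant to reach.
UDP_TRACEROUTE_PORTS = range(33434, 33535)

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

SAMPLE_LOG = """\
Jun 22 23:34:58 kernel: DROP IN=eth0 OUT= MAC=82:de:6d:96:a1:ff:78:fe:11:b6:aa:f7:08:00 SRC=remote DST=router LEN=60 TOS=0x00 PREC=0x20 TTL=1 ID=54025 PROTO=UDP SPT=45411 DPT=33468 LEN=40 MARK=0x8000000
Jun 22 23:35:02 kernel: DROP IN=eth0 OUT= MAC=82:de:6d:96:a1:ff:78:fe:11:b6:aa:f7:08:00 SRC=remote DST=router LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=31 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
Jun 22 23:35:07 kernel: DROP IN=eth0 OUT= MAC=82:de:6d:96:a1:ff:78:fe:11:b6:aa:f7:08:00 SRC=remote DST=router LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=7 PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 22 23:35:09 kernel: DROP IN=eth0 OUT= MAC=82:de:6d:96:a1:ff:78:fe:11:b6:aa:f7:08:00 SRC=remote DST=router LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=UDP SPT=5353 DPT=53 LEN=58
"""


def parse_drop_line(line: str) -> dict | None:
    """Return the LOG fields of one DROP line, or None if it is not one."""
    if "PROTO=" not in line or " DROP " not in line:
        return None
    # Later keys win, so for ICMP the ICMP ID= replaces the IP header ID=.
    fields = dict(FIELD_RE.findall(line))
    after_proto = line.split("PROTO=", 1)[1].split()[1:]
    # TCP flags are logged as bare upper-case tokens (SYN, ACK, RST, ...).
    fields["FLAGS"] = {tok for tok in after_proto if tok.isalpha() and tok.isupper()}
    return fields


def probe_kind(f: dict) -> str:
    """Name the probe type a dropped packet most likely belongs to."""
    proto = f.get("PROTO")
    if proto == "UDP" and int(f.get("DPT", 0)) in UDP_TRACEROUTE_PORTS:
        return "udp-traceroute"     # Linux/BSD traceroute default
    if proto == "ICMP" and f.get("TYPE") == "8":
        return "icmp-echo"          # Windows tracert, traceroute -I, plain ping
    if proto == "TCP" and f["FLAGS"] == {"SYN"}:
        return "tcp-syn"            # traceroute -T looks like this, but so does any connect()
    return "other"


def dropped_probes(log: str) -> list[dict]:
    """Summarise every DROP line.

    A dropped probe with TTL=1 was the one aimed at this router as its
    N-th hop. Dropping it instead of answering it is what the remote
    traceroute shows as "*": no port-unreachable, no echo reply.
    """
    out = []
    for line in log.splitlines():
        f = parse_drop_line(line)
        if f is None:
            continue
        out.append({
            "iface": f.get("IN"),
            "src": f.get("SRC"),
            "kind": probe_kind(f),
            "ttl": int(f["TTL"]),
            "dpt": int(f["DPT"]) if "DPT" in f else None,
        })
    return out


if __name__ == "__main__":
    for rec in dropped_probes(SAMPLE_LOG):
        print(rec)
```

With the firewall on, the same source keeps showing up with TTL 1, 2, 3 and so on up to 30 as the remote traceroute raises the TTL waiting for an answer that never comes; that climbing pattern, rather than any single entry, is the signature of a traceroute the router is silently absorbing.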
 
Why complicate things? What's so astral about doing a simple traceroute? Does the client use ICMP or UDP? How would the client know that? Even I don't know.

The previous log is from the router.

Here is an example of a traceroute from the client.

Linux:

Bash:
traceroute IP.ROUTER
traceroute to IP.ROUTER (IP.ROUTER), 30 hops max, 60 byte packets
 1  140.91.197.2 (140.91.197.2)  1.259 ms 140.91.196.154 (140.91.196.154)  1.094 ms 140.91.196.118 (140.91.196.118)  0.940 ms
 2  ae-2.r25.asbnva02.us.bb.gin.ntt.net (129.250.2.124)  2.970 ms  2.038 ms  2.880 ms
 3  ae-7.a00.rstnva04.us.bb.gin.ntt.net (129.250.203.141)  5.009 ms  4.973 ms  106.231 ms
 4  ae-14.r25.asbnva02.us.bb.gin.ntt.net (129.250.2.56)  1.402 ms ae-14.r24.asbnva02.us.bb.gin.ntt.net (129.250.2.245)  1.198 ms  1.157 ms
 5  ae-1.a04.asbnva02.us.bb.gin.ntt.net (129.250.2.125)  1.027 ms  4.968 ms  4.936 ms
 6  ae-9.a04.asbnva02.us.bb.gin.ntt.net (128.241.8.10)  3.809 ms  3.777 ms  3.643 ms
 7  94.142.117.55 (94.142.117.55)  25.234 ms 94.142.98.197 (94.142.98.197)  45.939 ms 94.142.97.171 (94.142.97.171)  29.246 ms
 8  94.142.98.12 (94.142.98.12)  49.150 ms  50.465 ms  55.329 ms
 9  ash-bb2-link.ip.twelve99.net (62.115.121.217)  51.405 ms  51.417 ms  51.417 ms
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Windows

Bash:
tracert IP.ROUTER

Tracing route to IP.ROUTER [IP.ROUTER]
over a maximum of 30 hops:

  1     5 ms     5 ms     5 ms  et-0-0-16.edge4.Munich1.Level3.net [212.162.5.145]
  2     5 ms     7 ms    14 ms  ae5-159.edge3.Munich1.Level3.net [62.140.25.101]
  3    12 ms    11 ms    25 ms  ae1.3122.edge9.Frankfurt1.level3.net [4.69.167.114]
  4    35 ms    12 ms    18 ms  94.142.107.220
  5    22 ms    15 ms    15 ms  176.52.248.125
  6    98 ms    98 ms    97 ms  213.140.36.230
  7   243 ms   134 ms   154 ms  84.16.12.145
  8   142 ms   142 ms   142 ms  94.142.98.12
  9   149 ms   146 ms   153 ms  ash-bb2-link.ip.twelve99.net [62.115.121.217]
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

The next hop (hop 10) is the router IP.
 
Thanks @Kurogane.

It might be a bug in the firmware. What router and firmware version are you using?

Can you SSH into the router and post the output of these commands, please?
Code:
iptables-save -t nat
iptables -vnL INPUT
Hide your WAN IP address in the output.
 
I'm using an RT-AX88U with firmware 388.2_2.

With the firewall enabled:

Code:
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             base-address.mcast.net/4
GAME_VSERVER  all  --  anywhere             PUBLIC-ROUTER-IP
VSERVER    all  --  anywhere             PUBLIC-ROUTER-IP

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
PUPNP      all  --  anywhere             anywhere
MASQUERADE !ipv6 -- !PUBLIC-ROUTER-IP  anywhere
MASQUERADE !ipv6 --  172.16.1.0/24        172.16.1.0/24

Chain DNSFILTER (0 references)
target     prot opt source               destination

Chain GAME_VSERVER (1 references)
target     prot opt source               destination

Chain LOCALSRV (0 references)
target     prot opt source               destination

Chain PCREDIRECT (0 references)
target     prot opt source               destination

Chain PUPNP (1 references)
target     prot opt source               destination

Chain VSERVER (1 references)
target     prot opt source               destination
VUPNP      all  --  anywhere             anywhere

Chain VUPNP (1 references)
target     prot opt source               destination

Code:
iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     2    --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 INPUT_PING  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 5318 1448K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    44 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 4838  974K PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0
  591 46163 PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5152
  591 46163 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
 1604  257K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     41   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  br1    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  br1    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  br1    *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     udp  --  br1    *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 DROP       all  --  br1    *       0.0.0.0/0            0.0.0.0/0
 3234  717K WGSI       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3234  717K WGCI       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3234  717K OVPNSI     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3234  717K OVPNCI     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3234  717K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


With the firewall disabled:

Code:
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
GAME_VSERVER  all  --  anywhere             PUBLIC-ROUTER-IP
VSERVER    all  --  anywhere             PUBLIC-ROUTER-IP

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
PUPNP      all  --  anywhere             anywhere
MASQUERADE !ipv6 -- !PUBLIC-ROUTER-IP  anywhere
MASQUERADE !ipv6 --  172.16.1.0/24        172.16.1.0/24

Chain DNSFILTER (0 references)
target     prot opt source               destination

Chain GAME_VSERVER (1 references)
target     prot opt source               destination

Chain LOCALSRV (0 references)
target     prot opt source               destination

Chain PCREDIRECT (0 references)
target     prot opt source               destination

Chain PUPNP (1 references)
target     prot opt source               destination

Chain VSERVER (1 references)
target     prot opt source               destination
VUPNP      all  --  anywhere             anywhere

Chain VUPNP (1 references)
target     prot opt source               destination

Code:
iptables -vnL INPUT
Chain INPUT (policy ACCEPT 724 packets, 134K bytes)
 pkts bytes target     prot opt in     out     source               destination
 
In your output with the firewall enabled it looks like the option "Respond ICMP Echo (ping) Request from WAN" is still set to "No". If that's not the case then it looks like a GUI bug of some sort.

Are you actually testing this from the internet or are you trying to do from your router via a VPN?

Try turning off WireGuard and seeing if that makes a difference.
 
Yes, the previous iptables output is with ICMP Echo disabled.

Here it is with it enabled.

Code:
iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  569  133K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  867  137K PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0
  385 30806 PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5152
  385 30806 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
  218 31710 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     41   --  *      *       0.0.0.0/0            0.0.0.0/0
    6   437 ACCEPT     udp  --  br1    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  br1    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  br1    *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     udp  --  br1    *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    1   113 DROP       all  --  br1    *       0.0.0.0/0            0.0.0.0/0
  642  104K WGSI       all  --  *      *       0.0.0.0/0            0.0.0.0/0
  642  104K WGCI       all  --  *      *       0.0.0.0/0            0.0.0.0/0
  642  104K OVPNSI     all  --  *      *       0.0.0.0/0            0.0.0.0/0
  642  104K OVPNCI     all  --  *      *       0.0.0.0/0            0.0.0.0/0
  642  104K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

I don't use any VPN; I'm testing this from the internet.
 
Yes, ping works (it always works); only traceroute doesn't.

Code:
traceroute to IP.ROUTER (IP.ROUTER), 30 hops max, 60 byte packets
 1  172.17.0.1 (172.17.0.1)  0.081 ms
 2  *
 3  ae-9.a04.asbnva02.us.bb.gin.ntt.net (128.241.8.10)  3.809 ms  3.777 ms  3.643 ms
 4  94.142.124.110 (94.142.124.110)  45.405 ms
 5  94.142.98.12 (94.142.98.12)  66.185 ms
 6  ash-bb2-link.ip.twelve99.net (62.115.121.217)  51.405 ms  51.417 ms  51.417 ms
 7  *
 8  *
 9  *
10  *
11  *
12  *
13  *
14  *
15  *
16  *
17  *
18  *
19  *
20  *
21  *
22  *
23  *
24  *
25  *
26  *
27  *
28  *
29  *
30  *
 
Same error in my case.

Code:
admin@RT-AC86U:/jffs/root# iptables -L INPUT -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      284 70830 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
2        6   456 DROP       all  --  any    any     anywhere             anywhere             state INVALID
3      254 39343 PTCSRVWAN  all  --  !br0   any     anywhere             anywhere
4       54  5419 PTCSRVLAN  all  --  br0    any     anywhere             anywhere
5        0     0 DROP       tcp  --  !lo    any     anywhere             anywhere             tcp dpt:5152
6       54  5419 ACCEPT     all  --  br0    any     anywhere             anywhere             state NEW
7       99 18207 ACCEPT     all  --  lo     any     anywhere             anywhere             state NEW
8        0     0 ACCEPT     igmp --  any    any     anywhere             base-address.mcast.net/4
9        0     0 ACCEPT     udp  --  any    any     anywhere             base-address.mcast.net/4  udp dpt:!upnp
10       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:2222
11      15   560 ACCEPT     icmp --  any    any     anywhere             anywhere
12       0     0 ACCEPT     udp  --  br1    any     anywhere             anywhere             udp dpt:domain
13       0     0 ACCEPT     tcp  --  br1    any     anywhere             anywhere             tcp dpt:domain
14       0     0 ACCEPT     udp  --  br1    any     anywhere             anywhere             udp dpt:bootps
15       0     0 ACCEPT     udp  --  br1    any     anywhere             anywhere             udp dpt:bootpc
16      40  8320 DROP       all  --  br1    any     anywhere             anywhere
17     100 12256 OVPNSI     all  --  any    any     anywhere             anywhere
18     100 12256 OVPNCI     all  --  any    any     anywhere             anywhere
19     100 12256 DROP       all  --  any    any     anywhere             anywhere

Just delete rule #2 and you can traceroute again. Strange error in 386.11.
Code:
iptables -D INPUT 2
Or you can duplicate rule 11 (icmp), making it the first rule:
Code:
iptables -I INPUT -p icmp -j ACCEPT
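
To see why ping answers while traceroute does not, here is an added example (mine, not code from the thread or from Asuswrt-Merlin) that walks a probe through a model of the INPUT chain transcribed from the `iptables -vnL INPUT` output posted earlier with the firewall on and Respond ICMP Echo on. With the rules as posted, a UDP probe from the WAN matches nothing until the final catch-all DROP, so the kernel never sends the ICMP port-unreachable and the remote traceroute prints `*`, whereas an ICMP echo probe is accepted by the `ACCEPT icmp` rule. The model also shows what the two fixes in the post above do: an ICMP accept inserted at the top answers even probes that conntrack has flagged INVALID (the case that deleting rule #2 addresses) but does nothing for UDP traceroute, while a narrower WAN-only accept for UDP ports 33434-33534 (my assumption, not something from the thread) answers Unix traceroute without opening anything else. Further assumptions: eth0 is the WAN interface, as in the posted kernel log line; the PTCSRVWAN, PTCSRVLAN, WGSI, WGCI, OVPNSI and OVPNCI sub-chains are omitted because the posted counters show every packet entering WGSI reaching the final DROP; the two br1 DHCP rules are merged into one port range.

```python
"""Walk a traceroute probe through a model of the router's INPUT chain.

Added example for this thread, not code from the forum or from
Asuswrt-Merlin. RULES is a hand-transcribed subset of the posted
`iptables -vnL INPUT` (firewall on, Respond ICMP Echo on). Sub-chains
are omitted (their counters show they accepted nothing), the two br1
DHCP rules are merged, and eth0 is assumed to be the WAN interface.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str                 # "udp", "icmp", "tcp" or a protocol number as a string
    dport: int | None = None
    ctstate: str = "NEW"       # conntrack's view: NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    target: str
    in_iface: str | None = None            # "br0", "!lo", ...
    proto: str | None = None
    dports: tuple[int, int] | None = None  # inclusive --dport range
    ctstates: tuple[str, ...] = ()         # -m state --state ...

    def matches(self, p: Packet) -> bool:
        if self.in_iface:
            negated = self.in_iface.startswith("!")
            if (p.in_iface == self.in_iface.lstrip("!")) == negated:
                return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dports and (p.dport is None or not self.dports[0] <= p.dport <= self.dports[1]):
            return False
        if self.ctstates and p.ctstate not in self.ctstates:
            return False
        return True


# INPUT chain with the firewall enabled, in the order posted.
RULES = [
    Rule("ACCEPT", ctstates=("RELATED", "ESTABLISHED")),             # reply traffic
    Rule("DROP", ctstates=("INVALID",)),                             # rule #2 in the post above
    Rule("DROP", in_iface="!lo", proto="tcp", dports=(5152, 5152)),
    Rule("ACCEPT", in_iface="br0", ctstates=("NEW",)),               # LAN
    Rule("ACCEPT", in_iface="lo", ctstates=("NEW",)),
    Rule("ACCEPT", proto="icmp"),                                    # Respond ICMP Echo from WAN
    Rule("ACCEPT", proto="41"),                                      # 6in4
    Rule("ACCEPT", in_iface="br1", proto="udp", dports=(53, 53)),
    Rule("ACCEPT", in_iface="br1", proto="tcp", dports=(53, 53)),
    Rule("ACCEPT", in_iface="br1", proto="udp", dports=(67, 68)),    # two posted rules merged
    Rule("DROP", in_iface="br1"),                                    # guest network
    Rule("DROP"),                                                    # final catch-all
]


def verdict(p: Packet, rules: list[Rule] = RULES) -> tuple[int, str]:
    """(1-based number, target) of the first rule that matches, or (0, policy)."""
    for n, r in enumerate(rules, 1):
        if r.matches(p):
            return n, r.target
    return 0, "ACCEPT"   # chain policy; unreachable while the final DROP is present


def remote_sees(p: Packet, rules: list[Rule] = RULES) -> str:
    """What the traceroute at the far end prints for a probe addressed to the router."""
    if verdict(p, rules)[1] != "ACCEPT":
        return "*"   # no reply at all; the trace keeps raising the TTL until 30 hops
    if p.proto == "udp":
        return "hop shown (ICMP port unreachable from the router, trace ends)"
    if p.proto == "icmp":
        return "hop shown (echo reply from the router, trace ends)"
    return "hop shown (TCP RST or SYN-ACK from the router, trace ends)"


# Probes as they arrive on the WAN side.
UDP_PROBE = Packet("eth0", "udp", dport=33468)      # the packet in the posted kernel log
ICMP_PROBE = Packet("eth0", "icmp")                  # Windows tracert / traceroute -I
TCP_PROBE = Packet("eth0", "tcp", dport=80)          # traceroute -T

# Fix suggested in the post above: an ICMP accept ahead of everything else.
ICMP_FIRST = [Rule("ACCEPT", proto="icmp")] + RULES
# Narrower alternative (an assumption of this example, not from the thread):
# answer only the classic traceroute UDP port range arriving on the WAN interface.
UDP_RANGE_FIRST = [Rule("ACCEPT", in_iface="eth0", proto="udp", dports=(33434, 33534))] + RULES


if __name__ == "__main__":
    variants = (("as posted", RULES), ("icmp first", ICMP_FIRST), ("udp range first", UDP_RANGE_FIRST))
    probes = (UDP_PROBE, ICMP_PROBE, TCP_PROBE, Packet("eth0", "icmp", ctstate="INVALID"))
    for name, rules in variants:
        for p in probes:
            print(f"{name:16} {p.proto:5} {p.ctstate:8} rule {verdict(p, rules)} -> {remote_sees(p, rules)}")
```

Of the two suggestions in the post above, the inserted ICMP accept is the safer one: removing the `state INVALID` DROP also admits every packet that conntrack cannot tie to any connection (a stray ACK with no matching flow, for instance), which is exactly what that rule exists to discard. Prefer an explicit accept for the one thing you want answered, and on Asuswrt-Merlin put it in /jffs/scripts/firewall-start so it is re-applied whenever the firewall is restarted.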
 
