Wow! I'm stupid :(

2 days lost in researching how to do it my way with m0n0wall :( Well, maybe not - these were my first steps in BSD :)

On 9/4/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
On 9/4/06, Georgi Petrov <[EMAIL PROTECTED]> wrote:
> Hello everybody,
>
> I've sent this feature request to the m0n0wall mailing list, so it's a
> copy-paste. Everything written can be applied to pfSense as well!
>
> Here in Bulgaria we love m0n0wall and many people use it for home
> routing purposes. Our internet is delivered by LAN cables (insane,
> isn't it?) and some of my smarter friends split the service to the
> neighbours. This is pretty cool because you have to pay 2-3 times less
> and believe me - Bulgaria isn't the cheapest place to live in ;)
>
> Ok, you would say - you put one m0n0wall router under your bed and pay
> 2 times less for internet (as well as your neighbours). What's the
> problem? Here comes the problem: Almost all ISPs in Bulgaria modify
> the TTL (time to live) value of all incoming packets to 1, so when
> they enter the m0n0wall router, it decrements the TTL to 0 and being
> zero, the packet gets dropped (and doesn't reach any of the computers
> in the local network).
>
> There is a very simple way to work around that. The FreeBSD kernel
> should be compiled with the IPSTEALTH option enabled. This is absolutely
> harmless and does the following:
>
> When the kernel is compiled with this option, later you can set one
> sysctl variable to "1" (enabled), which will turn on the IPSTEALTH
> mode. In this mode the router "hides" itself, becomes untraceable with
> tracert and the most important thing is that it doesn't decrement the
> TTL, so the little trick played by most ISPs becomes irrelevant.
>
> This is completely harmless to m0n0wall - it won't be enabled by
> default, nothing will change for the default install, but this
> functionality will be present for whoever needs it! Maybe later a
> "checkbox" could be added in the webGUI for easier accessibility.
>
> I already run m0n0wall's FreeBSD IPSTEALTH-enabled kernel and enabling
> IPSTEALTH in a running m0n0wall is as easy as adding
>
> <shellcmd>sysctl net.inet.ip.stealth=1</shellcmd>
>
> just before
>
> </system>
>
> The whole procedure is explained by another smart Bulgarian on this
> page (Bulgarian language):
> http://hardwarebg.com/forum/showthread.php?t=76480&highlight=TTL
>
> So - this way the whole problem is solved and the day - saved ;)
>
> I ask for one simple thing - could you please enable IPSTEALTH in the
> next m0n0wall release, please! It's a great router/firewall - make it
> even better!
>

# sysctl -a | grep stealth
net.inet.ip.stealth: 0
net.inet6.ip6.stealth: 0

It's already compiled in.

Have fun!

Scott
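An added illustration, not code from this thread or from m0n0wall/pfSense: a small Python model of one IPv4 forwarding hop showing why an upstream that rewrites the TTL to 1 stops traffic at a normal router, and why a hop running with net.inet.ip.stealth=1 passes the same packet unchanged. The header layout and checksum follow RFC 791; the addresses and packets are constructed here.

```python
import struct
from typing import Optional, Tuple

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, ttl: int, proto: int = 17, payload_len: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with a correct checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def forward(pkt: bytes, stealth: bool) -> Tuple[str, Optional[bytes]]:
    """Model of one routing hop: returns (action, packet as it leaves the hop)."""
    # Reject anything that is not a well-formed IPv4 header with a valid checksum
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or ipv4_checksum(pkt[:20]) != 0:
        return "drop-bad-header", None
    ttl = pkt[8]
    if stealth:
        # net.inet.ip.stealth=1: TTL and checksum are left untouched, so the hop
        # neither expires the packet nor shows up in a traceroute
        return "forward", pkt
    if ttl <= 1:
        # Normal forwarding: TTL would reach 0, so the packet is dropped
        # (a real stack also sends ICMP Time Exceeded back to the source)
        return "drop-ttl-exceeded", None
    # Normal forwarding: decrement TTL and recompute the header checksum
    hdr = pkt[:8] + bytes([ttl - 1]) + pkt[9:10] + b"\x00\x00" + pkt[12:20]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return "forward", hdr + pkt[20:]

if __name__ == "__main__":
    # Constructed packet as it would arrive after an upstream rewrote the TTL to 1
    pkt = build_ipv4("203.0.113.5", "192.0.2.10", ttl=1)
    print("normal hop :", forward(pkt, stealth=False)[0])   # drop-ttl-exceeded
    print("stealth hop:", forward(pkt, stealth=True)[0])    # forward
```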
