RE: Changed ISP now can't get to websites / traceroute

2003-07-08 Thread Sten Daniel Sørsdal
 The thing is,
 now that I've got this new ISP (Zen - 8 static IP's), I find 
 that there
 are sites that I am not able to get (browse) to, most concerning is
 www.freebsdforums.org. Ever since I've got this new ADSL account, not
 for hell nor high-water can I hit that site, using any browser, using
 any OS (FreeBSD, RH £inux or MS Win2K Pro / XP) at home.

There could be a hundred reasons as to why you don't reach 
www.freebsdforums.org.

_Might_ be an MTU problem somewhere upstream, if ICMP is filtered this 
is definitely a bigger problem. Does ping work? If they also filter UDP 
as you mention (fbsd traceroute not working) I'd suggest you talk to 
your ISP and find out exactly what they are filtering.

Are those 8 static IP's public or private? If they start with
192.168.x.x, 10.x.x.x, 172.16.x.x through 172.16.31.x.x
they must be NATed and it is their NAT configuration that blocks the 
traceroute.

Contact the ISP!

- Sten
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


RE: Changed ISP now can't get to websites / traceroute

2003-07-08 Thread Stacey Roberts
Hello,

On Tue, 2003-07-08 at 15:38, Sten Daniel Sørsdal wrote:
  The thing is,
  now that I've got this new ISP (Zen - 8 static IP's), I find 
  that there
  are sites that I am not able to get (browse) to, most concerning is
  www.freebsdforums.org. Ever since I've got this new ADSL account, not
  for hell nor high-water can I hit that site, using any browser, using
  any OS (FreeBSD, RH £inux or MS Win2K Pro / XP) at home.
 
 There could be a hundred reasons as to why you don't reach 
 www.freebsdforums.org.
 
 _Might_ be an MTU problem somewhere upstream, if ICMP is filtered this 
 is definitely a bigger problem. Does ping work? If they also filter UDP 
 as you mention (fbsd traceroute not working) I'd suggest you talk to 
 your ISP and find out exactly what they are filtering.
 
At the moment, ping works as I can ping www.freebsd.org:
$ ping www.freebsd.org
PING www.freebsd.org (216.136.204.117): 56 data bytes
64 bytes from 216.136.204.117: icmp_seq=0 ttl=45 time=183.653 ms
64 bytes from 216.136.204.117: icmp_seq=1 ttl=45 time=171.993 ms
64 bytes from 216.136.204.117: icmp_seq=2 ttl=45 time=172.027 ms
^C
--- www.freebsd.org ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 171.993/175.891/183.653/5.489 ms
$

However, not freebsdforums:
$ ping www.freebsdforums.org
PING vail.edry.com (207.174.189.161): 56 data bytes
^C
--- vail.edry.com ping statistics ---
29 packets transmitted, 0 packets received, 100% packet loss
$

I've already emailed my ISP about these very points and concerns - I'm
not holding my breath..,

 Are those 8 static IP's public or private? If they start with
 192.168.x.x, 10.x.x.x, 172.16.x.x through 172.16.31.x.x
 they must be NATed and it is their NAT configuration that blocks the 
 traceroute.
 

Public.

 Contact the ISP!
 

On 8 separate occasions.., spoke to 8 separate tech support guys..,
with 8 different views on what the problem is :-(

Thanks for the reply.

Regards,

Stacey

 - Sten
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com




Re: Changed ISP now can't get to websites / traceroute

2003-07-07 Thread Frank Knobbe
On Mon, 2003-07-07 at 13:52, Stacey Roberts wrote:

 2] Does anyone know of any reason why traceroute might fail on FreeBSD,
 but work on Win2K Pro?

Stacey,

FreeBSD uses UDP based traceroute while Windows boxes use ICMP based
traceroute. Some providers (like ComCast cable) block ICMP packets (so
tracert on Windows fails), but let UDP packets through (which means that
BSD based traceroute succeeds).

HTH,
Frank





Re: Changed ISP now can't get to websites / traceroute

2003-07-07 Thread Stacey Roberts
Hello Frank,

On Mon, 2003-07-07 at 19:23, Frank Knobbe wrote:
 On Mon, 2003-07-07 at 13:52, Stacey Roberts wrote:
 
  2] Does anyone know of any reason why traceroute might fail on FreeBSD,
  but work on Win2K Pro?
 
 Stacey,
 
 FreeBSD uses UDP based traceroute while Windows boxes use ICMP based
 traceroute. Some providers (like ComCast cable) block ICMP packets (so
 tracert on Windows fails), but let UDP packets through (which means that
 BSD based traceroute succeeds).
 

Ahh.., that's got to be it.., I'll have a look at my ipfw ruleset and
see if there's something can be tweaked..,

For what it's worth, here are the relevant statements that previously
worked with my PIPEX adsl connection:

$fwcmd add 00640 allow tcp from any to any out via $oif setup keep-state uid root
$fwcmd add 00641 allow tcp from any to any in via $oif setup keep-state uid root
$fwcmd add 00642 allow udp from me to any 33435-33500 out via $oif keep-state
$fwcmd add 00643 allow icmp from any to me icmptype 3,11 in via $oif limit src-addr 2
 
# Allow out ping function
$fwcmd add 00650 allow icmp from any to any out via $oif keep-state

And here's all the icmp-related statements:

$ grep -i icmp /etc/firewall/fwrules
$fwcmd add 00643 allow icmp from any to me icmptype 3,11 in via $oif limit src-addr 2
$fwcmd add 00650 allow icmp from any to any out via $oif keep-state
$fwcmd add 00860 deny log icmp from any to me icmptype 0,8 in via $oif
$

These worked fine before.., Can't imagine why they wouldn't be okay now.

Thanks again for the info, Frank.., That's another one of those
things...,

Regards,

Stacey

 HTH,
 Frank
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com




Re: Changed ISP now can't get to websites / traceroute

2003-07-07 Thread Stacey Roberts
Hello,

On Mon, 2003-07-07 at 21:20, John Murphy wrote:
 Stacey Roberts [EMAIL PROTECTED] wrote:
 
 Well., that's the story they're feeding me now. Something to do with the
 fact that it's a new range??
 
 Hmm.  Looking at the headers of your post you seem to have an address
 in the previously bogus 82/8 range.  These were only made available to
 RIPE circa November 2002 and some operators have been slow to update
 their ACLs.  My ISP has acquired a whole range of these and forced one
 on me, so I know what problems they can cause.
 
 Really pisses me off this.., I'm quite fond of the FreeBSDforums site,
 one of the best *bsd-related forum sites I've come across.., too.
 
 I can't get to http://www.freebsdforums.org/ either!
 

Sorry but.., AT LAST!! I'm not going crazy.., and it might be that
there's some sanity to what Zen is telling me?

 The temporary fix for me is to use the ISP's web-cache :(
 

No such option for me :-(

 Here's a traceroute from here (in case it helps):
 
 traceroute to vail.edry.com (207.174.189.161), 64 hops max, 44 byte packets
  1  10.48.128.1 (10.48.128.1)  11.499 ms  14.670 ms  9.454 ms
  2  gsr01-tf.blueyonder.co.uk (62.31.176.161)  28.402 ms  9.319 ms  9.155 ms
  3  172.18.4.41 (172.18.4.41)  8.951 ms  18.224 ms  12.685 ms
  4  kno-rab-wol-pos.telewest.net (194.117.136.49)  23.042 ms  24.131 ms  40.047 ms
  5  tele2-kno-rab-pos.telewest.net (194.117.136.70)  18.752 ms  37.390 ms  28.197 ms
  6  zcr1-so-5-0-0.Londonlnt.cw.net (166.63.222.37)  50.513 ms  19.658 ms  19.770 ms
  7  dcr2-loopback.Chicago.cw.net (208.172.2.100)  119.590 ms  111.810 ms  116.965 ms
  8  agr4-so-6-0-0.Chicago.cw.net (208.175.10.158)  128.898 ms  138.911 ms  113.668 ms
  9  acr2.Denver.cw.net (208.172.162.62)  152.239 ms  162.933 ms  145.562 ms
 10  internap.Denver.cw.net (208.172.161.178)  155.267 ms  155.384 ms  160.362 ms
 11  border10.ge3-0-bbnet2.den.pnap.net (216.52.40.79)  155.735 ms  160.266 ms  158.363 ms
 12  coop-2.border10.den.pnap.net (216.52.42.118)  133.003 ms  134.785 ms  134.697 ms
 13  199.45.130.33 (199.45.130.33)  138.747 ms  147.327 ms  135.144 ms
 14  * border-to-141-netrack.boulder.co.coop.net (207.174.144.178)  139.951 ms !X *
 15  border-to-141-netrack.boulder.co.coop.net (207.174.144.178)  136.281 ms !X * *
 16  border-to-141-netrack.boulder.co.coop.net (207.174.144.178)  159.470 ms !X *  137.951 ms !X

Note here that you don't appear to actually *get* to freebsdforums' IP:
From nslookup for freebsdforums.org :
Non-authoritative answer:
Name:freebsdforums.org
Address:  207.174.189.161

I'm trying to force Zen to increase their efforts in doing whatever
they're able to do for me, but it's a nightmare getting through to tech
support to even begin that process.., 

For now, I'm trying to google around for what I might need to do in
order that I can get traceroute to work for my *nix boxes here.., 

Thanks again for that..,

Regards,

Stacey

-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com




Re: Changed ISP now can't get to websites / traceroute

2003-07-07 Thread Micheal Patterson

 14  * border-to-141-netrack.boulder.co.coop.net (207.174.144.178)  139.951 ms !X *
 15  border-to-141-netrack.boulder.co.coop.net (207.174.144.178)  136.281 ms !X * *
 16  border-to-141-netrack.boulder.co.coop.net (207.174.144.178)  159.470 ms !X *  137.951 ms !X

 Note here that you don't appear to actually *get* to freebsdforums' IP:

That's correct. !X is Communications Administratively Prohibited meaning
they've got an ACL in place that explicitly denies access to the next hop in
the trace. I can trace to that point and then my trace dies with simple
timeouts instead of prohibited. To me, that usually means that a firewall
is active that is denying udp and icmp also.

 From nslookup for freebsdforums.org :
 Non-authoritative answer:
 Name:freebsdforums.org
 Address:  207.174.189.161

 I'm trying to force Zen to increase their efforts in doing whatever
 they're able to do for me, but it's a nightmare getting through to tech
 support to even begin that process..,

I'm not sure what Zen will be able to do as long as they're advertising that
they're responsible for the network block that you've been assigned to.
Although, they may be willing to contact the network powers that be for the
networks that you can't traverse through due to lack of action on their
part. Then again, it is the remote network's prerogative to allow or disallow
the traffic.

 For now, I'm trying to google around for what I might need to do in
 order that I can get traceroute to work for my *nix boxes here..,

Good luck.

 Thanks again for that..,

 Regards,

 Stacey

 -- 
 Stacey Roberts
 B.Sc (HONS) Computer Science

--

Micheal Patterson
TSG Network Administration
405-917-0600

Confidentiality Notice:  This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
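
Added example, not part of the original thread: a small parser that reads BSD traceroute output like the trace quoted above, rejoins the mail-wrapped continuation lines, and reports which router returned an unreachable annotation such as !X and whether the destination ever answered. The names parse_hops and diagnose are hypothetical; the sample input is hops 11, 14 and 16 excerpted from the trace posted in the thread.

```python
import re

# Annotations BSD traceroute prints after a probe's RTT (see traceroute(8)).
# !X is ICMP type 3 (unreachable), code 13 (administratively prohibited).
FLAGS = {
    "!H": "host unreachable",
    "!N": "network unreachable",
    "!P": "protocol unreachable",
    "!X": "communication administratively prohibited",
}
HOP_START = re.compile(r"^\s*(\d+)\s+(.*)$")
TOKEN = re.compile(r"\(([\d.]+)\)|([\d.]+) ms(?: (!\S+))?|(\*)")

# Excerpt of the trace posted in the thread, with its wrapped lines kept.
TRACE = """\
traceroute to vail.edry.com (207.174.189.161), 64 hops max, 44 byte packets
11  border10.ge3-0-bbnet2.den.pnap.net (216.52.40.79)  155.735 ms  160.266 ms
 158.363 ms
14  * border-to-141-netrack.boulder.co.coop.net (207.174.144.178)  139.951 ms !X *
16  border-to-141-netrack.boulder.co.coop.net (207.174.144.178)  159.470 ms !X *
 137.951 ms !X
"""

def parse_hops(text):
    """Parse traceroute output into per-hop dicts, rejoining wrapped lines."""
    hops = []
    for line in text.splitlines():
        m = HOP_START.match(line)
        if m:  # a new hop starts with an integer TTL followed by whitespace
            hops.append({"hop": int(m.group(1)), "addrs": [], "rtts": [],
                         "flags": [], "timeouts": 0})
            line = m.group(2)
        elif not hops:
            continue  # banner line before the first hop
        hop = hops[-1]  # no TTL prefix: wrapped tail of the previous hop
        for addr, rtt, flag, star in TOKEN.findall(line):
            if addr and addr not in hop["addrs"]:
                hop["addrs"].append(addr)
            if rtt:
                hop["rtts"].append(float(rtt))
            if flag:
                hop["flags"].append(flag)
            if star:
                hop["timeouts"] += 1
    return hops

def diagnose(text, dest):
    """Say whether dest answered and which router, if any, sent an unreachable."""
    hops = parse_hops(text)
    blocked = next((h for h in hops if h["flags"]), None)
    return {
        "reached": any(dest in h["addrs"] for h in hops),
        "filter_hop": blocked["hop"] if blocked else None,
        "filter_addr": blocked["addrs"][0] if blocked else None,
        "reason": FLAGS.get(blocked["flags"][0], "other") if blocked else None,
    }
```

Calling diagnose(TRACE, "207.174.189.161") on the excerpt names hop 14 (207.174.144.178) as the router sending the prohibited reply and shows the destination never responded.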



Re: Changed ISP now can't get to websites / traceroute

2003-07-07 Thread Stacey Roberts
Hello,
 Sorry about the delay..,

On Mon, 2003-07-07 at 22:03, Micheal Patterson wrote:
  14  * border-to-141-netrack.boulder.co.coop.net (207.174.144.178)  139.951 ms !X *
  15  border-to-141-netrack.boulder.co.coop.net (207.174.144.178)  136.281 ms !X * *
  16  border-to-141-netrack.boulder.co.coop.net (207.174.144.178)  159.470 ms !X *  137.951 ms !X
 
  Note here that you don't appear to actually *get* to freebsdforums' IP:
 
 That's correct. !X is Communications Administratively Prohibited meaning
 they've got an ACL in place that explicitly denies access to the next hop in
 the trace. I can trace to that point and then my trace dies with simple
 timeouts instead of prohibited. To me, that usually means that a firewall
 is active that is denying udp and icmp also.
 
  From nslookup for freebsdforums.org :
  Non-authoritative answer:
  Name:freebsdforums.org
  Address:  207.174.189.161
 
  I'm trying to force Zen to increase their efforts in doing whatever
  they're able to do for me, but it's a nightmare getting through to tech
  support to even begin that process..,
 
 I'm not sure what Zen will be able to do as long as they're advertising that
 they're responsible for the network block that you've been assigned to.
 Although, they may be willing to contact the network powers that be for the
 networks that you can't traverse through due to lack of action on their
 part. Then again, it is the remote network's prerogative to allow or disallow
 the traffic.
 
  For now, I'm trying to google around for what I might need to do in
  order that I can get traceroute to work for my *nix boxes here..,
 
 Good luck.
 

Thanks for the encouragement.., I've narrowed this down to the router I
purchased from Zen here.., I've basically turned off ipfw and I'm still
unable to even traceroute to the router itself..,

I've now emailed Zen tech support to see if they're gonna provide that
support they insisted they could only provide if I bought the router
from them - which I did.

Thanks again for taking the time.

Regards,

Stacey

  Thanks again for that..,
 
  Regards,
 
  Stacey
 
  -- 
  Stacey Roberts
  B.Sc (HONS) Computer Science
 
 --
 
 Micheal Patterson
 TSG Network Administration
 405-917-0600
 
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com




RE: Changed ISP now can't get to websites / traceroute

2003-07-07 Thread Stacey Roberts
Hi Edmund,

On Mon, 2003-07-07 at 23:01, Edmund Craske wrote:
 Argh! I'm always the last to put it down to the dreaded i word, but...
 INCOMPETENCE!
 

Err.., okay :-)

 That is all.
 Ed
 

Found out that MS Windows actually uses ICMP for traceroute, whereas
FreeBSD (et al) go with UDP. I've also turned off ipfw on one of the
FBSD boxes and I still can't even traceroute to the router!

So at the end.., I've resigned myself to emailing Zen on how they're
handling UDP ports 33434-33500 within their fabric.

I can't see anything else I can do here with respect to setting up the
FBSD boxes., if even with ipfw set to allow by default, I still can't
even traceroute the (Zen-purchased) router.

Regards,

Stacey

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Stacey Roberts
 Sent: 07 July 2003 22:45
 To: [EMAIL PROTECTED]
 Cc: freebsduk; FreeBSD Questions
 Subject: Re: Changed ISP now can't get to websites / traceroute
 
 
 Hello,
 
 On Mon, 2003-07-07 at 21:20, John Murphy wrote:
  Stacey Roberts [EMAIL PROTECTED] wrote:
  
  Well., that's the story they're feeding me now. Something to do with 
  the fact that it's a new range??
  
  Hmm.  Looking at the headers of your post you seem to have an address 
  in the previously bogus 82/8 range.  These were only made available to
  RIPE circa November 2002 and some operators have been slow to update 
  their ACLs.  My ISP has acquired a whole range of these and forced one
  on me, so I know what problems they can cause.
  
  Really pisses me off this.., I'm quite fond of the FreeBSDforums 
  site, one of the best *bsd-related forum sites I've come across.., 
  too.
  
  I can't get to http://www.freebsdforums.org/ either!
  
 
 Sorry but.., AT LAST!! I'm not going crazy.., and it might be that
 there's some sanity to what Zen is telling me?
 
  The temporary fix for me is to use the ISP's web-cache :(
  
 
 No such option for me :-(
 
  Here's a traceroute from here (in case it helps):
  
  traceroute to vail.edry.com (207.174.189.161), 64 hops max, 44 byte packets
   1  10.48.128.1 (10.48.128.1)  11.499 ms  14.670 ms  9.454 ms
   2  gsr01-tf.blueyonder.co.uk (62.31.176.161)  28.402 ms  9.319 ms  9.155 ms
   3  172.18.4.41 (172.18.4.41)  8.951 ms  18.224 ms  12.685 ms
   4  kno-rab-wol-pos.telewest.net (194.117.136.49)  23.042 ms  24.131 ms  40.047 ms
   5  tele2-kno-rab-pos.telewest.net (194.117.136.70)  18.752 ms  37.390 ms  28.197 ms
   6  zcr1-so-5-0-0.Londonlnt.cw.net (166.63.222.37)  50.513 ms  19.658 ms  19.770 ms
   7  dcr2-loopback.Chicago.cw.net (208.172.2.100)  119.590 ms  111.810 ms  116.965 ms
   8  agr4-so-6-0-0.Chicago.cw.net (208.175.10.158)  128.898 ms  138.911 ms  113.668 ms
   9  acr2.Denver.cw.net (208.172.162.62)  152.239 ms  162.933 ms  145.562 ms
  10  internap.Denver.cw.net (208.172.161.178)  155.267 ms  155.384 ms  160.362 ms
  11  border10.ge3-0-bbnet2.den.pnap.net (216.52.40.79)  155.735 ms  160.266 ms  158.363 ms
  12  coop-2.border10.den.pnap.net (216.52.42.118)  133.003 ms  134.785 ms  134.697 ms
  13  199.45.130.33 (199.45.130.33)  138.747 ms  147.327 ms  135.144 ms
  14  * border-to-141-netrack.boulder.co.coop.net (207.174.144.178)  139.951 ms !X *
  15  border-to-141-netrack.boulder.co.coop.net (207.174.144.178)  136.281 ms !X * *
  16  border-to-141-netrack.boulder.co.coop.net (207.174.144.178)  159.470 ms !X *  137.951 ms !X
 
 Note here that you don't appear to actually *get* to freebsdforums' IP:
 From nslookup for freebsdforums.org :
 Non-authoritative answer:
 Name:freebsdforums.org
 Address:  207.174.189.161
 
 I'm trying to force Zen to increase their efforts in doing whatever
 they're able to do for me, but it's a nightmare getting through to tech
 support to even begin that process.., 
 
 For now, I'm trying to google around for what I might need to do in
 order that I can get traceroute to work for my *nix boxes here.., 
 
 Thanks again for that..,
 
 Regards,
 
 Stacey
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com

