Blocking ICMP is so 2003.
-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
--
From: "John Thomas"
Sent: Monday, December 21, 2009 11:57 PM
To: "WISPA General List"
Subject: Re: [WISPA] public subne
Thank you!
I'll pass this on to the next security paranoid IT guy that thinks the
Taliban is gonna take down his servers if he enables ICMP!
-RickG
On Tue, Dec 22, 2009 at 12:57 AM, John Thomas wrote:
> A great article talking about why NOT to block ICMP
>
> http://www.linuxplanet.com/linuxplane
A great article talking about why NOT to block ICMP
http://www.linuxplanet.com/linuxplanet/tutorials/6524/1/
From the article,
In short, blocking ICMP is detrimental to the successful operation of
networks. It will break more than just ping; in fact, many protocols
will be neutered if ICMP is
Just a short update. I switched the customer along with their public IP over
to the same wrap my office is on and it works perfectly. This also involved
switching their from the bullet2 to a ns5. It's difficult to blame the CPE so
I'm thinking something strange with the other wrap setup. -rickg
On
Yes, the WRAPs are in the 10.0.0.0/8. However, I don't have the WRAPs defined
in NAT. The "working" WRAP I'm off of at my office is using the public IP.
I'll have to FTP test the "non-working" WRAP at the customer site to see. As
I said, the net does work using the public IP from their location. I l
Mmmm, the Wrap, is its private IP in the 10.0.0.0/8 ? Can you look
up in the RB's NAT table and see what the source IP is?
FTP out to the world, is it using the NAT IP or the correct public IP
? I wonder if Proxy ARP isn't biting you.
On Sat, Dec 19, 2009 at 10:19 PM, RickG wrote:
> Ya, and fur
Ya, and further proof it should work is that it works at my office on the
same tower. I can't blame their Cisco because I bypassed it with my laptop.
No proxy server. Everything goes through the RB450G. So, the only
differences are the WRAP on the tower and the CPE. I'll try the CPE next.
Will advis
Unless there is a rogue NAT statement someplace, I do not see anything
specific that would be causing this (as described)
What about a proxy server ? Are all connections heading out the NAT IP
or only HTTP?
On Sat, Dec 19, 2009 at 4:40 AM, RickG wrote:
> The thing is they had a bridge from the o
The thing is they had a bridge from the other tower and it was working. The
only thing that's changed is the tower. RIP is on RB450G and WRAPs. Don't
know about Cisco as it is the customer's and I don't have control. They also
have ICMP turned off amongst other things. Should I still see it?
Yes, NAT
Mmmm. Bridging CPE, make sure it's not proxy ARPing.
Check your RIP, if it's turned on, on both the WRAP and Cisco, should be seen.
Where is the IP that is doing NAT located, on the RB450? The only way I had that
work correctly was to drop all chain rules and tell NAT to source 10.0.0.0/8
when goin
I agree but traceroutes run perfectly. Just to be clear, here is the setup:
Inet->RB450G(Firewall)->WRAP/StarOS->CPE->Customer Device (Cisco).
The subnet is 204.62.63.76/30.
RB450G has the subnet defined in the filter rules as chain forward.
The wireless interface on the WRAP has 204.62.63.77 assig
Routing or firewall setup issues. I pass a /24 and a /8 (NAT) across my entire
network. I use one place of NAT (well a few users still have in house NAT) I
would do traceroutes from and to the end IPs and see where things start to look
wrong.
RickG wrote:
> OK, I've got a good one. I’m trying to p