Blocking ICMP is so 2003.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



--------------------------------------------------
From: "John Thomas" <jtho...@quarnet.com>
Sent: Monday, December 21, 2009 11:57 PM
To: "WISPA General List" <wireless@wispa.org>
Subject: Re: [WISPA] public subnet

> A great article talking about why NOT to block ICMP
>
> http://www.linuxplanet.com/linuxplanet/tutorials/6524/1/
>
> From the article,
>
> In short, blocking ICMP is detrimental to the successful operation of
> networks. It will break more than just ping; in fact, many protocols
> will be neutered if ICMP isn't working.
>
> John
>
>
>
>
> RickG wrote:
>> Ya, and further proof it should work is that it works at my office on the
>> same tower. I can't blame their Cisco because I bypassed it with my laptop.
>> No proxy server. Everything goes through the RB450G. So, the only
>> differences are the WRAP on the tower and the CPE. I'll try the CPE next.
>> Will advise.
>>
>> BTW: I agree with you on ICMP. I usually make them allow that, if they want
>> my help :)
>>
>> Thanks! -RickG
>>
>> On Sun, Dec 20, 2009 at 12:06 AM, Jeromie Reeves <jree...@18-30chat.net> wrote:
>>
>>> Unless there is a rogue NAT statement someplace, I do not see anything
>>> specific that would be causing this (as described).
>>> What about a proxy server? Are all connections heading out the NAT IP
>>> or only HTTP?
>>>
>>>
>>> On Sat, Dec 19, 2009 at 4:40 AM, RickG <rgunder...@gmail.com> wrote:
>>>
>>>> The thing is they had a bridge from the other tower and it was working. The
>>>> only thing that's changed is the tower. RIP is on RB450G and WRAPs. Don't
>>>> know about Cisco as it is the customer's and I don't have control. They also
>>>> have ICMP turned off amongst other things. Should I still see it?
>>>>
>>> I would request that ICMP be allowed to your internal network at
>>> least. Personally, I control everything down to the ethernet
>>> port. Past that, it's their ball (but mostly I handle the LAN too).
>>>
>>>
>>>> Yes, NAT is being done from RB450G using 10.0.0.0/8.
>>>> Thanks! -RickG
>>>>
>>>> On Fri, Dec 18, 2009 at 9:08 PM, jree...@18-30chat.net <jree...@18-30chat.net> wrote:
>>>>
>>>>> Mmmm. Bridging CPE, make sure it's not proxy ARPing.
>>>>>
>>>>> Check your RIP, if it's turned on, on both the WRAP and Cisco, should be
>>>>> seen.
>>>>>
>>>>> Where is the IP that is doing NAT located, on the RB450? The only way I had
>>>>> that work correctly was to drop all chain rules and tell NAT to source
>>>>> 10.0.0.0/8 when going out dst interface. I have 2 routers at the core, one
>>>>> for BGP & etc. upstream, the other for NAT and in-building hand-off (couple
>>>>> LANs and wireless, then the BHs to the rest of the network + the hotspot).
>>>>>
>>>>>
>>>>> RickG wrote:
>>>>>
>>>>>> I agree but traceroutes run perfectly. Just to be clear, here is the setup:
>>>>>> Inet->RB450G(Firewall)->WRAP/StarOS->CPE->Customer Device (Cisco).
>>>>>> The subnet is 204.62.63.76/30.
>>>>>> RB450G has the subnet defined in the filter rules as chain forward.
>>>>>> The wireless interface on the WRAP has 204.62.63.77 assigned.
>>>>>> The CPE is in bridge mode so it's on a private IP.
>>>>>> The Cisco has 204.62.63.78 assigned to ether1.
>>>>>> All with a 255.255.255.252 subnet mask.
>>>>>> I tested with my laptop in place of the router.
>>>>>> One strange item I noticed. I'm running RIP and it does not see the WRAP
>>>>>> with 204.62.63.77 assigned.
>>>>>> Any other ideas?
>>>>>> -RickG
>>>>>>
>>>>>> On Fri, Dec 18, 2009 at 5:13 PM, jree...@18-30chat.net <jree...@18-30chat.net> wrote:
>>>>>>
>>>>>>> Routing or firewall setup issues. I pass a /24 and a /8 (NAT) across my
>>>>>>> entire network. I use one place of NAT (well, a few users still have
>>>>>>> in-house NAT). I would do traceroutes from and to the end IPs and see
>>>>>>> where things start to look wrong.
>>>>>>>
>>>>>>> RickG wrote:
>>>>>>>
>>>>>>>> OK, I've got a good one. I'm trying to pass public subnets to a couple of
>>>>>>>> customers. They worked before I switched them to a new, closer tower.
>>>>>>>> Basically, it will not show the public IP when checking at
>>>>>>>> whatismyip.com but rather my firewall IP. Obviously, I can get on the
>>>>>>>> net with the public IPs. What's weird is that it works at my office, which
>>>>>>>> is on the same tower although it is a different access point. However, the
>>>>>>>> APs are both WRAP/StarOS units. My AP is running 5GHz and the customer's is
>>>>>>>> running 2.4GHz. One other difference is that the customer's CPE is a NS2L
>>>>>>>> and mine is a NS5. I did try a Tranzeo CPQ as well. The only other
>>>>>>>> difference is that the customer is now only one hop from the firewall
>>>>>>>> versus two hops before.
>>>>>>>>
>>>>>>>> Any thoughts?
>>>>>>>>
>>>>>>>> -RickG
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>> --------------------------------------------------------------------------------
>>>
>>>>>>>> WISPA Wants You! Join today!
>>>>>>>> http://signup.wispa.org/
>>>>>>>>
>>>>>>>>
>>> --------------------------------------------------------------------------------
>>>
>>>>>>>> WISPA Wireless List: wireless@wispa.org
>>>>>>>>
>>>>>>>> Subscribe/Unsubscribe:
>>>>>>>> http://lists.wispa.org/mailman/listinfo/wireless
>>>>>>>>
>>>>>>>> Archives: http://lists.wispa.org/pipermail/wireless/
>>>>>>>>
> 
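
The suggestion quoted above, to scope source NAT to 10.0.0.0/8 so that the routed public /30 leaves untranslated, can be checked mechanically. This is an added example, not part of the original thread: the rule model, the interface name `wan` and the function names are hypothetical and simplified, not RouterOS syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SrcNatRule:
    """Simplified model of one source-NAT rule (hypothetical, not vendor syntax)."""
    out_interface: str
    src: Optional[str] = None  # None means the rule matches any source address

    def matches(self, src_ip: str, out_interface: str) -> bool:
        if out_interface != self.out_interface:
            return False
        if self.src is None:
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)


def is_translated(rules: List[SrcNatRule], src_ip: str, out_interface: str) -> bool:
    """True if any rule would rewrite the source of a packet leaving out_interface."""
    return any(r.matches(src_ip, out_interface) for r in rules)


def audit(rules: List[SrcNatRule], routed_public: List[str], out_interface: str) -> List[str]:
    """Return the routed public prefixes that have a host the rules would NAT."""
    leaked = []
    for prefix in routed_public:
        hosts = ipaddress.ip_network(prefix).hosts()
        if any(is_translated(rules, str(h), out_interface) for h in hosts):
            leaked.append(prefix)
    return leaked


WAN = "wan"                                   # constructed interface name
PUBLIC = ["204.62.63.76/30"]                  # the customer subnet from the thread
UNSCOPED = [SrcNatRule(out_interface=WAN)]    # NAT everything leaving the WAN port
SCOPED = [SrcNatRule(out_interface=WAN, src="10.0.0.0/8")]  # NAT only private space

if __name__ == "__main__":
    print("unscoped rule translates:", audit(UNSCOPED, PUBLIC, WAN))
    print("scoped rule translates:  ", audit(SCOPED, PUBLIC, WAN))
```

With the unscoped rule the customer's 204.62.63.78 is rewritten to the firewall address, which matches the whatismyip.com symptom described; with the rule scoped to 10.0.0.0/8 it is left alone.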

