BGP & ICMP

Krisken · May 6, 2015, 8:43am

We do BGP with our uplink provider ISP (Belgacom), and we always see 2x “request timed out” in a traceroute. The first time it’s our ISP, but the second time it’s the routerboard.

So how can i set the routerboard so that it answer when we do a traceroute?

Traceroute to a server behind the routerboard

  1    <1 ms    <1 ms    <1 ms  192.168.255.1
  2    12 ms     8 ms     8 ms  d54c6b001.access.telenet.be [84.198.176.1]
  3    14 ms     8 ms    12 ms  dd5e0cc91.access.telenet.be [213.224.204.145]
  4    11 ms    13 ms    13 ms  dd5e0fa46.access.telenet.be [213.224.250.70]
  5    12 ms    14 ms    17 ms  skynet.bnix.net [194.53.172.81]
  6    16 ms    12 ms    18 ms  lag-26-1000.iprmar1.isp.belgacom.be [91.183.246.140]
  7    12 ms    13 ms    13 ms  175.246-183-91.adsl-static.isp.belgacom.be [91.183.246.175]
  8     *        *        *     Request timed out. <---- our ISP
  9     *        *        *     Request timed out. <---- Routerboard
 10    19 ms    19 ms    17 ms  speedtest01.lok.teleweb.network [185.77.198.151]

When we do a traceroute to the ip of the routerboard, it answers…

  1    <1 ms    <1 ms    <1 ms  192.168.255.1
  2     9 ms     9 ms    10 ms  d54c6b001.access.telenet.be [84.198.176.1]
  3    11 ms     9 ms    12 ms  dd5e0c891.access.telenet.be [213.224.200.145]
  4    10 ms     9 ms    13 ms  dd5e0fa46.access.telenet.be [213.224.250.70]
  5    14 ms    15 ms    12 ms  skynet.bnix.net [194.53.172.81]
  6    13 ms    12 ms    13 ms  lag-26-1000.iprmar1.isp.belgacom.be [91.183.246.140]
  7    11 ms    19 ms    28 ms  175.246-183-91.adsl-static.isp.belgacom.be [91.183.246.175]
  8     *        *        *     Request timed out. <---- our ISP
  9    22 ms    18 ms    13 ms  ge0-1-1.rt01.be-9160-01.as48260.net [185.77.198.1] <---- Routerboard

BartoszP · May 6, 2015, 8:47am

Do you have all DNS and revDNS records for your IP and your’s ISP ?
“*” usually means that DNS could not be resolved for pinged address. How it looks like when you do it with IPs only ?

Krisken · May 6, 2015, 8:52am

I do have DNS and rDNS on these IP’s.
The traceroutes you see are traceroutes directly to the ip’s (185.77.198.151 for the first traceroute, and 185.77.198.1 for the second)

StubArea51 · May 6, 2015, 1:21pm

If your DNS is solid, do you have any firewall rules that could be filtering ICMP?

Krisken · May 6, 2015, 1:37pm

There are (at this moment!) no firewall rules set.

roadracer96 · May 7, 2015, 12:35am

The ISP isn’t announcing the peering ips most likely.

Krisken · May 7, 2015, 10:30am

The Mikrotik is announcing the IP range

wildbill442 · May 7, 2015, 3:56pm

Can those hops be pinged individually from inside / outside your AS? Do you know the IP’s of those hops?

It sounds like something (ISP) is filtering ICMP on those hops, or like road racer indicated the subnet between you and the ISP isn’t announced, which, is independent from your announcement.

roadracer96 · May 8, 2015, 1:38am

I meant the ips between you and them. The /30 between you is peeled off of a latger subnet that they might not announce.

ZeroByte · May 8, 2015, 12:33pm

I wonder if the ISP is filtering ICMP unreachable messages from their own IP range.

Try doing the traceroute to the routerboard, but use its link IP address facing the ISP, and not the .1 from your own network range. If that also fails, the ISP is almost certainly filtering messages with sources from inside their address range.