ping works, traceroute not

mutluit · February 4, 2025, 4:58pm

Hi,
on my MikroTik LTE6 router device ( https://mikrotik.com/product/hap_ax_lite_lte6 ) the following error with traceroute happens.
I’ve also disabled all firewall rules (except the built-in 0th rule) and it still does not work.
This cannot be a provider issue as on the other router (non-MT) which connects to the same WISP, traceroute just works fine.
Any ideas how to fix this problem? :

[userX@MikroTik] /ip/firewall/filter> /ping 8.8.8.8                     
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                    
    0 8.8.8.8                                    56 112 47ms987us 
    1 8.8.8.8                                    56 112 47ms879us 
    2 8.8.8.8                                    56 112 46ms946us 
    3 8.8.8.8                                    56 112 36ms913us 
    4 8.8.8.8                                    56 112 37ms265us 
    sent=5 received=5 packet-loss=0% min-rtt=36ms913us avg-rtt=43ms398us max-rtt=47ms987us 

[userX@MikroTik] /ip/firewall/filter> /tool/traceroute 8.8.8.8     
Columns: LOSS, SENT, LAST
#  LOSS  SENT  LAST   
1  100%     1  timeout
2  100%     1  timeout
3  100%     1  timeout
4  100%     1  timeout
5  100%     1  timeout
6  100%     1  timeout
7  100%     1  timeout
8  0%       1  0ms    

[userX@MikroTik] /ip/firewall/filter> /system/routerboard/print 
       routerboard: yes
        board-name: hAP ax lite LTE6
             model: L41G-2axD&FG621-EA
     serial-number: XXX
     firmware-type: ipq5000
  factory-firmware: 7.15.2
  current-firmware: 7.15.2
  upgrade-firmware: 7.16.1

infabo · February 4, 2025, 5:04pm

your ISP maybe filters ICMP replies. your firewall filter does not have any drop rules on input chain i assume right?

/ip/firewall/filter/export

mutluit · February 4, 2025, 5:13pm

As said, I’ve disabled all firewall rules and it still does not work:

[userX@MikroTik] /ip/firewall/filter> disable 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
[userX@MikroTik] /ip/firewall/filter> export
# 2025-02-04 12:41:03 by RouterOS 7.16.1
# software id = Y028-72I4
#
# model = L41G-2axD&FG621-EA
# serial number = XXX
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=accept chain=output disabled=yes protocol=icmp
add action=accept chain=output disabled=yes icmp-options=11:0-255 protocol=icmp
add action=accept chain=forward disabled=yes protocol=icmp
add action=accept chain=forward disabled=yes icmp-options=11:0-255 protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input disabled=yes src-address-list=block
add action=drop chain=output disabled=yes dst-address-list=block
add action=drop chain=forward disabled=yes src-address-list=block
add action=drop chain=forward disabled=yes dst-address-list=block

[userX@MikroTik] /ip/firewall/filter> /ping 8.8.8.8
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                    
    0 8.8.8.8                                    56 112 47ms340us
    1 8.8.8.8                                    56 112 47ms992us
    2 8.8.8.8                                    56 112 46ms648us
    3 8.8.8.8                                    56 112 47ms433us
    sent=4 received=4 packet-loss=0% min-rtt=46ms648us avg-rtt=47ms353us max-rtt=47ms992us

[userX@MikroTik] /ip/firewall/filter> /tool/traceroute 8.8.8.8
Columns: LOSS, SENT, LAST
#  LOSS  SENT  LAST
1  100%     1  timeout
2  100%     1  timeout
3  100%     1  timeout
4  100%     1  timeout
5  100%     1  timeout
6  100%     1  timeout
7  100%     1  timeout
8  0%       1  0ms

wispmikrotik · February 4, 2025, 5:26pm

Hi,

Try /tool/traceroute protocol=icmp 8.8.8.8

Regards,

mutluit · February 4, 2025, 5:30pm

With disabled firewall rules, as before:

[userX@MikroTik] /ip/firewall/filter> /tool/traceroute protocol=icmp 8.8.8.8
Columns: LOSS, SENT, LAST
#  LOSS  SENT  LAST   
1  100%     1  timeout
2  100%     1  timeout
3  100%     1  timeout
4  100%     1  timeout
5  100%     1  timeout
6  0%       1  0ms

wispmikrotik · February 4, 2025, 5:34pm

Hi,

Try protocol=udp

Can you test the LAN ip with src-addres? both ping and traceroute?

/ping 8.8.8.8 src-address=<IP_LAN>
/tool/traceroute scr-address=<IP_LAN> 8.8.8.8

Regards,

mutluit · February 4, 2025, 5:42pm

ping works with all IPs, LAN and WAN.
traceroute works only with icmp (not udp) and in LAN, but not WAN :

[userX@MikroTik] /ip/firewall/filter> /ping 192.168.88.9                         
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                    
    0 192.168.88.9                               56  64 567us     
    1 192.168.88.9                               56  64 474us     
    2 192.168.88.9                               56  64 450us     
    3 192.168.88.9                               56  64 562us     
    sent=4 received=4 packet-loss=0% min-rtt=450us avg-rtt=513us max-rtt=567us 

[userX@MikroTik] /ip/firewall/filter> /tool/traceroute protocol=icmp 192.168.88.9
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
#  ADDRESS       LOSS  SENT  LAST   AVG  BEST  WORST  STD-DEV
1  192.168.88.9  0%       9  0.4ms  0.5  0.4   0.5          0

[userX@MikroTik] /ip/firewall/filter> /tool/traceroute protocol=udp 192.168.88.9    
Columns: LOSS, SENT, LAST
#  LOSS  SENT  LAST   
1  100%     1  timeout
2  100%     1  timeout
3  100%     1  timeout
4  100%     1  timeout
5  0%       1  0ms    

[userX@MikroTik] /ip/firewall/filter> /ping 8.8.8.8 src-address=192.168.88.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                    
    0 8.8.8.8                                    56 112 47ms566us 
    1 8.8.8.8                                    56 112 36ms980us 
    2 8.8.8.8                                    56 112 36ms823us 
    3 8.8.8.8                                    56 112 45ms194us 
    4 8.8.8.8                                    56 112 38ms506us 
    5 8.8.8.8                                    56 112 37ms138us 
    sent=6 received=6 packet-loss=0% min-rtt=36ms823us avg-rtt=40ms367us max-rtt=47ms566us 

[userX@MikroTik] /ip/firewall/filter> /tool/traceroute src-address=192.168.88.1  8.8.8.8
Columns: LOSS, SENT, LAST
#  LOSS  SENT  LAST   
1  100%     1  timeout
2  100%     1  timeout
3  100%     1  timeout
4  100%     1  timeout
5  0%       1  0ms    

[userX@MikroTik] /ip/firewall/filter> /tool/traceroute src-address=192.168.88.1  192.168.88.9        
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
#  ADDRESS       LOSS  SENT  LAST   AVG  BEST  WORST  STD-DEV
1  192.168.88.9  0%       9  0.5ms  0.5  0.4   0.5          0

WeWiNet · February 4, 2025, 6:09pm

If traceroute does work from a connected device (forward chain), but not from the router itself (input/output chain), is should be a problem with mangle or firewall rules.

If that is really not the issue, maybe try to increase the TTL on traceroute packets coming through on forward chain to see if then the client traceroute gets also blocked by the carrier…

mutluit · February 4, 2025, 6:25pm

On PC (Debian Linux) traceroute testing works “halfways”.
It goes thru the same above MT router :

# traceroute -4 -I  8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  router.lan (192.168.88.1)  0.366 ms  0.418 ms  0.408 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  dns.google (8.8.8.8)  47.214 ms  47.207 ms  35.701 ms

Is maybe a surveillance/spying tool of $BIGBROTHER disturbing the traffic?..

mutluit · February 4, 2025, 6:42pm

You are right, starting with a high TTL solves the problem! At least on the attached devices (ie. PCs).
The param “-f 25” of traceroute does the trick:

# man traceroute
       -f first_ttl, --first=first_ttl
              Specifies with what TTL to start. Defaults to 1.

# traceroute -4 -I -f 25   8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
25  dns.google (8.8.8.8)  46.944 ms * *

But the above solution lacks the displying of the gateway (which is equally important for my use-case).
So then the “halfway” solution using the default -f 1 is still better, IMO:

# traceroute -4 -I   8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  router.lan (192.168.88.1)  0.348 ms  0.347 ms  0.629 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  dns.google (8.8.8.8)  49.302 ms  49.295 ms  35.928 ms

CGGXANNX · February 5, 2025, 12:29am

Did you, by chance, apply similar TTL mangle workaround for LTE like this?

https://help.mikrotik.com/docs/spaces/ROS/pages/30146563/LTE#LTE-Avoidingtetheringspeedthrottling

If yes, then it will interfere with traceroute.

But it rather looks like to me that your ISP is simply blocking ICMP TTL time exceeded packets.

mutluit · February 7, 2025, 7:54pm

Nope, I’ve just the default settings there, as shown below.
As already said, these two SIM cards are from the same wireless ISP.
When going over the MikroTik router that said traceroute/lft error occurs, but not when going over the other router (Non-MT).

[userX@MikroTik] /ip/firewall/mangle> print          
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 

[userX@MikroTik] /ipv6/firewall/mangle> print 
Flags: X - disabled, I - invalid; D - dynamic