SOLVED: Added LTE interface now ping and traceroute timeout

Hi,

I’ve added a 4G LTE USB to my router which I plan to use as a fail over.
Since doing so I’ve noticed that ping and traceroute now time out when run directly from the terminal; ping/trace works OK from PCs on the network.

Here’s the route list

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          120.148.AAA.BBB           1
 1  DS  0.0.0.0/0                          192.168.8.1               2
 2 ADC  10.0.10.0/24       10.0.10.1       vlan10_Guest              0
 3 ADC  10.0.20.0/24       10.0.20.1       vlan20_DNSProxy           0
 4 ADC  10.0.30.0/24       10.0.30.1       vlan30_Kids               0
 5 ADC  10.0.40.0/24       10.0.40.1       vlan40_CCTV               0
 6 ADC  120.148.AAA.0/17   120.148.AAA.BBB ether1-WAN                0
 7 ADC  192.168.8.0/24     192.168.8.100   lte1                      0
 8 ADC  192.168.100.0/24   192.168.100.254 bridge                    0

Sample traceroute

[admin@MikroTik] > tool traceroute www.google.com
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST STD-DEV STATUS                        
 1                                  100%    2 timeout                                                               
 2                                  100%    1 timeout                                                               
 3                                  100%    1 timeout                                                               
 4                                  100%    1 timeout                                                               
 5                                  100%    1 timeout

Any ideas what may be wrong?

Thanks

I’ve disabled the “LTE” interface, the route has disappeared, and I’m still having issues with ping/traceroute.
So it “may” not be related to the LTE device, any ideas?

Thanks!

Related to your primary:

0 ADS  0.0.0.0/0                          120.148.AAA.BBB           1
1  DS  0.0.0.0/0                          192.168.8.1               2

So the default route goes to your primary: “ADS” → Active

Thanks, but what would be the cause of the ping and traceroute failing?

Cheers

As PCs can ping, it’s not the network. Most likely local configuration.

So where should I be looking to fix the local configuration?
Thanks

firewall, routing, … list your config, maybe somebody will spot the issue: /export hide-sensitive compact

BTW, traceroute != ping; it uses a different protocol, so try an actual ping as well.
see https://en.wikipedia.org/wiki/Traceroute

Thanks, here’s the details.

# jan/30/2019 09:42:28 by RouterOS 6.43.8
# software id = UUZ2-Z8I4
#
# model = RouterBOARD 3011UiAS



Ping Results

[admin@MikroTik] > ping google.com
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                     
    0 172.217.25.46                                           timeout                                                                                    
    1 172.217.25.46                                           timeout                                                                                    
    2 172.217.25.46                                           timeout                                                                                    
    3 172.217.25.46                                           timeout                                                                                    
    4 172.217.25.46                                           timeout                                                                                    
    5 172.217.25.46                                           timeout                                                                                    
    6 172.217.25.46                                           timeout                                                                                    
    7 172.217.25.46                                           timeout                                                                                    
    8 172.217.25.46                                           timeout                                                                                    
    9 172.217.25.46                                           timeout                                                                                    
    sent=10 received=0 packet-loss=100%

My guess: the order of the following firewall rules is wrong:

add action=drop chain=input comment="Drop Ping from WAN" in-interface=ether1-WAN protocol=icmp
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related

The last one should be before the first one … ICMP echo reply is related to ICMP echo request … but the firewall is dropping those due to the general first rule.

As to the traceroute … it really depends on the implementation of a particular traceroute programme. But with any protocol other than ICMP (UDP, TCP) used to probe hops, it needs to receive an “ICMP TIME_EXCEEDED” reply from each router on the path. If you forbid all ICMP traffic, traceroute won’t receive any of those TIME_EXCEEDED replies. And ICMP TIME_EXCEEDED is probably not taken as related to whatever IP connection was tried/established, so reordering the above rules won’t help with traceroute.

It seems that the anti-ICMP frenzy doesn’t really help secure firewalls (hackers have plenty of other ways to find a target), but it does block a few essential internet functionalities.

BTW, default ROS firewall has

/ip firewall filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"

as third filter rule (after accepting established,related and dropping invalid).
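As an added example (not from the thread or from RouterOS itself), here is a small Python first-match evaluator that replays the three input-chain rules quoted above against constructed packets, comparing the OP’s order, the suggested order and the stock defconf order. The rule and order names, the packets and their connection states are assumptions of this example, modelled as noted in the comments.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                                 # "accept" or "drop"
    comment: str
    protocol: Optional[str] = None              # None matches any protocol
    in_interface: Optional[str] = None          # None matches any interface
    connection_state: frozenset = frozenset()   # empty set matches any state

    def matches(self, pkt: dict) -> bool:
        return ((self.protocol is None or pkt["protocol"] == self.protocol)
                and (self.in_interface is None or pkt["in_interface"] == self.in_interface)
                and (not self.connection_state or pkt["connection_state"] in self.connection_state))


def evaluate(rules, pkt: dict) -> str:
    """First matching rule decides. The quoted rules have no terminating catch-all,
    so a packet that matches nothing falls through to the chain default of accept."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "accept"


# The input-chain rules quoted in the thread (plus defconf's "drop invalid").
DROP_PING_WAN = Rule("drop", "Drop Ping from WAN", protocol="icmp", in_interface="ether1-WAN")
ACCEPT_ICMP = Rule("accept", "defconf: accept ICMP", protocol="icmp")
ACCEPT_EST_REL = Rule("accept", "defconf: accept established,related",
                      connection_state=frozenset({"established", "related"}))
DROP_INVALID = Rule("drop", "defconf: drop invalid", connection_state=frozenset({"invalid"}))

ORIGINAL_ORDER = [DROP_PING_WAN, ACCEPT_ICMP, ACCEPT_EST_REL]    # as the OP had it
SUGGESTED_ORDER = [ACCEPT_EST_REL, DROP_PING_WAN, ACCEPT_ICMP]   # established,related moved first
DEFAULT_ROS_ORDER = [ACCEPT_EST_REL, DROP_INVALID, ACCEPT_ICMP]  # stock defconf, no WAN ICMP drop

# Constructed packets arriving on ether1-WAN, addressed to the router itself. Connection
# tracking pairs an echo reply with the router's own outgoing request ("established"); the
# TIME_EXCEEDED reply is modelled as "new", following the assumption in the reply above.
PACKETS = {
    "echo-reply to router ping": {"protocol": "icmp", "in_interface": "ether1-WAN", "connection_state": "established"},
    "time-exceeded for traceroute": {"protocol": "icmp", "in_interface": "ether1-WAN", "connection_state": "new"},
    "unsolicited echo-request": {"protocol": "icmp", "in_interface": "ether1-WAN", "connection_state": "new"},
}


def verdicts(rules) -> dict:
    """Map each constructed packet to its verdict under the given rule order."""
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}
```

Under ORIGINAL_ORDER every ICMP packet from the WAN is dropped, including the router’s own echo replies; SUGGESTED_ORDER recovers ping while still dropping unsolicited echo requests, and only DEFAULT_ROS_ORDER lets the (modelled) TIME_EXCEEDED replies through.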

Thank you very much!!! That did the trick, ping and traceroute are now working correctly!