I’ve been playing with a little lab network of Mikrotik routers and frequently ran traceroutes through this network. Every now and then I saw drops in my traceroutes like:
traceroute to dn.se (62.119.189.4), 64 hops max, 40 byte packets
1 10.0.0.1 0 ms * 0 ms
2 10.1.0.2 0 ms 0 ms 0 ms
3 10.3.0.1 1 ms 1 ms 1 ms
...
After a lot of googleing I found that this is rather common and is caused because the Linux kernel is ratelimiting the number of ICMP packets it sends. This is configured through the following proc values:
/proc/sys/net/ipv4/icmp_ratelimit
On my new Linux systems this value is set to 1000 which causes the same kind of problem as the Mikrotik routers do. Decreasing this value to 100 solves the problem for normal traceroute usage.
I know this feature is there to protect from DoS attacks, but having the ratelimit so strict that it affects normal day usage of traceroute reasonable I think.
So, my question is, how do I change this value on RouterOS so I can run a series of normal traceroutes through it without drops? I don’t want to have to explain to every user that start sending complaints about packet loss though our routers/firewalls where there are no problem.
This can easily be repeated by running a series of traceroutes which finish fast after each other, or by increasing the number of packets sent for each hop. Like with linux traceroute:
root@mathias-laptop:/home/mathias# traceroute -n -q 10 dn.se
traceroute to dn.se (62.119.189.4), 64 hops max, 40 byte packets
1 10.0.0.1 0 ms 0 ms 0 ms 0 ms 0 ms * 0 ms 0 ms 0 ms *
2 10.1.0.2 1 ms 0 ms 0 ms 0 ms 0 ms 0 ms 0 ms 0 ms 0 ms 0 ms
3 10.3.0.1 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms * 1 ms 1 ms 1 ms
4 10.4.0.2 1 ms 1 ms 1 ms 1 ms 1 ms 1 ms * 1 ms 1 ms 1 ms
...
That way you will get 1-2 drops per Mikrotik hop. Line 2 is a old Netscreen FW that does not seem to enforce this kind of ratelimiting.