netzwerghh
Frequent Visitor
Topic Author
Posts: 74
Joined: Sun Aug 07, 2011 4:23 pm
Location: Hamburg, DE

TTL exceeded ICMP reply should come from IP of interface the packet entered the router instead of leaving interface IP

Mon May 30, 2022 11:50 pm

I came across a strange issue when doing some traceroutes through, from and to our network. With multiple upstreams and BGP there is often asymmetric routing because my routing policy towards an external network might be different from the policy of that network towards me. This might lead to ICMP packets for traceroutes entering a router through ether1 and reaching their max TTL there, but the reply has to be sent through ether2 because that might be the best path back. In RouterOS 7.2.3 this leads to the behavior that the IP address of the reply is not the IP address of the interface the ICMP packet entered the router through but the IP address of the interface it leaves through. Sounds irrelevant, but that way I have interfaces in the traceroute the original packet never traveled through. This is at least confusing.

Example:
Because of a stupid routing policy, a host on the internet sends packets into our network through the provider connected to RTR01, but our routing policy says the IXP connected to RTR02 is the better path back. So packets to RTR03 will travel 203.0.113.2 -> 192.0.2.2 -> 192.0.2.6 and the replies will travel 192.0.2.6 -> 192.0.2.5 -> 198.51.100.xxx. So a traceroute from the internet should look like this:
  1     1 ms     2 ms    <1 ms  internet-host.someprovider.net [1.1.1.1]
  2     1 ms     2 ms    <1 ms  ether1.rtr01.mynetwork.net [203.0.113.2]
  3     1 ms     2 ms    <1 ms  ether1.rtr02.mynetwork.net [192.0.2.2]
  4     1 ms     2 ms    <1 ms  ether1.rtr03.mynetwork.net [192.0.2.6]
But the actual traceroute looks like this:
  1     1 ms     2 ms    <1 ms  internet-host.someprovider.net [1.1.1.1]
  2     1 ms     2 ms    <1 ms  ether2.rtr01.mynetwork.net [192.0.2.1]
  3     1 ms     2 ms    <1 ms  mynetwork.peers.ixp.net [198.51.100.1]
  4     1 ms     2 ms    <1 ms  ether1.rtr03.mynetwork.net [192.0.2.6]
Can this please be changed? Asymmetric traceroutes would be even more misleading if it stays the way it is now. This way it seems the packet leaves the network to the IXP while traveling through the network, which is not the case.
 
akw28888
just joined
Posts: 2
Joined: Mon Feb 17, 2020 5:39 am

Re: TTL exceeded ICMP reply should come from IP of interface the packet entered the router instead of leaving interface

Tue May 31, 2022 11:10 am

You can suggest that they enable icmp_errors_use_inbound_ifaddr in the kernel.

It can solve your issue.
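
The two source-selection behaviours discussed in this thread, modelled on the topology from the first post (an added example, not part of the original thread and not RouterOS or kernel code). The addresses come from the post; the /30 prefix lengths, the routing tables and the interface names "ether2" and "ixp" on RTR02 are assumptions.

```python
import ipaddress

PROBE_SRC = "1.1.1.1"  # internet host running the traceroute (from the post)

# Constructed model: addresses are from the post; prefix lengths, routing
# tables and the interface names "ether2"/"ixp" on rtr02 are assumptions.
ROUTERS = {
    "rtr01": {"addr": {"ether1": "203.0.113.2", "ether2": "192.0.2.1"},
              "routes": {"0.0.0.0/0": "ether2", "203.0.113.0/30": "ether1"}},
    "rtr02": {"addr": {"ether1": "192.0.2.2", "ether2": "192.0.2.5",
                       "ixp": "198.51.100.1"},
              "routes": {"0.0.0.0/0": "ixp", "192.0.2.0/30": "ether1",
                         "192.0.2.4/30": "ether2"}},
    "rtr03": {"addr": {"ether1": "192.0.2.6"},
              "routes": {"0.0.0.0/0": "ether1"}},
}
# Forward path of the probes: (router, interface the probe enters through).
FORWARD = [("rtr01", "ether1"), ("rtr02", "ether1"), ("rtr03", "ether1")]


def egress_iface(router, dst):
    """Longest-prefix-match lookup for the interface a reply to dst leaves by."""
    dst = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in ROUTERS[router]["routes"]]
    best = max((n for n in nets if dst in n), key=lambda n: n.prefixlen)
    return ROUTERS[router]["routes"][str(best)]


def icmp_reply_source(router, in_iface, use_inbound_ifaddr):
    """Source address the router puts on its ICMP reply to a probe."""
    iface = in_iface if use_inbound_ifaddr else egress_iface(router, PROBE_SRC)
    return ROUTERS[router]["addr"][iface]


def traceroute(use_inbound_ifaddr):
    """Addresses the internet host sees for hops 2..4 of the post's example."""
    return [icmp_reply_source(r, i, use_inbound_ifaddr) for r, i in FORWARD]


def misleading_hops(use_inbound_ifaddr):
    """Hop numbers that show an interface the probe never entered through."""
    seen = traceroute(use_inbound_ifaddr)
    return [hop for hop, ((r, i), addr) in enumerate(zip(FORWARD, seen), 2)
            if addr != ROUTERS[r]["addr"][i]]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"use_inbound_ifaddr={int(mode)}", traceroute(mode),
              "misleading hops:", misleading_hops(mode))
```

With the outbound-interface rule the model reproduces hops 2 to 4 of the "actual" traceroute in the first post; with the inbound-interface rule it reproduces the expected one.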
 
netzwerghh

Re: TTL exceeded ICMP reply should come from IP of interface the packet entered the router instead of leaving interface

Tue May 31, 2022 11:22 am

> You can suggest that they enable icmp_errors_use_inbound_ifaddr in the kernel.
>
> It can solve your issue.

That sounds like a good idea. Or let this at least be an option to be configured.
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: TTL exceeded ICMP reply should come from IP of interface the packet entered the router instead of leaving interface

Tue May 31, 2022 11:59 am

Not entirely clear whether the complaint is that ROSv7 operates differently than ROSv6, or just source selection in general?
Regarding the v6 and v7 difference: the behaviour is the same, the source will be picked from the out interface.
Regarding what the correct behaviour is: it depends. We will consider making this behaviour configurable.
 
netzwerghh

Re: TTL exceeded ICMP reply should come from IP of interface the packet entered the router instead of leaving interface

Tue May 31, 2022 1:45 pm

> Not entirely clear whether the complaint is that ROSv7 operates differently than ROSv6, or just source selection in general?
> Regarding the v6 and v7 difference: the behaviour is the same, the source will be picked from the out interface.
> Regarding what the correct behaviour is: it depends. We will consider making this behaviour configurable.

Hi mrz,

Thank you for your reply. If the behaviour is the same between 6 and 7 then I didn't realize it before. I would be fine if you add the possibility to configure the behaviour. As always, there might not be one correct behaviour. So being able to choose is always good :-)
