Solved

Pinging WAN IP address results in "TTL expired in transit"

Posted on 2014-09-05
4
1,159 Views
Last Modified: 2014-09-13
My ISP provides a VDSL internet service and I'm using a modem that is configured to be in "bridge" mode. I recently signed up to have a block of static IP addresses with my ISP. They gave me a /30 block, let's call it xxx.xxx.xxx.240/30. So I have these IP addresses I can work with:

   xxx.xxx.xxx.240
   xxx.xxx.xxx.241
   xxx.xxx.xxx.242
   xxx.xxx.xxx.243

I'm using pfSense 2.0 as my router. I have a WAN interface configured as a PPPoE interface. It gets the xxx.xxx.xxx.240 IP address dynamically. I then configured three "Virtual IPs" in the Firewall section for the other three IP addresses xxx.xxx.xxx.241, xxx.xxx.xxx.242 and xxx.xxx.xxx.243.

So far, everything works. I tested out a few NAT rules, and tested NAT reflection, everything works great!

I wanted to allow pinging the address, so I added a rule to the firewall to allow pinging from the outside world to the WAN IP address (xxx.xxx.xxx.240). Under Firewall->Rules->WAN Tab, I added a rule to allow "ICMP echoreq" from Source: *, to Destination: WAN Address.

Applied this rule, and I can now ping xxx.xxx.xxx.240, no problems!

So, I added another rule to the firewall to allow pinging xxx.xxx.xxx.241. I thought it would work the same as the first IP address.

Unfortunately, this doesn't work. When I ping that address, I get "TTL expired in transit".

So I tried running a tracert from a computer outside of my network. This is the result:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.

...

  6    25 ms    26 ms    23 ms  core1.nyc4.he.net [198.32.118.57]
  7    32 ms    23 ms    23 ms  100ge9-1.core1.tor1.he.net [184.105.80.10]
  8    21 ms    23 ms    24 ms  connex-internet-services-inc.10gigabitethernet3-1.core1.tor1.he.net [209.51.161.222]
  9   133 ms   112 ms    71 ms  206.53.61.227
 10    29 ms    29 ms    29 ms  240.xxx.xxx.xxx.myispnamewashere.ca [xxx.xxx.xxx.240]
 11    30 ms    30 ms    33 ms  206.53.61.227
 12    34 ms    34 ms    35 ms  240.xxx.xxx.xxx.myispnamewashere.ca [xxx.xxx.xxx.240]
 13    36 ms    47 ms    34 ms  206.53.61.227
 14    44 ms    40 ms    41 ms  240.xxx.xxx.xxx.myispnamewashere.ca [xxx.xxx.xxx.240]
 15    41 ms    41 ms    41 ms  206.53.61.227
 16    47 ms    56 ms    47 ms  240.xxx.xxx.xxx.myispnamewashere.ca [xxx.xxx.xxx.240]
 17    46 ms    47 ms    47 ms  206.53.61.227
 18    52 ms    52 ms    53 ms  240.xxx.xxx.xxx.myispnamewashere.ca [xxx.xxx.xxx.240]
 19    53 ms    54 ms    55 ms  206.53.61.227
 20    64 ms    62 ms    61 ms  240.xxx.xxx.xxx.myispnamewashere.ca [xxx.xxx.xxx.240]
 21    61 ms    59 ms    60 ms  206.53.61.227
 22    65 ms    64 ms    66 ms  240.xxx.xxx.xxx.myispnamewashere.ca [xxx.xxx.xxx.240]
 23    67 ms    66 ms    65 ms  206.53.61.227
 24    73 ms    71 ms    71 ms  240.xxx.xxx.xxx.myispnamewashere.ca [xxx.xxx.xxx.240]
 25    73 ms    78 ms    73 ms  ^C


So.... it's hitting my .240 address, and looping around somehow. Does anyone know what's going on?
0
Question by:Frosty555
4 Comments
 
LVL 3

Expert Comment

by:ebad-it
Hi,

Sounds to me you don't have a static route to those other segments. I'll look at my router tomorrow and see what I did for mine.

Good Luck!
0
 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 500 total points
I'm surprised that you were able to add the 2 addresses on the firewall. More surprised that you were able to assign .240 address with a /30 notation on an interface.
From your statement above, you have x.x.x.240 /30 address meaning Your network ID is x.x.x.240 and your broadcast address is x.x.x.243. The only available addresses to use are x.x.x.241 and 242. I'm curious to find out what your gateway on the ISP side is.

/30 addresses are point-to-point links.

Something is not adding up.

Well, with that mystery aside, you should check your route statements. The issue is on 240.x.x.x because that's where the route loop started from. Check that the default gateway (default route) is not 0.0.0.0 0.0.0.0 206.56.61.227 (that's what it seems like to me).
TTL decreases as it hits a routable interface (decrements by 1). The two routers are bouncing traffic between themselves and the TTL eventually becomes 0 and the traffic stops. Without TTL, the madness would go on forever.

Again, check the route statements or route map on the 240.x.x.x router. That's where the problem is.
0
 
LVL 31

Author Comment

by:Frosty555
Akinsd,

Yeah, I agree with you - they advertised it as 2x static IP addresses, they said it was a /30 block, customer support suggested that the available addresses should be .241 and .242, and yet when I got the invoice it has a line item titled "4 IPs (/30 subnet) $5/month", the PPPoE interface in pfSense gets the .240 address as its first address, and I can do NAT on all four IPs, .240, .241, .242 and .243 without any difficulty. The customer service for my ISP is pretty weak, so you have to take everything they say with a grain of salt.

So you're right, something doesn't add up, and my guess is that what the ISP is calling a "/30" block is referring to something different than what you and I are used to.

And indeed, the gateway on the ISP side, as provided by the PPPoE interface, is 206.53.61.227, Subnet mask is 255.255.255.255. The first three stanzas of that IP address are significantly different from the static IPs that have been assigned to me.

Okay so you put me on the right path, I checked in Diagnostics->Routes and I could see that only the .240 address was listed in the routing table. Meaning my pfSense router was sending packets destined for xxx.xxx.xxx.241 right back out to the ISP's gateway, who sent the packets right back to me, and they went back and forth until the TTL expired.

I went back into the Virtual IP Address section, and almost by accident, I set the "Interface" to be "LAN" instead of WAN.

After I did that, I was able to ping the address properly, and the NAT is still working.

That seems weird to me. I thought the interface for this virtual IP ought to be WAN. Does that sound right to you?
0
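As an added diagnostic example (not code from this thread or from pfSense), the Python below applies the two checks the thread walks through: it parses a tracert listing like the one in the question and flags the alternating gateway/.240 pattern as a forwarding loop, and it scans a pfSense `netstat -rn` listing (what Diagnostics->Routes shows) for virtual IPs that have no host route of their own and would therefore follow the default route back to the ISP. The tracert text, the netstat excerpt and the 203.0.113.240/30 addresses are constructed; 206.53.61.227 is the gateway quoted in the thread.

```python
import re

# Constructed sample modelled on the question's tracert (ISP block shown as 203.0.113.240/30).
TRACERT = """\
  9   133 ms   112 ms    71 ms  206.53.61.227
 10    29 ms    29 ms    29 ms  240.113.0.203.example.ca [203.0.113.240]
 11    30 ms    30 ms    33 ms  206.53.61.227
 12    34 ms    34 ms    35 ms  240.113.0.203.example.ca [203.0.113.240]
 13    36 ms    47 ms    34 ms  206.53.61.227
 14    44 ms    40 ms    41 ms  240.113.0.203.example.ca [203.0.113.240]
"""

# Constructed pfSense (FreeBSD) `netstat -rn` excerpt: only the PPPoE address has a host route.
NETSTAT = """\
Destination        Gateway            Flags    Netif
default            206.53.61.227      UGS      pppoe0
203.0.113.240      link#7             UHS      lo0
"""

# One tracert hop: hop number, three RTT columns (or *), then "name [ip]" or a bare ip.
HOP_RE = re.compile(
    r"^\s*(\d+)(?:\s+(?:<?\d+ ms|\*)){3}\s+(?:.*\[(\S+)\]|(\d+(?:\.\d+){3}))\s*$")


def parse_hops(text):
    """Return [(hop_number, responder_ip)] for the hops that answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2) or m.group(3)))
    return hops


def find_loop(hops, min_cycles=2):
    """Return (a, b) when the path alternates a, b, a, b ... (a forwarding loop), else None."""
    ips = [ip for _, ip in hops]
    for i in range(len(ips) - 2 * min_cycles + 1):
        win = ips[i:i + 2 * min_cycles]
        if win[0] != win[1] and all(win[k] == win[k % 2] for k in range(len(win))):
            return win[0], win[1]
    return None


def vips_without_host_route(netstat_text, vips):
    """List the virtual IPs with no host route (flag H); those follow the default route."""
    local = set()
    for line in netstat_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3 and "H" in fields[2]:
            local.add(fields[0])
    return [ip for ip in vips if ip not in local]
```

Running `find_loop(parse_hops(TRACERT))` on the constructed listing returns the gateway/.240 pair, and `vips_without_host_route(NETSTAT, [...])` names .241 through .243 as the addresses with no local route, which is the state the author found before changing the Virtual IP settings.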
 
LVL 18

Accepted Solution

by:
Akinsd earned 500 total points
You may be able to configure NAT on the four IPs, but only 1 of them is beneficial to you.
240 is your network identifier and 243 is your broadcast address. Neither of these can be configured on a host. They are valid IPs, but they assume specific roles.
I understand the ISP billing for 4 addresses. 240 and 243 are still IP addresses. 241 is on your interface, which most likely connects to a modem on .242. Those account for your 4 addresses, but the only one you can NAT to is the 241 in overload mode.

Your connection to the ISP is technically a WAN connection but in reality, it is a LAN. Your router is connecting to a modem which connects to the ISP. Meaning your direct connection to the modem is a LAN.

WANs are generally used on Serial Ports connecting to ATM, Frame Relay, MPLS etc. You are not directly connected to those, therefore, your connection is a LAN.

I hope that helps.
0
