Equipment Support > Hardware By Brand > Efficient > How to make the 5200 pingable?

How to make the 5200 pingable?

5200 Router or 5200 Bridge unit?

Regards,

Doctor Olds

5200 Router...the router guide off of Efficient's site wasn't too helpful to me either

Re: How to make the 5200 pingable?

Good find (I missed that one). It's newer than the one I posted. Thank you.

Back to your question, I'd say the firewall needs to be set to Low and try that first.

This link to the manual »kb.efficient.com/article.asp?art···31&p=351 works all the time if you don't have a session cookie from the Efficient KB already.

Regards,

Doctor Olds
--
Starfire is The Future Now! Clarke's Third Law: "Any sufficiently advanced technology is indistinguishable from magic."
[text was edited by author 2003-05-29 04:05:26]

Well, the firewall has been on low (it's default setting) and I've even turned the firewall off completely and still no difference...maybe I'll try playing around with custom filters later on.

Same negative result (so far) here with the 5200 Router not being pingable and Tracert (Trace Route) is broken too (just like the 5660).

Regards,

Doctor Olds

reply to buggage
Well i found a web site that show how to make the tracert and ping works fine on 5200 routers. Te site is in brazilian portuguese, but its easy to figure out what to do. The url is »www.5200router.kit.net/tracert.htm

regards..

Web site doesn't seem to be working...

Hi, I am from Brazil. And some countries are not allowed to conect to this service provider "kit.net" where this related website is hosted. Try to use the anonymizer.com before connecting to the site.

Still doesn't work since the page is BLOCKED at »anonymizer.com. I even tried »www.guardster.com and the page is not responding to request there either.

Regards,

Doctor Olds
--
Starfire is The Future Now! Clarke's Third Law: "Any sufficiently advanced technology is indistinguishable from magic."
[text was edited by author 2003-07-10 12:30:19]

reply to buggage
Do a search on google for proxy .br

I managed to find a proxy from brazil and was able to connect to the webpage.

You can also try this proxy: 200.171.33.245:8080

reply to Doctor Olds
I know that you cannot open that site if you are out of Brazil, so probably anonymizer.com also has trouble connecting there.

Anyway, their solution is:

1) Keep Firewall setting at "Low"
2) Create a Port Forwarding rule to forward all ICMP traffic back to your computer:
- Open the router admin interface in your browser, go to Setup/Port Forwarding
- In the Add/Edit Entry area, select ICMP in the "Select Protocol" combo box, select "Redirect selected protocol/service to IP Address" and enter the (reserved) IP address of your computer
- Click Apply

This is know ot work for ICMP packets in traceroutes and should work for pings too. Anyway, I consider this to be a rather insecure solution, because the 5200 will simply send all ICMP packets to your computer and there is a chance that someone can play a DOS attack against you using ICMP host/net unreachable packets (yes, I'm a bit paranoid).
A better solution would require changing the firewall mode to "Custom" and create a specific rule to allow only the desired ICMP packets t ocome in, such as echo request/echo reply (used in ping) and time exceeded (used in traceroute). If I have some extra time in the weekend I can try to figure out a solution like this and post the results.

Regards,
--
Major Grubert

After a few hours of testing, I found a more secure way to let a 5200 router answer to pings from the outside. This is a report of how I did it. I can't be sure it will work for everybody, YMMV, so read all the instructions and proceed with care.

First of all, my 5200 is a 060-E240-01X model with bridge/router firmware. It's working as a router, with a PPPoE connection, dynamic IP address and NAPT. The following setup is working for the speed and line quality tests in this site and also for traceroute. It involves changing the default firewall mode fo the router and I am not sure that it won't prevent any other program from running, such as IM clients that rely on inbound datagrams. I did not perform extensive tests with such programs.

It is also worth mentioning that this configuration is entirely based on tests I made with the Line Quality tests at this site. I did not have access to other computers in order to generate pings or any other kind of traffic for testing. Anyway, I am very happy with the results.

From all my tests, I believe that it is not possible to configure the 5200 to answer pings by itself when doing NAPT. It seems to work in a different way from all the routers I've used before, so the only solution I found involves using a port forwarding rule to send inbound ICMP traffic to a computer behind the router. Since this can be seen as a security problem (read my earlier post), I added a custom filter to block all types of ICMP packets except Echo Request, Echo Reply and Time Exceeded. The first and second ones are used in pings, the last one is returned by routers when you do a traceroute.

Now, the good stuff, step by step:
1) Go to the Setup/Firewall/Level page of the router interface and set the Firewall Level to "Custom".
2) Go to Setup/Firewall/IP Filter Rules page and create a new rule with the following parameters:
- Rule no: 100
- Access: Deny
- Direction: Inbound
- (optional) Select "Create a log entry..."
- Source:
- Network interface: any WAN Interface
- Any IP address
- Destination:
- Network interface: any WAN Interface
- Any IP address
- Protocol Definition: Select by name: ICMP
- ICMP Options: select all *except* Echo Request, Echo Reply and Time Exceeded
Click Apply to create the rule.
3) Go to the Setup/Port Forwarding page and add an entry:
- Select Protocol: ICMP
- Redirect select protocol/service to IP address: enter the internal IP address of your computer
Click Apply to add the entry.
4) Go back to Setup/Firewall/IP Filter Rules page and check that a fifth rule was added. This rule will permit ICMP traffic to your computer and it should be marked as "P,E,N". It is created by the port forwarding entry and cannot be edited in this page.

Now test the new setup. The rule created in step (2) will only let pings requests and traceroute answers to reach your internal network, and the port forwarding rule will provide the address translation through NAPT, in order to make your computer answer to those packets.

A few extra comments: remember that your computer will answer the pings and not the router, so if you want the Line Monitor test to work you have to keep your computer on. Also note that this IP filter rule may prevent some valid ICMP packets from reaching your computer. The most important ones would be Unreachable packets, used form other routers and firewalls to notify that a certain computer you want to connect to or an entire network cannot be reached.

Regards,
--
Major Grubert

reply to buggage
His way is a little bit easier, it's just a "Port Forward".
»www.abusar.org/manuais/5200/tracert.html
No kit.net anymore
It's worth taking a look at the rest of this how-to. Maybe you can use some kind of translator.
»www.abusar.org/manuais/5200/ this is the root of the tutorial
The guy told me that he may write that in English some day.

Thank you.

reply to buggage
Thereis another way to allow pings without forcing your puter to be on all the time..

Install a CHEAP DUMMY router on the network. Set it's IP to static. It'll always respond although If someone crashes it you can just reboot it.

It won't hurt to have the router on all the time. just make sure only ICMP packets can get sent to it. It's also wise to add those deny rules

reply to buggage
I wish someione would make this sticky it is VERY USEFUL...

I won't be making it sticky, but if enough people voted the thread up, would consider adding it to the links at the top of the forum.