MajorGrubert
join: 2003-07-08, Brazil
Re: How to make the 5200 pingable?
After a few hours of testing, I found a more secure way to let a 5200 router answer to pings from the outside. This is a report of how I did it. I can't be sure it will work for everybody, YMMV, so read all the instructions and proceed with care.
First of all, my 5200 is a 060-E240-01X model with bridge/router firmware. It's working as a router, with a PPPoE connection, dynamic IP address and NAPT. The following setup is working for the speed and line quality tests on this site and also for traceroute. It involves changing the default firewall mode of the router and I am not sure that it won't prevent any other program from running, such as IM clients that rely on inbound datagrams. I did not perform extensive tests with such programs.
It is also worth mentioning that this configuration is entirely based on tests I made with the Line Quality tests at this site. I did not have access to other computers in order to generate pings or any other kind of traffic for testing. Anyway, I am very happy with the results.
From all my tests, I believe that it is not possible to configure the 5200 to answer pings by itself when doing NAPT. It seems to work in a different way from all the routers I've used before, so the only solution I found involves using a port forwarding rule to send inbound ICMP traffic to a computer behind the router. Since this can be seen as a security problem (read my earlier post), I added a custom filter to block all types of ICMP packets except Echo Request, Echo Reply and Time Exceeded. The first and second ones are used in pings, the last one is returned by routers when you do a traceroute.
Now, the good stuff, step by step:

1) Go to the Setup/Firewall/Level page of the router interface and set the Firewall Level to "Custom".

2) Go to the Setup/Firewall/IP Filter Rules page and create a new rule with the following parameters:
   - Rule no: 100
   - Access: Deny
   - Direction: Inbound
   - (optional) Select "Create a log entry..."
   - Source:
     - Network interface: any WAN Interface
     - Any IP address
   - Destination:
     - Network interface: any WAN Interface
     - Any IP address
   - Protocol Definition: Select by name: ICMP
   - ICMP Options: select all *except* Echo Request, Echo Reply and Time Exceeded
   Click Apply to create the rule.

3) Go to the Setup/Port Forwarding page and add an entry:
   - Select Protocol: ICMP
   - Redirect select protocol/service to IP address: enter the internal IP address of your computer
   Click Apply to add the entry.

4) Go back to the Setup/Firewall/IP Filter Rules page and check that a fifth rule was added. This rule will permit ICMP traffic to your computer and it should be marked as "P,E,N". It is created by the port forwarding entry and cannot be edited in this page.
Now test the new setup. The rule created in step (2) will only let ping requests and traceroute answers reach your internal network, and the port forwarding rule will provide the address translation through NAPT, in order to make your computer answer those packets.
A few extra comments: remember that your computer will answer the pings and not the router, so if you want the Line Monitor test to work you have to keep your computer on. Also note that this IP filter rule may prevent some valid ICMP packets from reaching your computer. The most important ones would be Unreachable packets, used from other routers and firewalls to notify that a certain computer you want to connect to or an entire network cannot be reached.
Regards,
-- Major Grubert
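As an added illustration that is not part of the original post and not the router's own firmware logic, this Python simulation decodes constructed IPv4/ICMP headers and applies the two-rule ordering the post sets up (deny rule 100 for every ICMP type except Echo Request, Echo Reply and Time Exceeded, then the port-forward permit that NAPTs the rest to the LAN host). The LAN address, the WAN addresses and the packets are all made up.

```python
import struct

# ICMP type numbers from RFC 792
ECHO_REPLY, DEST_UNREACHABLE, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
# Types the post's rule 100 leaves alone; everything else ICMP is denied inbound
ALLOWED_ICMP_TYPES = {ECHO_REQUEST, ECHO_REPLY, TIME_EXCEEDED}
LAN_HOST = "192.168.1.10"  # hypothetical internal host the ICMP port forward points at


def build_icmp_packet(icmp_type, code=0, src="203.0.113.5", dst="198.51.100.7"):
    """Construct a minimal IPv4 + ICMP datagram (headers only, checksums zero) for the simulation."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
        bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")),
    )
    icmp_hdr = struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)
    return ip_hdr + icmp_hdr


def parse_icmp(packet):
    """Return (ip_protocol, icmp_type, icmp_code); type/code are None for non-ICMP packets."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]
    if proto != 1:                        # 1 = ICMP
        return proto, None, None
    icmp_type, code = struct.unpack("!BB", packet[ihl:ihl + 2])
    return proto, icmp_type, code


def inbound_decision(packet):
    """Walk the inbound WAN rules in the post's order and return (verdict, forwarded_to)."""
    proto, icmp_type, code = parse_icmp(packet)
    if proto != 1:
        return "no ICMP rule matched", None
    # Rule 100: deny every ICMP type that was ticked, i.e. all but the three allowed ones.
    # This also drops Destination Unreachable (type 3), including code 4 "fragmentation
    # needed", which is the caveat the post raises about valid ICMP being blocked.
    if icmp_type not in ALLOWED_ICMP_TYPES:
        return "deny (rule 100)", None
    # Port-forward rule ("P,E,N"): permit and NAPT-redirect the packet to the LAN host
    return "permit (port forward)", LAN_HOST


if __name__ == "__main__":
    for t, c in [(ECHO_REQUEST, 0), (TIME_EXCEEDED, 0), (DEST_UNREACHABLE, 4), (REDIRECT, 1)]:
        print(f"ICMP type {t} code {c}: {inbound_decision(build_icmp_packet(t, c))}")
```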