dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
8178
share rss forum feed


Viso

@optonline.net

OOL blocking ICMP Ports

I called the Help Desk and asked them why. I spent over 2 hours just explaining what was wrong. The agent kept asking "Can you get online?" Yes..I said..Im getting HTTP fine. "What exactly is the problem then?" He kept saying "We don’t block any ports" but could not explain why I wasn’t able to pass ICMP. His "Team Leader" just spouted the same thing. They even went so far as to stream to my desktop and watch me pass HTML and FTP but not be able to pass any pings. Their answer was.."We don’t block any ports" That wasn’t good enough for me. I run applications on my PC that require ICMP to be passed. They treated me like a jackass. I didn’t tell them I work for IBM. They told me that they were going to send a tech to my house to check the line but that if the tech couldn’t find anything I “would have to pay a service call fee” WTF is that? You start blocking ports..I tell you, you are blocking ports…you say your not contrary to all the things I have just told you..and your going to charge me a fee?? I just don’t get it.

Ok so the tech showed up at my house today, he was really helpful, and confirmed what I had told the help desk. He said he didn’t think they were blocking any ports but he would check. See he went one step further. He believed what I was telling him and checked. Well after 2 mins on the phone he got the answer that I told that help desk agent 3 days ago “Were blocking ICMP.” The lady wouldn’t say why or when they will stop blocking these ports. That leaves me stuck.

Now if Cablevision can’t secure its network why should I pay the price? I can’t use 20% of the applications that I use every day because Cablevision is worried about attacks. OK what does that have to do with me? I have to suffer because you all can’t get your shit together? My network is running all Microsoft products and is so frigin tight that I don’t have to worry about security. So you take functionality from the customer but don’t give anything back? If I only get 80% of the functionality from my OOL subscription shouldn’t I get a 20% rebate?

My question is why did you start blocking ports and when are you going to let me get back to my business.



GeekNJ
Premium
join:2000-09-23
Waldwick, NJ
Reviews:
·Optimum Online
·Verizon FiOS

Can you be specific... what is being blocked to/from you? There are known inbound blocked ports like 80, 8080 and some other well known proxy ports.

And do you have BOOL or residential OOL?
--
Have you tweaked your OOL connection?


plat2on1

join:2002-08-21
Hopewell Junction, NY
reply to Viso

so your mister big bad IBMer and you dont even know that ICMP is a protocol and not a port ?



Viso

@optonline.net

-1 recommendation

Where did I say ICMP was a port jackass?


plat2on1

join:2002-08-21
Hopewell Junction, NY

1 recommendation

reply to Viso

quote:
You start blocking ports..I tell you, you are blocking ports…you say your not contrary to all the things I have just told you..and your going to charge me a fee??
hmm.


Viso

@optonline.net
reply to Viso

Outbound ICMP is bieng blocked. I have OOL not BOOL.



Viso

@optonline.net

-1 recommendation

Again...where did I say ICMP was a port??

I said shutting ports was preventing ICMP from bieng passed. Damb before you critisize know WTF you are talking about.



GeekNJ
Premium
join:2000-09-23
Waldwick, NJ

Can you give an example of something that doesn't work? What command are you executing that isn't working?
--
Have you tweaked your OOL connection?



Viso

@optonline.net
reply to Viso

Its not a command that isnt working. Well you can bring it down to that level..for instance

Ping 4.2.2.1 gets request timed out e.g. the default gateway is not letting ICMP pass.

Its not that big a deal until you have an application that requires ICMP to funtion. I have several such applications that require ICMP for authentication. Without it the application does not function.



jaa
Premium
join:2000-06-13
kudos:2
Reviews:
·Vonage
·Optimum Online

Ping works fine for me - even to the address you specified.

Probably your firewall or router that is blocking it.
--
NOTHING justifies terrorism. We don't negotiate with terrorists. Those that support terrorists are terrorists.



GeekNJ
Premium
join:2000-09-23
Waldwick, NJ
Reviews:
·Optimum Online
·Verizon FiOS
reply to Viso

Maybe it's something specific to you, but certainly not to everyone. You can't ping something outside your own network? I know I can.

Have you made sure it's not something with your router by just placing 1 computer directly into the modem, resetting the modem and trying it? What is your CMTS? You can get it by going backwards and pinging to your IP address from outside using something like »www.tracert.com/cgi-bin/trace.pl

For example, here's mine:
traceroute to xxxxxxx.dyn.optonline.net (67.83.xxx.yyy) from 206.252.193.20: 1-30 hops, 38 byte packets
1 206.252.222.88 (206.252.222.88) 1.36 ms (ttl=64!) 1.29 ms (ttl=64!) 1.40 ms (ttl=64!)
2 198.32.160.20 (198.32.160.20) 1.57 ms (ttl=253!) 1.51 ms (ttl=253!) 1.89 ms (ttl=253!)
3 0095.gi4-7.msfc1.nyc.nac.net (64.21.102.6) 1.44 ms 2.18 ms 1.37 ms
4 0010.gi1-1.msfc1.tlw.nac.net (209.123.11.230) 1.98 ms 2.46 ms 2.26 ms
5 r2-ge9-2.in.nycmnyzr.cv.net (65.19.102.185) 1.95 ms 2.32 ms 1.79 ms
6 r1-srp1-0.wan.prnynj.cv.net (65.19.96.51) 4.64 ms 5.15 ms 5.96 ms
7 r3-srp-1-0.mhe.prnynj.cv.net (67.83.239.53) 4.44 ms 4.40 ms 3.77 ms
8 dstswr1-ge3-1.rh.wlwknj.cv.net (67.83.250.130) 5.81 ms 6.46 ms 5.30 ms
9 ubr103-fa1-0.cmts.wlwknj.cv.net (67.83.250.173) 15.3 ms 7.71 ms 7.15 ms
10 xxxxxxx.dyn.optonline.net (67.83.xxx.yyy) 21.3 ms (ttl=141!) 13.5 ms (ttl=141!) 13.8 ms (ttl=141!)
--
Have you tweaked your OOL connection?



Viso

@optonline.net
reply to jaa

No...As I said the technician called the office and the lady confirmed they were blocking ICMP. WHat is your default gateways IP address? Its probably different than mine.



jaa
Premium
join:2000-06-13
kudos:2
Reviews:
·Vonage
·Optimum Online

I find that very unlikely. The "lady" probably didn't understand you question or does not know what you are talking about.

Many things rely on ICMP - highly unlikely it is being blocked intentionally.
--
NOTHING justifies terrorism. We don't negotiate with terrorists. Those that support terrorists are terrorists.



Viso

@optonline.net
reply to Viso

I have put this PC to the top of my network and got an IP address on the PC and tried to ping, I could not, which indicates an outside problem. tracert is an ICMP command and I cannot get 1 hop away.

This is the ping output from outside the network to my IP address from the website you provided:

Ping Output
FROM www.his.com TO 24.185.167.65.

PING 24.185.167.65 (24.185.167.65): 56 data bytes

--- 24.185.167.65 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

So ICMP inbound is also bieng blocked at the gateway.



Bichon
Premium,MVM
join:2002-10-10
Freehold, NJ
reply to Viso

I agree with Geek and jaa. OOL doesn't block outbound ICMP. In fact, I can ping that 4.2.2.1 (One of Genuity's DNS resolvers) just fine.



Viso

@optonline.net
reply to Viso

Go ahead...try and ping me??? Tracert me and the last hop on the tracert before me will be 24.185.160.1 my default gateway which is not letting icmp pass. Then you will get timeout messages since no ICMP is bieng passed through the DG.



GeekNJ
Premium
join:2000-09-23
Waldwick, NJ
Reviews:
·Optimum Online
·Verizon FiOS
reply to Viso

If you run the tracert from outside in, it will show us your UBR and I'd like to see if we can ping into it to an IP or two on the other side.
--
Have you tweaked your OOL connection?



Viso

@optonline.net
reply to Viso

Tracert from outside DG to my IP address:

1 | router.136-128.inter (207.136.128.1) ( 0.497/ 0.790/ 1.360) 3/3 100.0%
2 | marina-peering (206.124.224.5) ( 0.998/ 1.080/ 1.123) 3/3 100.0%
3 | f37.ba01.b000899-0.l (66.28.21.13) ( 39.978/ 40.490/ 40.825) 3/3 100.0%
4 | g2-0.core01.lax04.at (66.28.6.241) ( 39.453/ 39.608/ 39.894) 3/3 100.0%
5 | p15-1.core01.lax01.a (66.28.4.201) ( 39.750/ 40.012/ 40.169) 3/3 100.0%
6 | p5-0.core01.san01.at (66.28.4.78) ( 40.169/ 40.704/ 41.566) 3/3 100.0%
7 | p6-0.core01.iah01.at (66.28.4.5) ( 48.636/ 83.463/ 146.721) 3/3 100.0%
8 | p5-0.core01.dfw01.at (66.28.4.97) ( 39.873/ 40.107/ 40.401) 3/3 100.0%
9 | p15-0.core02.dfw01.a (66.28.4.26) ( 39.573/ 40.085/ 40.674) 3/3 100.0%
10 | p15-0.core01.mci01.a (66.28.4.38) ( 48.874/ 49.708/ 50.536) 3/3 100.0%
11 | p5-0.core02.ord01.at (66.28.4.34) ( 59.289/ 59.764/ 60.345) 3/3 100.0%
12 | p6-0.core02.jfk02.at (66.28.4.85) ( 82.461/ 82.712/ 82.992) 3/3 100.0%
13 | p6-0.pr01.jfk05.atla (154.54.1.166) ( 134.618/ 135.072/ 135.974) 3/3 100.0%
14 | r3-ge2-2.in.nycmny83 (65.19.103.133) ( 129.911/ 131.370/ 132.646) 3/3 100.0%
15 | r2-srp1-1.in.nycmny8 (65.19.97.98) ( 126.278/ 127.821/ 129.733) 3/3 100.0%
16 | r1-srp13-0.wan.hcvln (65.19.96.49) ( 127.654/ 130.496/ 132.728) 3/3 100.0%
17 | r1-srp13-0.cr.hcvlny (167.206.12.97) ( 129.950/ 131.370/ 132.798) 3/3 100.0%
18 | r4-srp5-0.mhe.hcvlny (167.206.12.36) ( 132.736/ 132.845/ 133.021) 3/3 100.0%
19 | opti33-134.nassau.cv (167.206.33.134) ( 127.939/ 129.373/ 131.273) 3/3 100.0%
20 | ubr101-fe1-0.cmts.bb (167.206.33.165) ( 127.752/ 129.239/ 130.402) 3/3 100.0%
21 | * * ( -1.000/ -1.000/ -1.000) 0/3 0.0%
22 | * * ( -1.000/ -1.000/ -1.000) 0/3 0.0%

ICMP is bing blocked outbound and inbound to my segment



jaa
Premium
join:2000-06-13
kudos:2
Reviews:
·Vonage
·Optimum Online

reply to Viso

downloadping.zip 629 bytes
(ping.txt)
What your test shows is that device is not responding to ICMP ping request. It does not mean it is blocking them.

Here are some pings within my network and outside.

I guess it is possible that your cmts is blocking ICMP - I just find it very hard to believe.
Edit: Here are my pings:
C:\>ping yahoo.com

Pinging yahoo.com [66.218.71.198] with 32 bytes of data:

Reply from 66.218.71.198: bytes=32 time=100ms TTL=239

Reply from 66.218.71.198: bytes=32 time=90ms TTL=239

Reply from 66.218.71.198: bytes=32 time=90ms TTL=239

Reply from 66.218.71.198: bytes=32 time=90ms TTL=239

Ping statistics for 66.218.71.198:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 90ms, Maximum = 100ms, Average = 92ms

C:\>ping optonline.net

Pinging optonline.net [167.206.5.7] with 32 bytes of data:

Reply from 167.206.5.7: bytes=32 time=10ms TTL=244

Reply from 167.206.5.7: bytes=32 time=10ms TTL=244

Reply from 167.206.5.7: bytes=32 time=30ms TTL=244

Reply from 167.206.5.7: bytes=32 time=10ms TTL=244

Ping statistics for 167.206.5.7:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 10ms, Maximum = 30ms, Average = 15ms

C:\>ping ubr

Pinging ubr [10.130.160.1] with 32 bytes of data:

Reply from 10.130.160.1: bytes=32 time=10ms TTL=253

Reply from 10.130.160.1: bytes=32 timeping router

Pinging router [192.168.12.1] with 32 bytes of data:

Reply from 192.168.12.1: bytes=32 timeping dslreports.com

Pinging dslreports.com [209.123.109.175] with 32 bytes of data:

Reply from 209.123.109.175: bytes=32 time=20ms TTL=50

Reply from 209.123.109.175: bytes=32 time=10ms TTL=50

Reply from 209.123.109.175: bytes=32 time=10ms TTL=50

Reply from 209.123.109.175: bytes=32 time=10ms TTL=50

Ping statistics for 209.123.109.175:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 10ms, Maximum = 20ms, Average = 12ms

C:\>ping 4.4.2.1

Pinging 4.4.2.1 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 4.4.2.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

[text was edited by author 2003-09-29 18:32:50]


Bichon
Premium,MVM
join:2002-10-10
Freehold, NJ
reply to Viso

I can't traceroute to either your IP, nor your gateway.

That isn't OOL policy, something is misconfigured.



Viso

@optonline.net
reply to Viso

Can ANYONE ping me?
Can ANYONE tracert to my IP?

IP: 24.185.167.65

Im thinking no....but I can pass HTTP no problem...as I am writting on this board.



GeekNJ
Premium
join:2000-09-23
Waldwick, NJ
Reviews:
·Optimum Online
·Verizon FiOS

I have IM'ed one of the OOL folks that comes to this board often and asked him to look at this thread. Hopefully he'll see something he can comment on.
--
Have you tweaked your OOL connection?



Bichon
Premium,MVM
join:2002-10-10
Freehold, NJ
reply to Viso

Can't ping you. Packets in traceroute stop at 167.206.33.134 opti33-134.nassau.cv.net.



jaa
Premium
join:2000-06-13
kudos:2
reply to Viso

I can't. I only get to opti33-134.nassau.cv - one hop less than you got on your test.



Bichon
Premium,MVM
join:2002-10-10
Freehold, NJ
reply to Viso

jaa, you're slow! Beat you by 3 seconds.



Viso

@optonline.net
reply to Viso

MY DG 24.185.160.1
MY IP 24.185.167.65

DG or something above it is not passing ICMP...WHat other explination can you come up with? This was confirmed by the technician who was at my house and called the office.



Viso

@optonline.net
reply to Viso

Dont lie..you all thought I was wacky...



GeekNJ
Premium
join:2000-09-23
Waldwick, NJ
Reviews:
·Optimum Online
·Verizon FiOS

Not wacky, but there have been many instances when a local config issue was the cause and not an OOL problem. It happens often.

Also, the info provided to you on the phone, though possibly correct for your one instance, isn't correct for the rest of us, at least as everything is currently set up.
--
Have you tweaked your OOL connection?



Viso

@optonline.net
reply to Viso

Not correct for you now....but that doesnt mean it wont be correct for you tommorow when OOL starts blocking ICMP at your DG.



Babbat
Blissfully Ignorant
Premium
join:2001-06-24
Long Island
reply to Viso

If they were to do such a thing, it would be system-wide. How is your network configured?