OptimumOnline → OOL blocking ICMP Ports

I called the Help Desk and asked them why. I spent over 2 hours just explaining what was wrong. The agent kept asking "Can you get online?" Yes..I said..Im getting HTTP fine. "What exactly is the problem then?" He kept saying "We don’t block any ports" but could not explain why I wasn’t able to pass ICMP. His "Team Leader" just spouted the same thing. They even went so far as to stream to my desktop and watch me pass HTML and FTP but not be able to pass any pings. Their answer was.."We don’t block any ports" That wasn’t good enough for me. I run applications on my PC that require ICMP to be passed. They treated me like a jackass. I didn’t tell them I work for IBM. They told me that they were going to send a tech to my house to check the line but that if the tech couldn’t find anything I “would have to pay a service call fee” WTF is that? You start blocking ports..I tell you, you are blocking ports…you say your not contrary to all the things I have just told you..and your going to charge me a fee?? I just don’t get it.

Ok so the tech showed up at my house today, he was really helpful, and confirmed what I had told the help desk. He said he didn’t think they were blocking any ports but he would check. See he went one step further. He believed what I was telling him and checked. Well after 2 mins on the phone he got the answer that I told that help desk agent 3 days ago “Were blocking ICMP.” The lady wouldn’t say why or when they will stop blocking these ports. That leaves me stuck.

Now if Cablevision can’t secure its network why should I pay the price? I can’t use 20% of the applications that I use every day because Cablevision is worried about attacks. OK what does that have to do with me? I have to suffer because you all can’t get your shit together? My network is running all Microsoft products and is so frigin tight that I don’t have to worry about security. So you take functionality from the customer but don’t give anything back? If I only get 80% of the functionality from my OOL subscription shouldn’t I get a 20% rebate?

My question is why did you start blocking ports and when are you going to let me get back to my business.

Can you be specific... what is being blocked to/from you? There are known inbound blocked ports like 80, 8080 and some other well known proxy ports.

And do you have BOOL or residential OOL?

so your mister big bad IBMer and you dont even know that ICMP is a protocol and not a port ?

Where did I say ICMP was a port jackass?

quote:

---

You start blocking ports..I tell you, you are blocking ports…you say your not contrary to all the things I have just told you..and your going to charge me a fee??

---

hmm.

Outbound ICMP is bieng blocked. I have OOL not BOOL.

Again...where did I say ICMP was a port??

I said shutting ports was preventing ICMP from bieng passed. Damb before you critisize know WTF you are talking about.

Can you give an example of something that doesn't work? What command are you executing that isn't working?

Its not a command that isnt working. Well you can bring it down to that level..for instance

Ping 4.2.2.1 gets request timed out e.g. the default gateway is not letting ICMP pass.

Its not that big a deal until you have an application that requires ICMP to funtion. I have several such applications that require ICMP for authentication. Without it the application does not function.

Ping works fine for me - even to the address you specified.

Probably your firewall or router that is blocking it.

Maybe it's something specific to you, but certainly not to everyone. You can't ping something outside your own network? I know I can.

Have you made sure it's not something with your router by just placing 1 computer directly into the modem, resetting the modem and trying it? What is your CMTS? You can get it by going backwards and pinging to your IP address from outside using something like »www.tracert.com/cgi-bin/trace.pl

For example, here's mine:
traceroute to xxxxxxx.dyn.optonline.net (67.83.xxx.yyy) from 206.252.193.20: 1-30 hops, 38 byte packets
1 206.252.222.88 (206.252.222.88) 1.36 ms (ttl=64!) 1.29 ms (ttl=64!) 1.40 ms (ttl=64!)
2 198.32.160.20 (198.32.160.20) 1.57 ms (ttl=253!) 1.51 ms (ttl=253!) 1.89 ms (ttl=253!)
3 0095.gi4-7.msfc1.nyc.nac.net (64.21.102.6) 1.44 ms 2.18 ms 1.37 ms
4 0010.gi1-1.msfc1.tlw.nac.net (209.123.11.230) 1.98 ms 2.46 ms 2.26 ms
5 r2-ge9-2.in.nycmnyzr.cv.net (65.19.102.185) 1.95 ms 2.32 ms 1.79 ms
6 r1-srp1-0.wan.prnynj.cv.net (65.19.96.51) 4.64 ms 5.15 ms 5.96 ms
7 r3-srp-1-0.mhe.prnynj.cv.net (67.83.239.53) 4.44 ms 4.40 ms 3.77 ms
8 dstswr1-ge3-1.rh.wlwknj.cv.net (67.83.250.130) 5.81 ms 6.46 ms 5.30 ms
9 ubr103-fa1-0.cmts.wlwknj.cv.net (67.83.250.173) 15.3 ms 7.71 ms 7.15 ms
10 xxxxxxx.dyn.optonline.net (67.83.xxx.yyy) 21.3 ms (ttl=141!) 13.5 ms (ttl=141!) 13.8 ms (ttl=141!)

No...As I said the technician called the office and the lady confirmed they were blocking ICMP. WHat is your default gateways IP address? Its probably different than mine.

I find that very unlikely. The "lady" probably didn't understand you question or does not know what you are talking about.

Many things rely on ICMP - highly unlikely it is being blocked intentionally.

I have put this PC to the top of my network and got an IP address on the PC and tried to ping, I could not, which indicates an outside problem. tracert is an ICMP command and I cannot get 1 hop away.

This is the ping output from outside the network to my IP address from the website you provided:

Ping Output
FROM www.his.com TO 24.185.167.65.

PING 24.185.167.65 (24.185.167.65): 56 data bytes

--- 24.185.167.65 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

So ICMP inbound is also bieng blocked at the gateway.

I agree with Geek and jaa. OOL doesn't block outbound ICMP. In fact, I can ping that 4.2.2.1 (One of Genuity's DNS resolvers) just fine.

Go ahead...try and ping me??? Tracert me and the last hop on the tracert before me will be 24.185.160.1 my default gateway which is not letting icmp pass. Then you will get timeout messages since no ICMP is bieng passed through the DG.

If you run the tracert from outside in, it will show us your UBR and I'd like to see if we can ping into it to an IP or two on the other side.

Tracert from outside DG to my IP address:

1 | router.136-128.inter (207.136.128.1) ( 0.497/ 0.790/ 1.360) 3/3 100.0%
2 | marina-peering (206.124.224.5) ( 0.998/ 1.080/ 1.123) 3/3 100.0%
3 | f37.ba01.b000899-0.l (66.28.21.13) ( 39.978/ 40.490/ 40.825) 3/3 100.0%
4 | g2-0.core01.lax04.at (66.28.6.241) ( 39.453/ 39.608/ 39.894) 3/3 100.0%
5 | p15-1.core01.lax01.a (66.28.4.201) ( 39.750/ 40.012/ 40.169) 3/3 100.0%
6 | p5-0.core01.san01.at (66.28.4.78) ( 40.169/ 40.704/ 41.566) 3/3 100.0%
7 | p6-0.core01.iah01.at (66.28.4.5) ( 48.636/ 83.463/ 146.721) 3/3 100.0%
8 | p5-0.core01.dfw01.at (66.28.4.97) ( 39.873/ 40.107/ 40.401) 3/3 100.0%
9 | p15-0.core02.dfw01.a (66.28.4.26) ( 39.573/ 40.085/ 40.674) 3/3 100.0%
10 | p15-0.core01.mci01.a (66.28.4.38) ( 48.874/ 49.708/ 50.536) 3/3 100.0%
11 | p5-0.core02.ord01.at (66.28.4.34) ( 59.289/ 59.764/ 60.345) 3/3 100.0%
12 | p6-0.core02.jfk02.at (66.28.4.85) ( 82.461/ 82.712/ 82.992) 3/3 100.0%
13 | p6-0.pr01.jfk05.atla (154.54.1.166) ( 134.618/ 135.072/ 135.974) 3/3 100.0%
14 | r3-ge2-2.in.nycmny83 (65.19.103.133) ( 129.911/ 131.370/ 132.646) 3/3 100.0%
15 | r2-srp1-1.in.nycmny8 (65.19.97.98) ( 126.278/ 127.821/ 129.733) 3/3 100.0%
16 | r1-srp13-0.wan.hcvln (65.19.96.49) ( 127.654/ 130.496/ 132.728) 3/3 100.0%
17 | r1-srp13-0.cr.hcvlny (167.206.12.97) ( 129.950/ 131.370/ 132.798) 3/3 100.0%
18 | r4-srp5-0.mhe.hcvlny (167.206.12.36) ( 132.736/ 132.845/ 133.021) 3/3 100.0%
19 | opti33-134.nassau.cv (167.206.33.134) ( 127.939/ 129.373/ 131.273) 3/3 100.0%
20 | ubr101-fe1-0.cmts.bb (167.206.33.165) ( 127.752/ 129.239/ 130.402) 3/3 100.0%
21 | * * ( -1.000/ -1.000/ -1.000) 0/3 0.0%
22 | * * ( -1.000/ -1.000/ -1.000) 0/3 0.0%

ICMP is bing blocked outbound and inbound to my segment

What your test shows is that device is not responding to ICMP ping request. It does not mean it is blocking them.

Here are some pings within my network and outside.

I guess it is possible that your cmts is blocking ICMP - I just find it very hard to believe.
Edit: Here are my pings:
C:\>ping yahoo.com

Pinging yahoo.com [66.218.71.198] with 32 bytes of data:

Reply from 66.218.71.198: bytes=32 time=100ms TTL=239

Reply from 66.218.71.198: bytes=32 time=90ms TTL=239

Reply from 66.218.71.198: bytes=32 time=90ms TTL=239

Reply from 66.218.71.198: bytes=32 time=90ms TTL=239

Ping statistics for 66.218.71.198:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 90ms, Maximum = 100ms, Average = 92ms

C:\>ping optonline.net

Pinging optonline.net [167.206.5.7] with 32 bytes of data:

Reply from 167.206.5.7: bytes=32 time=10ms TTL=244

Reply from 167.206.5.7: bytes=32 time=10ms TTL=244

Reply from 167.206.5.7: bytes=32 time=30ms TTL=244

Reply from 167.206.5.7: bytes=32 time=10ms TTL=244

Ping statistics for 167.206.5.7:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 10ms, Maximum = 30ms, Average = 15ms

C:\>ping ubr

Pinging ubr [10.130.160.1] with 32 bytes of data:

Reply from 10.130.160.1: bytes=32 time=10ms TTL=253

Reply from 10.130.160.1: bytes=32 timeping router

Pinging router [192.168.12.1] with 32 bytes of data:

Reply from 192.168.12.1: bytes=32 timeping dslreports.com

Pinging dslreports.com [209.123.109.175] with 32 bytes of data:

Reply from 209.123.109.175: bytes=32 time=20ms TTL=50

Reply from 209.123.109.175: bytes=32 time=10ms TTL=50

Reply from 209.123.109.175: bytes=32 time=10ms TTL=50

Reply from 209.123.109.175: bytes=32 time=10ms TTL=50

Ping statistics for 209.123.109.175:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 10ms, Maximum = 20ms, Average = 12ms

C:\>ping 4.4.2.1

Pinging 4.4.2.1 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 4.4.2.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

[text was edited by author 2003-09-29 18:32:50]

I can't traceroute to either your IP, nor your gateway.

That isn't OOL policy, something is misconfigured.

Can ANYONE ping me?
Can ANYONE tracert to my IP?

IP: 24.185.167.65

Im thinking no....but I can pass HTTP no problem...as I am writting on this board.

I have IM'ed one of the OOL folks that comes to this board often and asked him to look at this thread. Hopefully he'll see something he can comment on.

Can't ping you. Packets in traceroute stop at 167.206.33.134 opti33-134.nassau.cv.net.

I can't. I only get to opti33-134.nassau.cv - one hop less than you got on your test.

jaa, you're slow! Beat you by 3 seconds.

MY DG 24.185.160.1
MY IP 24.185.167.65

DG or something above it is not passing ICMP...WHat other explination can you come up with? This was confirmed by the technician who was at my house and called the office.

Dont lie..you all thought I was wacky...

Not wacky, but there have been many instances when a local config issue was the cause and not an OOL problem. It happens often.

Also, the info provided to you on the phone, though possibly correct for your one instance, isn't correct for the rest of us, at least as everything is currently set up.

Not correct for you now....but that doesnt mean it wont be correct for you tommorow when OOL starts blocking ICMP at your DG.

If they were to do such a thing, it would be system-wide. How is your network configured?