Junos OS


ICMP Traceroute question

  • 1.  ICMP Traceroute question

    Posted 01-07-2019 03:06

    Hi,


    I have a firewall filter to block certain addresses being seen by the customer and it works great apart from one issue I cannot resolve...


    From a customer host address (let's say a laptop), I complete a traceroute (tracert) to 8.8.8.8. The problem is that instead of the customer not seeing the addresses, they will get a timeout...


    Question:

    Is there a way that I can make it so the customer just sees the next-hop I want them to see rather than timeouts?


    Here is an example of what I mean:

    CPE = 192.168.1.1/30

    NTE Ge-0/0/0 = 192.168.1.2/30

    NTE Ge-0/0/7.100 = 10.10.10.1/30

    MX240 Core XE-1/2/4.100 = 10.10.10.2/30

    MX240 Core XE-1/2/5 = Upstream 


    Upstream ISP = 80.80.80.1/30


    I want the laptop to see only the CPE LAN Gateway and the next-hop as the upstream ISP address of 80.80.80.1... I can do this already, but the hops in between show as * * * Request Timed Out.


    It's the request timed out section I do not want the customer to see. Rather, just the next-hop of Upstream ISP.


  • 2.  RE: ICMP Traceroute question
    Best Answer

    Posted 01-07-2019 08:33

    In a normal scenario it is not possible to achieve the desired result, as it is the client's behaviour to print '*' if it is not receiving the ICMP time exceeded message from the intermediate devices.


  • 3.  RE: ICMP Traceroute question

    Posted 01-08-2019 01:07

    Hi Nellikka,


    Thank you. That's exactly what I thought, but may as well ask the question 🙂


    It's fine as is... The customer cannot ping any addresses internally, and neither do they show up in a traceroute...


    Just in case anyone wanted to know how I achieve the desired results, here is the config:


    set firewall family inet filter icmp-reject term 1 from source-address x.x.x.x/x (where you want to block it from)
    set firewall family inet filter icmp-reject term 1 from destination-address x.x.x.x/x (the address you don't want them to see)
    set firewall family inet filter icmp-reject term 1 from destination-address x.x.x.x/x (the address you don't want them to see)
    set firewall family inet filter icmp-reject term 1 from protocol icmp
    set firewall family inet filter icmp-reject term 1 then discard
    set firewall family inet filter icmp-reject term 2 from protocol udp
    set firewall family inet filter icmp-reject term 2 from port 33434-33689
    set firewall family inet filter icmp-reject term 2 then discard
    set firewall family inet filter icmp-reject term 3 from ttl 0
    set firewall family inet filter icmp-reject term 3 from ttl 1
    set firewall family inet filter icmp-reject term 3 then discard


    If you want to allow everything else through then use a new term with "accept" on the end of this filter. I don't need it as I am running multiple filters on the interface and the last filter has the "accept" statement.


    Apply this to the interface you want to place the block on:


    set interfaces ge-0/0/1 unit 0 family inet filter input-list icmp-reject
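To make the posted filter's first-match behaviour concrete, here is an added example (not from this thread and not Juniper code): a small Python model of the three terms above, evaluated against the probes a customer's traceroute toward 8.8.8.8 would send. It assumes constructed stand-ins for the x.x.x.x/x placeholders (192.168.1.0/30 as the customer source, 10.10.10.0/30 as the hidden range), takes TTL as seen on arrival at the NTE, and uses a simplified subset of Junos semantics (terms in order, first full match decides, repeated values of one condition ORed, `port` matching either source or destination port).

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the thread's x.x.x.x/x placeholders
CUSTOMER = ip_network("192.168.1.0/30")   # where the block applies from
HIDDEN = [ip_network("10.10.10.0/30")]    # addresses the customer must not see

# The three posted terms: (name, 'from' conditions, 'then' action).
# Repeated values of one condition (the two 'ttl' lines) are ORed.
FILTER = [
    ("1", {"source-address": [CUSTOMER], "destination-address": HIDDEN,
           "protocol": ["icmp"]}, "discard"),
    ("2", {"protocol": ["udp"], "port": [range(33434, 33690)]}, "discard"),
    ("3", {"ttl": [0, 1]}, "discard"),
]

def _match(cond, values, pkt):
    """One 'from' condition; 'port' matches source or destination port."""
    if cond == "source-address":
        return any(ip_address(pkt["src"]) in net for net in values)
    if cond == "destination-address":
        return any(ip_address(pkt["dst"]) in net for net in values)
    if cond == "protocol":
        return pkt["proto"] in values
    if cond == "port":
        return any(pkt.get("sport") in r or pkt.get("dport") in r for r in values)
    if cond == "ttl":
        return pkt["ttl"] in values
    raise ValueError(f"unsupported condition {cond}")

def evaluate(pkt, terms=FILTER, default="accept"):
    """First term whose conditions all match decides; 'default' stands in for
    the author's later filter ending in 'accept' (Junos alone would discard)."""
    for name, conds, action in terms:
        if all(_match(c, v, pkt) for c, v in conds.items()):
            return name, action
    return None, default

def probes(kind, ttls=range(1, 5)):
    """Constructed traceroute probes toward 8.8.8.8, TTL as seen arriving at the NTE."""
    for ttl in ttls:
        if kind == "icmp":   # Windows tracert sends ICMP echo requests
            yield {"src": "192.168.1.1", "dst": "8.8.8.8", "proto": "icmp", "ttl": ttl}
        else:                # Linux/macOS traceroute sends UDP, one high port per probe
            yield {"src": "192.168.1.1", "dst": "8.8.8.8", "proto": "udp",
                   "sport": 40000, "dport": 33434 + ttl - 1, "ttl": ttl}

def verdicts(kind):
    """TTL -> filter action at the NTE input; 'discard' means no hop reply, so '*'."""
    return {p["ttl"]: evaluate(p)[1] for p in probes(kind)}
```

Note that the UDP probes of a Linux/macOS traceroute match term 2 at every TTL, so they are discarded outright rather than merely hidden; Windows tracert uses ICMP echo and only loses the TTL 1 probe to term 3.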