I have searched for an answer to this question, but am coming up short....
When a traceroute is completed from a CPE to an internet address, say Google DNS, our internal network addresses appear as hops, making our internal address range viewable to external sources. How can I make it so that, when a traceroute is completed, our internal addresses appear as "* * *"....
Is your traffic routed in the global routing table?
If yes, there is no single command line that achieves what you want.
You need a proper loopback filter to drop all TCP/UDP high ports (1024-65535) from untrusted source IPs [tcptraceroute + UDP traceroute], plus drop all ICMP Echo Requests from untrusted source IPs with TTL==1 [Windows tracert].
If not (meaning your traffic is inside an MPLS L3VPN/VRF), then have a look at
Hi aarsinev and Kingsman,
I currently don't have access to the VPN as we are using a default license (only 2 clients allowed at any time).... But, having completed some tests to other systems via upstream ISPs, it looks like they allow echo replies anyway. Maybe this is a default for an "internal network".
My definition of "internal network" is NOT the actual IP range used in the data networks, but the addressing on the routers within the ISP network.....
I will still give your options a go when I can get onto the VPN and will report back.
I have created a firewall filter that discards or stops echo-replies under icmp-type.
I tested from external after applying the firewall filter to the required interface, and it seemed to work. To ensure this works as expected, I need to get the circuit owner to test from the CPE end. As soon as this is completed I will be able to let you know if it was fully successful or not.... Here is the config applied:
set firewall family inet filter filter-tracert term 1 from source-address 0.0.0.0/0
set firewall family inet filter filter-tracert term 1 from destination-address (Internal subnet)
set firewall family inet filter filter-tracert term 1 from protocol icmp
set firewall family inet filter filter-tracert term 1 from icmp-type echo-reply
set firewall family inet filter filter-tracert term 1 then discard
set firewall family inet filter filter-tracert term 2 then accept
set interface ae1 unit 0 family inet filter input filter-tracert
If you see any issues with this then please let me know.
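To make the mechanism behind the loopback-filter advice earlier in the thread (drop high-port TCP/UDP and TTL==1 ICMP echo requests from untrusted sources) concrete, here is a small Python simulation. It is an added example, not code from any poster or from Juniper: it models traceroute probes expiring hop by hop, with the expired packet punted to the control plane where a filter modelled on that rule set decides whether an ICMP Time Exceeded goes back to the sender. The topology, addresses and the "trusted" range are constructed for illustration; the only identifiers taken from the thread are the port range, the TTL==1 condition and Google DNS as the destination.

```python
"""Simulate which hops a traceroute reveals once a loopback (control-plane)
filter discards traceroute probes from untrusted sources.

Constructed example: topology, addresses and the trusted range are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Hypothetical management range whose probes should still be answered.
TRUSTED: List[IPv4Network] = [ip_network("10.0.0.0/8")]


@dataclass
class Probe:
    src: str
    dst: str
    proto: str        # "udp", "tcp" or "icmp-echo"
    ttl: int
    dport: int = 0    # transport destination port (0 for ICMP)


@dataclass
class Router:
    address: str                 # address this hop would answer from
    lo0_filter: bool             # traceroute-hiding filter applied or not
    trusted: List[IPv4Network]

    def punted_packet_dropped(self, p: Probe) -> bool:
        """Evaluate the loopback filter on a packet punted to the control plane.

        Rules modelled on the thread's description:
          * TCP/UDP to ports 1024-65535 from an untrusted source -> discard
          * ICMP echo request arriving with TTL == 1 from an untrusted source -> discard
          * everything else -> accept (a Time Exceeded is generated)
        """
        if not self.lo0_filter:
            return False
        src = ip_address(p.src)
        if any(src in net for net in self.trusted):
            return False
        if p.proto in ("udp", "tcp") and 1024 <= p.dport <= 65535:
            return True
        if p.proto == "icmp-echo" and p.ttl == 1:
            return True
        return False


def send_probe(path: List[Router], probe: Probe) -> Optional[str]:
    """Forward one probe along the path; return the answering address or None."""
    for router in path:
        if probe.ttl <= 1:
            # TTL expires here: the packet is punted, and the loopback filter
            # decides whether this hop reveals itself with a Time Exceeded.
            return None if router.punted_packet_dropped(probe) else router.address
        probe.ttl -= 1           # transit forwarding just decrements TTL
    return probe.dst             # probe reached the destination


def traceroute(path: List[Router], src: str, dst: str, proto: str) -> List[Optional[str]]:
    """Return the per-hop answers for TTL 1..len(path)+1 (None means '* * *')."""
    answers = []
    for ttl in range(1, len(path) + 2):
        dport = 0 if proto == "icmp-echo" else 33434 + ttl - 1   # classic UDP traceroute ports
        answers.append(send_probe(path, Probe(src, dst, proto, ttl, dport)))
    return answers


def render(answers: List[Optional[str]]) -> List[str]:
    """Format answers the way a traceroute output would show them."""
    return [f"{i}  {a if a is not None else '* * *'}" for i, a in enumerate(answers, 1)]


# Constructed path: CPE-facing edge (unfiltered), two internal core hops
# (filtered), upstream handoff (unfiltered).  Addresses are illustrative.
SAMPLE_PATH = [
    Router("203.0.113.1", lo0_filter=False, trusted=TRUSTED),
    Router("192.168.10.1", lo0_filter=True, trusted=TRUSTED),
    Router("192.168.10.2", lo0_filter=True, trusted=TRUSTED),
    Router("198.51.100.1", lo0_filter=False, trusted=TRUSTED),
]

if __name__ == "__main__":
    print("UDP traceroute from an untrusted CPE:")
    print("\n".join(render(traceroute(SAMPLE_PATH, "203.0.113.50", "8.8.8.8", "udp"))))
    print("\nICMP traceroute from a trusted management host:")
    print("\n".join(render(traceroute(SAMPLE_PATH, "10.1.1.1", "8.8.8.8", "icmp-echo"))))
```

Running it shows the two filtered core hops as "* * *" for both UDP and ICMP probes from the CPE, while the same hops still answer probes from the trusted range, which is the behaviour the loopback-filter approach is meant to produce. The simulation only models the Time Exceeded messages that traceroute displays for intermediate hops; the destination's own reply is not modelled beyond returning its address.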