TCP traceroute troubleshooting

[matthewdva]

I am getting different traceroute results depending on whether I execute the traceroute from the NGFW or a machine behind the NGFW.

For example: (The actual destination address has been changed for privacy)
From the NGFW:

Code:

[root@gw] ~ # traceroute -Tp 22 209.45.145.273
traceroute to 209.45.145.273 (209.45.145.273), 30 hops max, 60 byte packets
 1  * * *
 2  ae1326-21.ARTNVAFC-MSE01-AA-IE1.verizon-gni.net (100.41.24.4)  2.882 ms  4.343 ms ae1326-20.WASHDCDN-MSE01-AA-IE1.verizon-gni.net (100.41.24.2)  3.285 ms
 3  0.ae2.BR1.IAD8.ALTER.NET (140.222.239.79)  4.248 ms  3.632 ms  4.113 ms
 4  * * *
 5  * * *
 6  ae15.er5.iad10.us.zip.zayo.com (64.125.25.167)  4.438 ms  6.578 ms  6.034 ms
 7  64.125.192.150.t00718-02.above.net (64.125.192.150)  5.062 ms  4.774 ms  4.040 ms
 8  67-217-171-210.ash01.latisys.net (67.217.171.210)  4.558 ms v909.ash01-mls-dc-dist-b.latisys.net (67.217.171.6)  3.535 ms  5.516 ms
 9  67-217-171-146.ash01.latisys.net (67.217.171.146)  28.550 ms  28.263 ms 67-217-171-138.ash01.latisys.net (67.217.171.138)  3.789 ms
10  . (209.45.145.272)  4.713 ms  4.528 ms  3.465 ms
11  * * *
12  . (209.45.145.273)  3.846 ms  4.286 ms  4.244 ms

From a host behind the NGFW:

Code:

[root@server ~]# traceroute -Tp 22 209.45.145.273
traceroute to 208.54.245.173 (208.54.245.173), 30 hops max, 60 byte packets
 1  gw.home.drop.net (192.168.1.1)  1.016 ms  0.948 ms  1.576 ms
 2  . (209.45.145.273)  14.183 ms  11.449 ms  11.323 ms

Historically when I have seen traceroutes like this one the route is going through a tunnel/vpn. However there are no tunnels/VPNs between these locations.

Are one or more of the APPS on the NGFW encapsulating the packets? How can I get the same results from hosts behind the NGFW as I do from the NGFW itself?

Thanks

[sky-knight]

Untangle routes according to its own routing table.

The clients route according to their own routing table.

Assuming the client is using Untangle as the router in question, things match.

So, is Untangle 192.168.1.1?

You're right that VPN tunnels will change things, because matched traffic will find a tunnel and change course. But any other routing changes on Untangle will cause Untangle itself to use that same path too. Unless you've recently added or removed a VPN? Sometimes you have to reboot Untangle to get that change to sink in consistently.

[matthewdva]

Thank you for responding. My apologizes for not being clear.

192.168.1.1 is the internal interface of the NGFW. I do not have any VPN/Tunnels enabled on either the NGFW or the client.

The routing on the client is basic and sends all traffic to the NGFW.

If the NGFW is sending the traffic to a tunnel, what is the tunnel? Is there someway to configure traceroute traffic to by-pass the tunnel or what ever it is going through?

[jcoffin]

Traceroute is based on response from upstream switches. The client behind NGFW is traveling across a NAT interface (LAN to WAN) therefore the client will not receive all the upstream traces due to NAT. Frankly traceroute is not very useful as the path displayed is not 100% accurate.

https://lostintransit.se/2013/05/29/...my-traceroute/