Can't ping to router from specific host

Hi!
I get no replies when I ping from external host “A” to my RUT241 router (fw: RUT2M_R_00.07.02.3), which has dynamic public IP (ddns). If I ping from another external host “B”, I receive replies properly.
However, ssh or https login from both A and B is possible and neither host has been blacklisted.
If I stop firewall, then ping works also from A. How am I supposed to fix this?

Thanks in advance.

Hello!

Firstly, I highly recommend resetting the router to factory settings and updating to the latest firmware if it fails to ping after reset. This should resolve the issue you’re experiencing. If the problem persists, please provide more details about the issue. Specify the addresses you’re pinging, and if possible, include screenshots.

Best regards,

Marijus

Hi Marijus and thanks for your answer.
Unfortunately I don’t have physical access to the router which is located at a site about 400km away. Therefore, factory reset is not an option for the moment. For the same reason, I feel very hesitant to upgrade the firmware in case I get locked out.
Regarding the addresses, see below the screenshots. Pinging from host A:
[Redacted by Moderator]

At the same time pinging from host B:
[Redacted by Moderator]

As I mentioned, if I stop router’s firewall then host A receives answers properly. ssh & https logins work from both A & B. Is there a chance that host A is blacklisted while not shown in the 15 pages list with blocked hosts?

It’s none of my business, but what you are doing is very dangerous: your device is accessible from the internet, with many open / unfiltered ports exposed to the rest of the world.
No surprise that you have 15+ pages of blocked IP addresses …
At least set up a VPN server on the router (WireGuard, IPsec, …) and block all WAN / mobile access.
Regards,


Hi,

As mentioned by flebourse, it’s important to avoid sharing your private information on public forums like this. I’ve redacted the images you shared to remove any personal data.

Regarding your ping issues, it’s likely that there’s a firewall rule, either one you created or a default rule, blocking traffic from A host IP. Your connection seems to work when the firewall is disabled. Check your firewall rules, specifically those related to the A host IP, to identify and resolve the issue.

I hope this information is helpful.

Best,

Marijus

Hi and thanks again for the answer.
You are absolutely right about the shared info, but I did so after you asked for screenshots and the specific IPs of ping.
Anyway, I agree with you that the firewall seems to be responsible. I just can’t see any relevant rule: I haven’t created any custom one, nor does “iptables -L” return host A’s IP. On the other hand, what default rule would allow host B and not A to ping?
Is there a place where all the dynamically created firewall rules are stored?
Or if I delete all the blocked IPs from WebUI (I wouldn’t like to), will the ping issue be restored?

Regards,

Hi,

The issue is most likely related to blocked IP addresses, especially on the 15 pages. You can manually check these pages to identify the problem. Alternatively, following flebourse’s suggestion, consider setting up a VPN server on your router. Since you already have a DDNS address, this process should be relatively straightforward. Doing so will enhance your security and allow secure access to your device.

To clarify, when you mention “stopping firewall,” are you referring to disabling specific router functions or something else? Please provide more details.

Best regards,

Marijus

Are you sure that the ISP (Internet Service Provider) / firewall rules that Host B is using allow ICMP (like ping) traffic from their networks?

By “stopping firewall” I mean: /etc/init.d/firewall stop
Host A’s IP is not among the (15 pages of) blacklisted IPs. Any other place that it can be hidden?
Regards,

Both hosts A and B have the same ISP and ICMP is allowed. In that case it wouldn’t work when I stopped router’s firewall.

I didn’t mention it above, but you should also avoid using short RSA and DSA keys for dropbear / OpenSSH; use ECDSA or, better, Ed25519 instead.
Your first priority should be to set up a VPN; several people may be able to help you if you need.


Then it’s your firewall and protection that’s misconfigured somehow.

To debug your issue execute:

tcpdump -i any -n -v 'host the-ip-that-fails'

on the router. Do you see something coming in ?

tcpdump -i any -n -v 'host the-ip-that-fails'

tcpdump: can't parse filter expression: syntax error

I slightly modified the command (sanitized):

# tcpdump -i any -v -n dst 'wan_ddns_IP' and src 'host the-ip-that-fails'
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
00:20:36.702535 IP (tos 0x0, ttl 58, id 56445, offset 0, flags [DF], proto ICMP (1), length 84)
    'host the-ip-that-fails' > 'wan_ddns_IP': ICMP echo request, id 52420, seq 24, length 64
00:20:36.823062 IP (tos 0x0, ttl 58, id 56459, offset 0, flags [DF], proto ICMP (1), length 84)
    'host the-ip-that-fails' > 'wan_ddns_IP': ICMP echo request, id 52431, seq 1, length 64
00:20:36.961680 IP (tos 0x0, ttl 58, id 56588, offset 0, flags [DF], proto ICMP (1), length 84)
    'host the-ip-that-fails' > 'wan_ddns_IP': ICMP echo request, id 51819, seq 770, length 64
00:20:37.722878 IP (tos 0x0, ttl 58, id 57052, offset 0, flags [DF], proto ICMP (1), length 84)
    'host the-ip-that-fails' > 'wan_ddns_IP': ICMP echo request, id 52420, seq 25, length 64
00:20:37.843012 IP (tos 0x0, ttl 58, id 57143, offset 0, flags [DF], proto ICMP (1), length 84)
    'host the-ip-that-fails' > 'wan_ddns_IP': ICMP echo request, id 52431, seq 2, length 64
00:20:37.981701 IP (tos 0x0, ttl 58, id 57185, offset 0, flags [DF], proto ICMP (1), length 84)
    'host the-ip-that-fails' > 'wan_ddns_IP': ICMP echo request, id 51819, seq 771, length 64
00:20:38.742942 IP (tos 0x0, ttl 58, id 57284, offset 0, flags [DF], proto ICMP (1), length 84)
    'host the-ip-that-fails' > 'wan_ddns_IP': ICMP echo request, id 52420, seq 26, length 64
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel

With firewall stopped (/etc/init.d/firewall stop):

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
00:24:55.124419 IP (tos 0x0, ttl 58, id 50973, offset 0, flags [DF], proto ICMP (1), length 84)
     'host the-ip-that-fails' > 'wan_ddns_IP': ICMP echo request, id 51819, seq 1023, length 64
00:24:56.125627 IP (tos 0x0, ttl 58, id 51017, offset 0, flags [DF], proto ICMP (1), length 84)
     'host the-ip-that-fails' > 'wan_ddns_IP': ICMP echo request, id 51819, seq 1024, length 64
00:24:57.122621 IP (tos 0x0, ttl 58, id 51111, offset 0, flags [DF], proto ICMP (1), length 84)
     'host the-ip-that-fails' > 'wan_ddns_IP': ICMP echo request, id 51819, seq 1025, length 64
00:24:58.124824 IP (tos 0x0, ttl 58, id 51855, offset 0, flags [DF], proto ICMP (1), length 84)
     'host the-ip-that-fails' > 'wan_ddns_IP': ICMP echo request, id 51819, seq 1026, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

To me, both outputs seem the same. What is missing?
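
Added example (not part of the thread): the filter used above, with src set to host A and dst set to the router, can only match echo requests, so replies never appear in either capture whether or not the router sends them. A filter such as `icmp and host <A>` captures both directions, and the script below pairs requests with replies by id and seq. The function names and the documentation-range addresses in the sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pair ICMP echo requests with replies in tcpdump text output.
# On the router, capture both directions (HOST_A is a placeholder):
#   tcpdump -i any -n -v "icmp and host $HOST_A"

# Constructed sample capture (documentation addresses, not from the thread):
# 203.0.113.10 = host A, 198.51.100.5 = router WAN. seq 25 gets no reply.
sample_capture() {
    cat <<'EOF'
00:20:36.702535 IP (tos 0x0, ttl 58, id 56445, offset 0, flags [DF], proto ICMP (1), length 84)
    203.0.113.10 > 198.51.100.5: ICMP echo request, id 52420, seq 24, length 64
00:20:36.702901 IP (tos 0x0, ttl 64, id 1201, offset 0, flags [none], proto ICMP (1), length 84)
    198.51.100.5 > 203.0.113.10: ICMP echo reply, id 52420, seq 24, length 64
00:20:37.722878 IP (tos 0x0, ttl 58, id 57052, offset 0, flags [DF], proto ICMP (1), length 84)
    203.0.113.10 > 198.51.100.5: ICMP echo request, id 52420, seq 25, length 64
00:20:38.742942 IP (tos 0x0, ttl 58, id 57284, offset 0, flags [DF], proto ICMP (1), length 84)
    203.0.113.10 > 198.51.100.5: ICMP echo request, id 52420, seq 26, length 64
00:20:38.743310 IP (tos 0x0, ttl 64, id 1202, offset 0, flags [none], proto ICMP (1), length 84)
    198.51.100.5 > 203.0.113.10: ICMP echo reply, id 52420, seq 26, length 64
EOF
}

# Reads tcpdump text on stdin. Prints each echo request that has no reply
# with the same id/seq and swapped addresses, then a one-line summary.
unanswered_pings() {
    awk '
    /ICMP echo (request|reply),/ {
        src = dst = id = seq = ""
        for (i = 1; i <= NF; i++) {
            if ($i == ">")   { src = $(i-1); dst = $(i+1); sub(/:$/, "", dst) }
            if ($i == "id")  { id = $(i+1);  sub(/,$/, "", id) }
            if ($i == "seq") { seq = $(i+1); sub(/,$/, "", seq) }
        }
        if ($0 ~ /echo request,/) { n++; req[n] = src " " dst " id=" id " seq=" seq }
        else answered[dst " " src " id=" id " seq=" seq] = 1   # key as the request saw it
    }
    END {
        for (k = 1; k <= n; k++)
            if (!(req[k] in answered)) { miss++; print "unanswered: " req[k] }
        printf "requests=%d unanswered=%d\n", n, miss
    }'
}

sample_capture | unanswered_pings
```

If every request from host A is listed as unanswered while the same run for host B lists none, the router is receiving the pings and the reply path or a rule matching host A is where to look.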

I think I spotted it. I had a port forwarding rule and this seemed to block ICMP replies.

As soon as I disabled it, the ICMP replies came properly.
However, it is strange because on another identical router with the same setup, ping was working without any issue.

I need to thank all of you for your support and I am grateful for your suggestions. I will follow them as soon as possible.
Thanks once again.

is the IP address of host A …
tcpdump is a fantastic tool to debug network issues.

My mistake was that I misunderstood

'host the-ip-that-fails'

and didn’t realize that host was part of the command and not part of the 'the-ip-that-fails' (because it was within ''). 😳
But indeed, it’s a great tool. Thanks again!
