DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
2927 blocking its own icmp access with firmware 4.4.0?
04 May 2022 20:04 #101090
by duncanw
I have upgraded my Vigor 2927 to firmware 4.4.0 and that causes a somewhat strange effect, not sure if that is a feature or a bug;
Since the upgrade the device itself is not able anymore to perform an ICMP (ping or traceroute);
For example, if I go to Diagnostics > Trace Route and try 1.1.1.1 it returns me
Code:
traceroute to 1.1.1.1, 30 hops max through WAN1 protocol ICMP
1 Request timed out. *
2 Request timed out. *
Trace complete.
Also, when I configure WAN Connection Detection to 'Ping Detect' it won't be able to detect that the connection is up because it fails to perform the ping (it also doesn't show the chart anymore in Diagnostics > Traffic Graph > Ping Detect).
When I switch off the firewall (Data Filter: Disable) it works again.
I didn't make any config changes, only upgraded to FW 4.4.0, all worked okay before.
Am I doing something wrong here?
Thanks
05 May 2022 08:52 #101091
by piste basher
I've "upgraded" my 2927ax to 4.4.0 and I get:-
traceroute to 1.1.1.1, 30 hops max through WAN1 protocol ICMP
1 51.148.72.23 20 ms
2 51.148.73.206 20 ms
3 51.148.73.195 20 ms
4 195.66.225.179 20 ms
5 172.70.87.2 30 ms
6 1.1.1.1 20 ms
Trace complete.
Firewall is on. Which 2927 are you using?
18 May 2022 21:32 #101161
by philg
Phil - Vigor 2927 Dual Wan Giganet 950/950 on WAN1 (PPPoE) and Virgin Business 350/40 (5 Static IP) on WAN2 (as backup)
Just to say, I had this problem when I tried 4.4.0 yesterday.
It prevented WAN2 from working at all (perhaps because it couldn't ping so it thought it was offline) and my static site-site VPN also failed (maybe for the same reason, I'm not sure). I had to roll back to 4.3.2 as I didn't have the time to diagnose it (I wonder if starting from scratch with the RST firmware might be a better option).
30 May 2022 22:30 #101217
by philg
A little (or maybe not so little) update for you, I got in touch with support about my IPv6 issue - their response was a little disappointing in that they said IPv6 is NOT hardware accelerated. But they suggested I try the latest 4.4.2 RC1 firmware (not publicly available). Having already tried the 4.4.0 I was a little cautious and rightly so as it turned out!
The same problem as reported above - router dropping ICMP (replies) and ALL traffic to the router itself (while accepting traffic incoming through NAT and firewall rules). But what I found is that in the Firewall setup, there is a new "interface" "WAN -> Local". This new interface seems to be the cause - if you add rules to allow ICMP from WAN -> LOCAL then suddenly PINGs worked again. However, the same applied for anything to the router, DNS queries, NTP queries, DHCPv6, ICMPv6 and others - the requests went out, but the replies were blocked. Kind of made it impossible to work with and I once again reverted to 4.3.2 backups.
I got a lot of it working by adding several pages of rules that I wouldn't expect to have to add (also initially I got it working by setting the default firewall rule to PASS not BLOCK and that proved it!).
I replied to support with a long list of things that I found, only to be told along the lines of they were not relevant to my problem and why was I telling them - as if somehow reporting issues with a release candidate firmware is a bad thing?!
Shame because there looks to be some good stuff coming in 4.4.x - but it needs a little TLC before release I think!
So I'm back at square one - turned off IPv6 to be able to make use of my line speed (950Mbit synchronous). And if indeed IPv6 is not accelerated like IPv4, I feel a little short changed. Granted IPv6 is barely used but still - when it is enabled, it's the default protocol chosen by modern OS's and instantly reduces my network speeds by 2/3rds (and no doubt increases my energy bill and heat in the router cupboard with that extra CPU usage!!!)
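A toy model of the behaviour described in the post above, added here as an illustration and not part of the original thread or of DrayTek's firmware: it assumes "WAN -> Local" acts as a default-BLOCK filter on packets addressed to the router itself, and compares per-protocol pass rules, a default of PASS, and matching replies against router-originated requests. The function names, rule helpers and sample packets are constructed for the example.

```python
from collections import namedtuple

# sport/dport are the remote and router-side ports; both are 0 for ICMP here.
Packet = namedtuple("Packet", "proto src sport dport label")

# Requests the router itself sent, as (proto, remote, remote port, local port).
# Constructed sample data; only 1.1.1.1 comes from the thread.
OUTBOUND = {
    ("icmp", "1.1.1.1", 0, 0),            # ping detect / traceroute
    ("udp", "192.0.2.53", 53, 40001),     # router's own DNS query
    ("udp", "192.0.2.123", 123, 40002),   # router's own NTP query
}

# Constructed packets arriving from the WAN, addressed to the router itself.
INBOUND = [
    Packet("icmp", "1.1.1.1", 0, 0, "echo reply"),
    Packet("udp", "192.0.2.53", 53, 40001, "dns reply"),
    Packet("udp", "192.0.2.123", 123, 40002, "ntp reply"),
    Packet("tcp", "203.0.113.9", 51000, 443, "unsolicited tcp/443"),
    Packet("udp", "203.0.113.9", 53, 40001, "unsolicited udp from port 53"),
]

def is_reply(p):
    # True when the packet answers a request recorded in OUTBOUND.
    return (p.proto, p.src, p.sport, p.dport) in OUTBOUND

def wan_to_local(packets, default="BLOCK", track_replies=False, allow=()):
    """Return the labels of packets admitted to the router itself."""
    admitted = []
    for p in packets:
        if track_replies and is_reply(p):
            admitted.append(p.label)      # matches router-originated traffic
        elif any(rule(p) for rule in allow):
            admitted.append(p.label)      # explicit WAN -> Local pass rule
        elif default == "PASS":
            admitted.append(p.label)      # nothing matched, default decides
    return admitted

def allow_icmp(p):
    return p.proto == "icmp"

def allow_udp_from_53(p):
    return p.proto == "udp" and p.sport == 53

if __name__ == "__main__":
    print("default BLOCK: ", wan_to_local(INBOUND))
    print("+ ICMP rule:   ", wan_to_local(INBOUND, allow=[allow_icmp]))
    print("+ port-53 rule:", wan_to_local(INBOUND, allow=[allow_udp_from_53]))
    print("reply tracking:", wan_to_local(INBOUND, track_replies=True))
    print("default PASS:  ", wan_to_local(INBOUND, default="PASS"))
```

The port-53 rule shows why static pass rules are wider than reply matching: it also admits a packet from a host the router never queried, and a default of PASS admits everything addressed to the router.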