On 9/4/06, Georgi Petrov <[EMAIL PROTECTED]> wrote:
Hello everybody,
I've sent this feature request to the m0n0wall mailing list, so it's a
copy-paste. Everything written can be applied to pfSense as well!
Here in Bulgaria we love m0n0wall and many people use it for home
routing purposes. Our internet is delivered by LAN cables (insane,
isn't it?) and some of my smarter friends split the service to the
neighbours. This is pretty cool because you have to pay 2-3 times less
and believe me - Bulgaria isn't the cheapest place to live in ;)
Ok, you would say - you put one m0n0wall router under your bed and pay
2 times less for internet (as well as your neighbours). What's the
problem? Here comes the problem: Almost all ISPs in Bulgaria modify
the TTL (time to live) value of all incoming packets to 1, so when
they enter the m0n0wall router, it decrements the TTL to 0 and being
zero, the packet gets dropped (and doesn't reach any of the computers
in the local network).
There is a very simple way to work around that. The FreeBSD kernel
should be compiled with IPSTEALTH option enabled. This is absolutely
harmless and does the following:
When the kernel is compiled with this option, later you can set one
sysctl variable to "1" (enabled), which will turn on the IPSTEALTH
mode. In this mode the router "hides" itself, becomes intraceable with
tracert and the most important thing is that it doesn't decrement the
TTL, so the little trick played by most ISP becomes irrelevant.
This is completely harmless to m0n0wall - it won't be enabled by
default, nothing will change for the default install, but this
functionality will be present for whoever need it! May be later a
"checkbox" could be added in the webGUI for easier accessibility.
I already run m0n0wall's FreeBSD IPSTEALTH enabled kernel and enabling
IPSTEALTH in running m0n0wall is as easy as adding
<shellcmd>sysctl net.inet.ip.stealth=1</shellcmd>
just before
</system>
The whole procedure is explained by another smart bulgarian on this
page (bulgarian language):
http://hardwarebg.com/forum/showthread.php?t=76480&highlight=TTL
So - this way the whole problem is solved and the day - saved ;)
I ask for one simple thing - could you please enable IPSTEALTH in the
next m0n0wall release, please! It's a great router/firewall - make it
even better!
# sysctl -a | grep stealth
net.inet.ip.stealth: 0
net.inet6.ip6.stealth: 0
It's already compiled in.
Have fun!
Scott
