Bob,

Pierre is right...

I was trying to trace the other machine (216.153.135.10) but I 
couldn't... that machine is down or filtered...

but, here we go... 64.65.210.2 is your isp's router... 64.65.206.1 is 
the interface in that router serving as your router...

my last hop before 216.153.135.10 was 64.65.210.2... the same guy that 
works as your router...

so your machine 216.153.135.10 to 64.65.206.24...

let's do a fictitious trace...

216.153.135.10> traceroute 64.65.206.24

   1    20 ms    19 ms    21 ms  64.65.210.2
   2    19 ms    19 ms    20 ms  64.65.206.1
   3    22 ms    21 ms    20 ms  64.65.206.24

(until now everything is ok! your machine replied... let's continue...)

   4    21 ms    25 ms    27 ms  208.178.159.66
   5    21 ms    32 ms    85 ms  208.178.159.65

(we are leaving your network by the T1! oh my god!!!)

   6    32 ms    30 ms    24 ms  64.65.210.2

(we are close now!!! very close!!! :-)

but... your ISP's router says...

-Hey!! that packet... its header says it comes from 64.65.206.24! That 
packet is coming from my network! But... if it's from my network... why 
does it come from the other ISP's network??? Filter!! Filter!!!

The filter says:

-Aha!!! A spoof!!! A spoof!! I knew it would happen!!! That freakin' 
bastard is trying to spoof us! DOS!! DOS! Attacks... I knew it!

- Let's see the rules... the rules say... DISCARD!! let's discard the 
bastard!! We saved the world...

So your packets never reach the other machine...

Sorry... I know that the answer is colorful... but I need to stay 
awake... :-)))

Bob Puff@NLE wrote:

> Hi Pierre,
> 
> Thanks for the reply.  Ok, here's a little more detail:
> 
> DSL ISP:
> ========
> Machine IP: 64.65.206.24   Netmask: 255.255.255.0  (I actually have 32 IPs, but that's
>                            the mask they say to use, and it does work properly, even if
>                            I ping machines outside my own network, yet within that netmask.)
> Gateway IP: 64.65.206.1    (which apparently is an alias for 64.65.210.162)
> 
> 
> T1 ISP:
> Machine IP: 208.178.159.66  Netmask: 255.255.255.224 (I have 16 IPs)
> Gateway IP: 208.178.169.65  (which is my t1 router: 208.49.135.222)
> 
> Topology (you were real close!):
> 
> 
>  64.65.206.24    ---------- DSL ISP------------216.153.135.10 (netmask 255.255.255.0)
>            eth1 /             |                (a remote user on the same ISP)
>        LM7.1                  |
>            eth3 \             |
>  208.178.159.66  ---------- T1 ISP
> 
> In this example, the box at 216.153.135.10 cannot see 64.65.206.24.
> 
> 
>> So... from say 64.65.210.162, "ping 64.65.206.24" is seen by LM7.1 and reply
>> goes out T1; but reply is not seen by 64.65.210.162...  if so, read on...
> 
> 
> Most likely yes.  Also note from my other message that a TCPDUMP shows an error packet returning
> to me from 216.153.135.10, saying "Admin prohibit filter" or something like that.
> 
> 
>> Without specific addresses, I can only suspect you are experiencing the rule
>> which states:  "a packet from netX cannot be routed through netY and back to
>> netX" [EXCEPT if the final destination is netZ]*
>> 
>> * the exception is not written up anywhere that I know of; but I did discover it
>> circa 1989.
> 
> 
> Really?  If that indeed is the case, then how do people that have multiple providers handle
> this situation?
> 
> Bob
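
The filtering decision described in the reply above, modelled as an added example that is not part of the original thread. The interface names are hypothetical, treating 64.65.206.0/24 as the DSL ISP's own prefix is an assumption based on the netmask quoted in the thread, and the case where the reply leaves over the DSL link is a what-if added for contrast.

```python
import ipaddress

# Assumption: the DSL ISP considers 64.65.206.0/24 (the netmask quoted in the
# thread) to be its own address space. Interface names are hypothetical.
ISP_OWN_PREFIXES = [ipaddress.ip_network("64.65.206.0/24")]
CUSTOMER_IF = "customer-dsl"    # link towards the customer at 64.65.206.24
PEERING_IF = "upstream-peer"    # link towards other ISPs' networks


def ingress_filter(src, arrival_if):
    """Anti-spoofing check at the DSL ISP's router.

    A packet whose source address belongs to the ISP's own prefixes must
    arrive on the customer-facing interface. If it arrives from outside,
    the router treats it as spoofed and discards it.
    """
    src_ip = ipaddress.ip_address(src)
    claims_internal = any(src_ip in net for net in ISP_OWN_PREFIXES)
    if claims_internal and arrival_if != CUSTOMER_IF:
        return "DISCARD"
    return "FORWARD"


def reply_fate(reply_src, egress_link):
    """Verdict for the multihomed host's reply, given the link it left on.

    egress_link is "t1" (reply detours through the other ISP and reaches the
    DSL ISP from outside) or "dsl" (reply goes straight back the way the
    request came in).
    """
    arrival_if = CUSTOMER_IF if egress_link == "dsl" else PEERING_IF
    return ingress_filter(reply_src, arrival_if)


if __name__ == "__main__":
    # Constructed cases, using the addresses from the thread.
    cases = [
        ("64.65.206.24", "t1"),     # the situation in the thread
        ("64.65.206.24", "dsl"),    # what-if: reply leaves on the DSL link
        ("208.178.159.66", "t1"),   # T1 address leaving on the T1 link
    ]
    for src, link in cases:
        print(f"src={src:15} out via {link:3} -> {reply_fate(src, link)}")
```

The first case is the one in the thread: the reply carries the DSL address as its source but reaches the DSL ISP from another network, so it is dropped before it gets to 216.153.135.10.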

