I have a router that is set to use a 4G connection for its WAN as a failover connection. Now, in order to make this work reliably, I have to use scrub min_ttl 65.
Now, when I do this, traceroute breaks, for obvious reasons. And, from time to time, the router will run traceroute, and I need to have it working.
So, I have tried dynamically reloading the pf scrub so that the min_ttl is removed when it is time to run tcpdump. This works; the router can then successfully use traceroute.
But... the firewall then blocks ALL traffic between the LAN and WAN that is based on existing connections until those connections expire out of the state table. Some connections are sensitive (phone calls, for instance) and flushing state would cause those calls to drop.
Now, the goal here is to be able to use traceroute from the router when it is needed while not interrupting traffic between the WAN and the LAN and not facing a circumstance where the carrier throttles us based on ttl values (they shouldn't; our contract with them is explicit about what we are doing, but they do anyway because their monitoring systems are idiotic).
Does anyone know how I might accomplish this? traceroute -I has no effect; the outbound ttl is set to 65 and it doesn't work.