The traceroute page, located at Diagnostics > Traceroute, works like the traceroute command found on many platforms. It sends special packets which, as the name implies, trace a route across the network from this firewall to a remote host.
The results include a list of hops between hosts along with response times, as long as the intervening hosts support (or do not filter) traffic required for traceroute to work.
This document also includes a detailed explanation of how traceroute functions.
The GUI page to perform a traceroute contains the following options which control the behavior of the test:
- Hostname
A hostname or IP address to which the firewall will trace the route.
- IP Protocol
The address type the firewall will use when a hostname has both A (IPv4) and AAAA (IPv6) records.
- Source Address
The IP address from which the firewall will send the trace.
This is especially important when testing LAN-to-LAN VPN connectivity.
- Maximum number of hops
The maximum length of the path to trace.
The trace will stop if the path cannot be traced completely after this number of hops.
- Reverse Address Lookup
When checked, traceroute will attempt to perform a PTR lookup to locate hostnames for hops along the path.
This option slows down the process as it has to wait for DNS replies.
- Use ICMP
By default, traceroute uses UDP but that may be blocked by some routers. Check this box to use ICMP instead, which may succeed.
The page will display output once the trace is complete. Press the Stop button at any time to see the current output of the trace if it is still running or stalled.
How Traceroute Works
Every IP packet contains a time-to-live (TTL) value. When a router passes a packet it decrements the TTL by one. When a router receives a packet with a TTL of 1 and the destination is not a locally attached network, the router returns an ICMP error message “Time-to-live exceeded” and drops the packet. This limits the impact of routing loops, which otherwise would cause each packet to loop indefinitely.
Traceroute uses this TTL to its advantage to map the path to a specific network destination. It starts by sending the first packet with a TTL of 1. The first router (usually the default gateway) will send back an ICMP time-to-live exceeded error. The program outputs the time between sending the packet and receiving the ICMP error along with the IP address that sent the error and its reverse DNS, if any. After sending three packets with a TTL of 1 and displaying their response times, it increments the TTL to 2 and sends three more packets. It outputs the same types of information for the second hop. Traceroute increments the TTL and repeats the process until it reaches the specified destination or exceeds the maximum number of hops.
Traceroute functions slightly differently on Windows and Unix-like operating systems (BSD, Linux, macOS, Unix, etc.). Windows uses ICMP echo request packets (pings) while Unix-like systems use UDP packets by default. ICMP and UDP are layer 4 protocols, and traceroute is done at layer 3, so the protocol is largely irrelevant except when considering firewall rules and policy routing configurations. Traceroute from Windows clients will be policy routed based on rules which permit ICMP echo requests, while Unix-like clients will be policy routed by rules matching UDP.
In this example, traceroute is used to view the route to www.google.com:

```text
# traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 18.104.22.168
traceroute to www.l.google.com (22.214.171.124), 64 hops max, 40 byte packets
 1  core (172.17.23.1)  1.450 ms  1.901 ms  2.213 ms
 2  172.17.25.21 (172.17.25.21)  4.852 ms  3.698 ms  3.120 ms
 3  bb1-g4-0-2.ipltin.ameritech.net (126.96.36.199)  3.275 ms  3.210 ms  3.215 ms
 4  188.8.131.52 (184.108.40.206)  8.791 ms  8.593 ms  8.891 ms
 5  220.127.116.11 (18.104.22.168)  8.460 ms  39.941 ms  8.551 ms
 6  22.214.171.124 (126.96.36.199)  10.376 ms  8.904 ms  8.765 ms
 7  188.8.131.52 (184.108.40.206)  19.479 ms  20.058 ms  19.550 ms
 8  220.127.116.11 (18.104.22.168)  20.547 ms  19.761 ms
    22.214.171.124 (126.96.36.199)  20.131 ms
 9  188.8.131.52 (184.108.40.206)  30.184 ms
    220.127.116.11 (18.104.22.168)  21.337 ms  21.756 ms
10  iw-in-f99.google.com (22.214.171.124)  19.793 ms  19.665 ms  20.603 ms
```
The output shows that it took 10 hops to reach the destination and the latency generally increased with each hop, which is expected.
When utilizing policy routing, such as with Multi-WAN, the firewall itself may not appear as a hop in traceroute. When policy routing is in use, pf does not decrement the TTL when forwarding packets, so traceroute cannot detect the firewall as an intermediate router.
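The TTL walk described above, as an added model in Python (not pfSense code and not a real traceroute, since it sends no packets). The path, addresses and the hop marked as a policy-routing pfSense firewall are all constructed; the model shows why three probes per TTL can surface two addresses at one hop, as at hops 8 and 9 in the sample output, and why a hop that forwards without decrementing the TTL never appears.

```python
"""Model of the TTL-based walk that traceroute performs (constructed example)."""

# Constructed path: (addresses that may answer, decrements_ttl).
# Several addresses model equal-cost load balancing across probes.
# decrements_ttl=False models a pfSense box doing policy routing:
# pf forwards the packet with its TTL unchanged, so it never answers.
PATH = [
    (["172.17.23.1"], True),                    # default gateway
    (["192.0.2.1"], False),                     # hypothetical policy-routing firewall
    (["198.51.100.1", "198.51.100.2"], True),   # two load-balanced routers
    (["203.0.113.9"], True),
]
DEST = "203.0.113.77"                           # constructed destination


def send_probe(path, dest, ttl, probe_no):
    """Forward one probe with the given TTL; return (responder, reply_type)."""
    for addresses, decrements in path:
        if not decrements:
            continue                    # forwarded unchanged: invisible hop
        ttl -= 1
        if ttl == 0:
            # TTL hit zero here: this router sends ICMP time-to-live exceeded.
            return addresses[probe_no % len(addresses)], "ttl-exceeded"
    return dest, "reply"                # destination itself answers the probe


def traceroute(path, dest, max_hops=64, probes=3):
    """Return [(hop, [responder per probe])], stopping once dest answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responders, reached = [], False
        for n in range(probes):
            addr, kind = send_probe(path, dest, ttl, n)
            responders.append(addr)
            reached = reached or kind == "reply"
        hops.append((ttl, responders))
        if reached:
            break
    return hops


if __name__ == "__main__":
    for hop, responders in traceroute(PATH, DEST):
        # Print each hop once per distinct responder, like real traceroute output.
        print(f"{hop:2d}  " + "  ".join(dict.fromkeys(responders)))
```

With the firewall hop set to decrement the TTL instead, the same walk reports it as hop 2 and the path grows to five hops.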