Destination Host Unreachable

Hi all,


I have recently switched our Internet service provider from an ADSL to a cable provider.

While testing the access to our company server I ran into a small but annoying problem.

After installing the cable provider's modem I had to change it to Bridge mode, so my AEBS would handle all the NAT and port and firewall stuff together with SERVER.

The new IP address, which is a fixed one from spo.virtua.com.br, is 201.6.116.2. I can access it from everywhere EXCEPT!!!! my home. HAHA.

My home is also on a cable from netvirtua, the cable provider. If I do a traceroute or ping to the sites it always goes to a server of virtua.com.br with the address 177.141.228.1; from there they cannot find my IP address.

Now... I am not dying because of this problem... but would like to understand the issue and know if there is a way to solve it and if there are other problems hidden that I am not aware of.

I have attached a ping and a traceroute below.

Does anyone have an explanation?




Ping foi iniciado...


PING froelicher.org (201.6.116.2): 56 data bytes

Request timeout for icmp_seq 0

36 bytes from b18de401.virtua.com.br (177.141.228.1): Destination Host Unreachable

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst

4 5 00 5400 5253 0 0000 3e 01 e195 10.0.1.184 201.6.116.2


Request timeout for icmp_seq 1

36 bytes from b18de401.virtua.com.br (177.141.228.1): Destination Host Unreachable

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst

4 5 00 5400 fbb2 0 0000 3e 01 3836 10.0.1.184 201.6.116.2


Request timeout for icmp_seq 2

Request timeout for icmp_seq 3

Request timeout for icmp_seq 4

Request timeout for icmp_seq 5

36 bytes from b18de401.virtua.com.br (177.141.228.1): Destination Host Unreachable

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst

4 5 00 5400 62c7 0 0000 3e 01 d121 10.0.1.184 201.6.116.2



Traceroute foi iniciado...


traceroute to froelicher.org (201.6.116.2), 64 hops max, 72 byte packets

1 10.0.1.1 (10.0.1.1) 1.996 ms 0.972 ms 1.078 ms

2 b18de401.virtua.com.br (177.141.228.1) 53.919 ms 25.975 ms 39.281 ms

3 * * *

4 * * *

5 * * *

6 * * *

7 * * *

8 * * *

9 * * *

10 * * *

11 * * *

12 * * *

13 * * *

14 * * *

15 * * *

16 * * *

17 * * *

18 * * *

19 * * *

20 * * *

21 * * *

22 * b18de401.virtua.com.br (177.141.228.1) 3325.365 ms !H 849.976 ms !H

Mac mini Server (Mid 2010), OS X Server

Posted on Aug 9, 2014 10:54 AM

8 replies
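The ping output above carries more information than the "Destination Host Unreachable" line itself: beneath each error, macOS ping prints the IP header of the original packet that the reporting router quoted back inside the ICMP message. The following parser, added here as a worked example and not code from the original post, reads that output and pulls out who reported the error, what the quoted packet's TTL was, and therefore how many hops the packet travelled before being dropped. The sample text is copied from the post above; the initial TTL of 64 is an assumption (the BSD/macOS default for ping).

```python
import ipaddress
import re

# Constructed sample: the ping output from the opening post, used here as
# parser input. Blank lines are tolerated because the forum added them.
SAMPLE_PING = """\
PING froelicher.org (201.6.116.2): 56 data bytes
Request timeout for icmp_seq 0
36 bytes from b18de401.virtua.com.br (177.141.228.1): Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 5253 0 0000 3e 01 e195 10.0.1.184 201.6.116.2

Request timeout for icmp_seq 1
36 bytes from b18de401.virtua.com.br (177.141.228.1): Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 fbb2 0 0000 3e 01 3836 10.0.1.184 201.6.116.2
"""

UNREACH_RE = re.compile(
    r"^\d+ bytes from (\S+) \((\d+\.\d+\.\d+\.\d+)\): (Destination \w+ Unreachable)"
)
TIMEOUT_RE = re.compile(r"^Request timeout for icmp_seq \d+")
# Column names exactly as macOS ping prints them above the quoted header.
HEADER_COLS = ["Vr", "HL", "TOS", "Len", "ID", "Flg", "off", "TTL", "Pro", "cks", "Src", "Dst"]

INITIAL_TTL = 64  # assumption: default initial TTL of macOS/BSD ping


def parse_icmp_errors(text):
    """Return one dict per ICMP error line, with the quoted inner IP header decoded.

    The quoted header is the packet as the reporting router saw it, so its TTL
    tells how many hops it had already crossed. Its Len field is printed
    byte-swapped here (5400 = 0x0054 = 84 bytes: 20 IP + 8 ICMP + 56 data).
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    errors = []
    for i, line in enumerate(lines):
        m = UNREACH_RE.match(line)
        if not m:
            continue
        entry = {"reporter_name": m.group(1), "reporter_ip": m.group(2), "message": m.group(3)}
        # The two following lines are the column header and the quoted inner header.
        if i + 2 < len(lines) and lines[i + 1].split() == HEADER_COLS:
            fields = dict(zip(HEADER_COLS, lines[i + 2].split()))
            ttl = int(fields["TTL"], 16)
            entry.update({
                "inner_src": fields["Src"],
                "inner_dst": fields["Dst"],
                "inner_ttl": ttl,
                "hops_consumed": INITIAL_TTL - ttl,
                "protocol": "ICMP" if fields["Pro"] == "01" else fields["Pro"],
                # A private quoted source means the NAT device rewrote the quoted
                # header back to the LAN address before handing the error to ping.
                "inner_src_private": ipaddress.ip_address(fields["Src"]).is_private,
            })
        errors.append(entry)
    return errors


def summarize(text):
    """Aggregate the errors: which routers reported, at what hop depth, and how many probes simply timed out."""
    errs = parse_icmp_errors(text)
    return {
        "error_count": len(errs),
        "timeouts": sum(1 for ln in text.splitlines() if TIMEOUT_RE.match(ln)),
        "reporters": sorted({e["reporter_ip"] for e in errs}),
        "hops_consumed": sorted({e["hops_consumed"] for e in errs if "hops_consumed" in e}),
        "targets": sorted({e["inner_dst"] for e in errs if "inner_dst" in e}),
    }


if __name__ == "__main__":
    for e in parse_icmp_errors(SAMPLE_PING):
        print(e)
    print(summarize(SAMPLE_PING))
```

For the posted output the summary shows a single reporter, 177.141.228.1, and a quoted TTL of 0x3e (62), i.e. two hops consumed, which agrees with the traceroute where that same router is hop 2 and everything beyond it is silent. A "Destination Host Unreachable" from a hop that close means the ISP's first router has no route or ARP entry for 201.6.116.2 from this side, which is a provisioning or routing question for the ISP rather than anything on the AEBS or the server.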

Aug 9, 2014 2:59 PM in response to Pierre Froelicher1

One clue is, my own home IP address is in the same subnet as virtua's server.

When I make a reverse lookup for my IP address, it does not come to my domain...but gets blocked at virtua's server firewall.


Now.. what do I have to ask them to change?? I am not so savvy as to know what they must change on their name servers..or wherever..



Your IP is 177.141.229.223

Reverse lookup – Gets hostname by IP address

IP address or host name: c9067402.static.spo.virtua.com.br

Aug 9, 2014 3:20 PM in response to Pierre Froelicher1

After installing the cable provider's modem I had to change it to Bridge mode, so my AEBS would handle all the NAT and port and firewall stuff together with SERVER.

It is much more common to use the ISP's devices to provide DHCP (NAT) and provide the FireWall. Then your AEBS in Bridge mode provides the actual WiFi Access point.


What is required for advanced Server to work is correct forward and reverse lookup of your Fully Qualified Domain Name <--> IP Address of your Server.


Inside your network, it can look up to a "private" IP Address in one of the 192.168.xxx.yyy, 176.xxx.yyy.zzz, or 10.xxx.yyy.zzz ranges. If this does not already work automatically, you need to set up a DNS Server somewhere inside your Network, or use the ISP's DNS and Port Forwarding to go outside and back in again.


Outside your Network, your ISP needs to provide a mapping to your Router's IP Address, and you use Port forwarding to forward to the Manual, fixed IP Address of your Server. Or you need to buy a DNS mapping from somebody, because the Internet cannot see the private IP Addresses inside your Network. Do you have an Internet-visible Fully Qualified Domain Name that uniquely identifies your Network?

Aug 10, 2014 1:17 AM in response to Grant Bennet-Alder

Grant Bennet-Alder wrote:


After installing the cable provider's modem I had to change it to Bridge mode, so my AEBS would handle all the NAT and port and firewall stuff together with SERVER.

It is much more common to use the ISP's devices to provide DHCP (NAT) and provide the FireWall. Then your AEBS in Bridge mode provides the actual WiFi Access point.


I usually use the ISP modem in its bridged setting, my own firewall doing NAT (preferably with an embedded VPN server), then AirPort or Time Capsule providing Access Point (bridged) access to the private network.

Inside your network, it can look up to a "private" IP Address in one of the 192.168.xxx.yyy, 176.xxx.yyy.zzz, or 10.xxx.yyy.zzz ranges. If this does not already work automatically, you need to set up a DNS Server somewhere inside your Network, or use the ISP's DNS and Port Forwarding to go outside and back in again.


Ayup. To elaborate on that, 192.168.0.0/16, 172.16.0.0/12 (that's also 172 and not 176, too), or 10.0.0.0/8, and preferably not in a subnet in one of the private blocks that is likely to be used elsewhere, as VPNs don't work well when the same IP subnet is in use on both ends of the connection.


FWIW, it's not usually correct to have public IP addresses behind NAT. (Do you have a block of public static IP addresses?)


If the external IP address is referenced from within the NAT'd network, the device performing NAT will have to reflect it back into the network. Or your local DNS configuration will be split-horizon or split-brain; configured as authoritative for the same DNS name(s) you're using in the public DNS services — split-horizon DNS can have its own configuration and management hassles — and translate the domain name to the local address. Otherwise — my usual recommendation — you use a subdomain of your registered domain or a separate domain you've registered or (less desirably) a bogus domain.


But if you're not getting the traffic sent to the external address to the target server, then either your local IP routing is misconfigured (and unless you have a block of public IP addresses, it's unusual to use public addresses on a private network — NAT is the usual solution, or sometimes using IPv6 if your ISP is clueful or if you set up a tunnel), or the device performing NAT is not reflecting the traffic back into the network (I haven't used AirPort or TC for this), or the device performing NAT is reflecting the traffic somewhere that's not getting a response — see if the traffic is getting to the target based on the log files on the server, is but not making it back to the client.

Aug 13, 2014 8:04 PM in response to MrHoffman

Mr Hoffmann, Grant,

Thanks for your excellent suggestions.

I do not want to use the ISP's modem because I run SERVER and it works well together with the AEBS.

After much pondering I phoned my ISP provider NET and they sent me a more or less qualified person, who, after checking which hosts were open, confirmed that my setting with bridge mode and fixed IP on the AEBS should just work fine. After some testing he came to the conclusion that "they" forgot to register my modem as a fixed IP modem. Now "nearly" everything works. My site is up and running. However!!!! The problem that I cannot access the site from my home, only from there!! still persists.


I show you a traceroute from ping.eu (which is in Europe) and from my home. I asked the ISP for help...but they just tell me to switch off the modem HAHA.


FROM EUROPE (it works, although it does not get to my IP address 201.6.116.2)

ops max, 60 byte packets

1 static.121.168.4.46.clients.your-server.de (46.4.168.121) de 0.947 ms 1.028 ms 1.051 ms
2 hos-tr3.juniper2.rz13.hetzner.de (213.239.224.65) de 0.509 ms
  hos-tr2.juniper1.rz13.hetzner.de (213.239.224.33) de 0.152 ms
  hos-tr1.juniper1.rz13.hetzner.de (213.239.224.1) de 0.273 ms
3 core22.hetzner.de (213.239.245.121) de 0.272 ms
  core21.hetzner.de (213.239.245.81) de 4.110 ms
  core22.hetzner.de (213.239.245.121) de 0.272 ms
4 core11.hetzner.de (213.239.245.221) de 2.770 ms 2.786 ms
  core12.hetzner.de (213.239.245.29) de 2.766 ms
5 juniper4.rz2.hetzner.de (213.239.245.26) de 2.765 ms 3.078 ms 2.758 ms
6 r1nue1.core.init7.net (77.109.135.101) ch 2.925 ms
  r1nue2.core.init7.net (82.197.163.29) ch 3.313 ms
  r1nue1.core.init7.net (77.109.135.101) ch 2.925 ms
7 r1***1.core.init7.net (77.109.140.253) ch 24.149 ms 24.208 ms
  r1nue1.core.init7.net (77.109.140.153) ch 2.872 ms
8 r1***1.core.init7.net (77.109.140.253) ch 23.383 ms 23.396 ms 23.105 ms
9 r1nyc2.core.init7.net (77.109.140.106) ch 84.871 ms 84.988 ms
  r1nyc1.core.init7.net (77.109.140.194) ch 85.048 ms
10 r1nyc2.core.init7.net (77.109.140.106) ch 85.079 ms
11 ebt-BP1111-tcore01.spo.embratel.net.br (200.230.220.45) br 203.793 ms *
12 ebt-B12-tcore01.spoph.embratel.net.br (200.230.158.29) br 203.619 ms
   ebt-BP1111-tcore01.spo.embratel.net.br (200.230.220.45) br 202.088 ms 201.870 ms
13 ebt-T0-7-0-3-uacc03.spoph.embratel.net.br (200.230.159.77) br 200.752 ms 200.448 ms 200.611 ms
14 200.843 ms
   netservicos-T0-0-0-1-uacc03.spoph.embratel.net.br (200.212.132.2) br 200.407 ms 200.813 ms
15 c9062ac5.virtua.com.br (201.6.42.197) br 200.750 ms
   netservicos-T0-0-0-1-uacc03.spoph.embratel.net.br (200.212.132.2) br 200.732 ms 201.958 ms
16 c90600c6.virtua.com.br (201.6.0.198) br 203.346 ms
   c9062ac5.virtua.com.br (201.6.42.197) br 203.718 ms
   c90600c6.virtua.com.br (201.6.0.198) br 203.346 ms
17 c906218d.virtua.com.br (201.6.33.141) br 211.409 ms 228.337 ms
   c90600c6.virtua.com.br (201.6.0.198) br 203.550 ms
18 c906218d.virtua.com.br (201.6.33.141) br 212.486 ms
19 * * *
20 * * *
21 * * *

No reply for 3 hops. Assuming we reached firewall.



And from my home (it does not work!!)

Traceroute foi iniciado...


traceroute to embatek.com.br (201.6.116.2), 64 hops max, 72 byte packets

1 10.0.1.1 (10.0.1.1) 1.845 ms 1.144 ms 0.920 ms

2 * b18de401.virtua.com.br (177.141.228.1) 1094.118 ms *

3 * * *

4 * * *

5 * * *

6 * * *

7 * * *

8 * * *


It seems this 177.141.228.1 router is blocking access.


Does anybody have a suggestion about WHAT I have to ask them to change?

Thanks

Pierre

Aug 13, 2014 8:10 PM in response to Grant Bennet-Alder

Grant,

Thank you for your reply. I like the AEBS as router, since it works well together with the SERVER app. Inside my network I have DNS working (Mr. Hoffman helped me some years ago to get it going).

Now..outside with my new ISP I still have these problems. My domain is embatek.com.br, which should resolve to 201.6.116.2, my static IP.

However, from some places it resolves to just that..in others it resolves in reverse to my ISP's router c9067402.static.spo.virtua.com.br.. a phenomenon which I cannot understand, nor do I know if this is normal or by design.

Yours

Pierre

Aug 14, 2014 8:42 AM in response to Pierre Froelicher1

Pierre Froelicher1 wrote:


Mr Hoffmann, Grant,

Thanks for your excellent suggestions.

I do not want to use the ISP's modem because I run SERVER and it works well together with the AEBS.

After much pondering I phoned my ISP provider NET and they sent me a more or less qualified person, who, after checking which hosts were open, confirmed that my setting with bridge mode and fixed IP on the AEBS should just work fine. After some testing he came to the conclusion that "they" forgot to register my modem as a fixed IP modem. Now "nearly" everything works. My site is up and running. However!!!! The problem that I cannot access the site from my home, only from there!! still persists.


I'd check with the ISP and find out if the routing has been updated — switching to a static address usually means the firewall has been moved out of the DHCP pool that is used for dynamically-assigned addresses, and there are associated routing changes with this change. These include a different gateway router address associated with the new IP address within the firewall — these network settings can be statically assigned by you or can be provided by DHCP — yes, you can get static addresses via DHCP — depending on the ISP.


Confirm that your external static IP address is correct, including as configured on your AEBS, if you're using that as your firewall.


The times I've worked on something similar, it's either been an incorrect setting within the local firewall (wrong public IP address, wrong next-hop router in the firewall, wrong subnet, etc), or an ISP routing configuration issue. The ISP routing cases generally either clear up after a half day or so, or take a call to the ISP to resolve.


I prefer running a server-grade firewall, so it's usually something like:

  • ISP modem configured as a bridge >
  • firewall configured with VPNs and NAT >
  • switch >
  • your internal network: AEBS configured as an access point, server, printer, whatever


If it's within budget, a firewall-based DMZ can partition the server from the rest of the internal network, which can isolate breaches when the firewall and the DMZ are configured securely.

Aug 20, 2014 2:45 PM in response to MrHoffman

When I check, access to my site from another place it goes correctly to the IP.


Only from my house it gets stuck at

1 10.0.1.1 (10.0.1.1) 1.845 ms 1.144 ms 0.920 ms

2 * b18de401.virtua.com.br (177.141.228.1) 1094.118 ms *



From other places it goes like this:



Traceroute foi iniciado...

traceroute to embatek.com.br (201.6.116.2), 64 hops max, 72 byte packets

1 192.168.0.1 (192.168.0.1) 25.423 ms 536.210 ms 13.033 ms

2 b120c801.virtua.com.br (177.32.200.1) 43.423 ms 84.139 ms 25.084 ms

3 c9067402.static.spo.virtua.com.br (201.6.116.2) 37.286 ms 22.654 ms 22.181 ms


The guys at netvirtua in Brazil cannot figure this one out... I have no clue WHAT I have to ask them to do.

If anyone can give me a hint...it would be great.

Yours

Pierre

Aug 21, 2014 8:05 AM in response to Pierre Froelicher1

If the target host is 201.6.116.2 as it appears, then you're apparently getting to the target IP. Next step involves confirming the IP return path from the device (that's the gateway router setting in your gateway box — the "next hop" that's used for returning IP packets) though you're clearly getting ICMP requests back, and also probing for a firewall block; using telnet or another client to probe specific and confirmed, known-open ports. For a few of these cases, I've ended up connecting a "scratch" box directly to the network (assuming the connection is bridged), to get the gateway-router-firewall box out of the way.

The reverse DNS is incorrect, but that won't adversely affect IP routing.
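Grant's requirement of matching forward and reverse lookups, Pierre's observation that the address "resolves in reverse" to an ISP name, and the closing remark that the reverse DNS is wrong but harmless for routing can all be checked with a small script. The one below is an added example, not code from the thread: it decodes the ISP-style reverse names seen in the traceroutes (the eight hex digits in b18de401.virtua.com.br are the bytes of 177.141.228.1, and c9067402 is 201.6.116.2) and runs a forward, reverse and forward-confirmed-reverse comparison for a server name. It uses an offline stub resolver built from the values stated in the thread so it runs without network access; the `live_forward` and `live_reverse` helpers, and the regex for Virtua's naming scheme, are assumptions of this example.

```python
import re
import socket

# Virtua's auto-generated reverse names, as seen in the traceroutes above,
# encode the IPv4 address as eight hex digits before the domain.
# (Assumed pattern, generalised from the names that appear in the thread.)
GENERIC_PTR_RE = re.compile(r"^([0-9a-f]{8})\.(?:static\.)?(?:[a-z]+\.)*virtua\.com\.br\.?$")


def decode_generic_ptr(name):
    """Return the IPv4 address encoded in a Virtua-style hex PTR name, or None."""
    m = GENERIC_PTR_RE.match(name.strip().lower())
    if not m:
        return None
    h = m.group(1)
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))


# Offline stub resolver, constructed for this example from values stated in
# the thread: embatek.com.br should be 201.6.116.2, whose PTR is the ISP name.
STUB_FORWARD = {
    "embatek.com.br": "201.6.116.2",
    "c9067402.static.spo.virtua.com.br": "201.6.116.2",
}
STUB_REVERSE = {
    "201.6.116.2": "c9067402.static.spo.virtua.com.br",
    "177.141.228.1": "b18de401.virtua.com.br",
}


def stub_forward(name):
    return STUB_FORWARD.get(name.rstrip(".").lower())


def stub_reverse(ip):
    return STUB_REVERSE.get(ip)


def live_forward(name):
    """Real A lookup via the system resolver (only used when passed explicitly)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip):
    """Real PTR lookup via the system resolver (only used when passed explicitly)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_fqdn(fqdn, expected_ip, forward=stub_forward, reverse=stub_reverse):
    """Compare forward lookup, PTR and forward-confirmed reverse DNS for a server name.

    forward_ok        - the name resolves to the address the server is supposed to have
    ptr_matches_fqdn  - the PTR for that address is the server's own name
    ptr_is_isp_generic- the PTR is the ISP's hex-encoded placeholder for the address
    fcrdns_ok         - the PTR name resolves back to the same address (FCrDNS)
    """
    report = {"fqdn": fqdn, "expected_ip": expected_ip}
    a = forward(fqdn)
    report["forward_ip"] = a
    report["forward_ok"] = a == expected_ip
    ptr = reverse(expected_ip)
    report["ptr"] = ptr
    report["ptr_matches_fqdn"] = ptr is not None and ptr.rstrip(".").lower() == fqdn.lower()
    report["ptr_is_isp_generic"] = ptr is not None and decode_generic_ptr(ptr) == expected_ip
    report["fcrdns_ok"] = ptr is not None and forward(ptr) == expected_ip
    return report


if __name__ == "__main__":
    print(check_fqdn("embatek.com.br", "201.6.116.2"))
    for n in ("b18de401.virtua.com.br", "c9067402.static.spo.virtua.com.br", "b120c801.virtua.com.br"):
        print(n, "->", decode_generic_ptr(n))
```

With the thread's values the report says the forward lookup is fine, the PTR is not embatek.com.br but is the ISP's generic record for exactly that address, and the generic name does resolve back to 201.6.116.2, so forward-confirmed reverse DNS passes. That is the situation the last reply describes: cosmetically wrong for a mail server or a strict OS X Server setup that wants its own name in the PTR, but irrelevant to why packets from the home connection die at 177.141.228.1. To run it against real DNS, pass `forward=live_forward, reverse=live_reverse` to `check_fqdn`.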
