VyOS ICMP set source address

ethamitc · March 6, 2024, 9:22am

Hello,

I’m running VyOS as a BGP router for a public ipv4 network. When you ping one of the IP’s behind the router (eg 12.34.5.2), it shows the routers IP address as the one provided to me by my transit provider. but I would like it to show my IP address instead (12.34.5.1), any help on how to accomplish this is appreciated!

n.fort · March 6, 2024, 10:29am

Use tab for completion help to check options for ping:

vyos@14:~$ ping 12.34.5.2 
Possible completions:
  <Enter>               Execute the current command
  adaptive              Ping options
  allow-broadcast
  audible
  bypass-route
  count
  deadline
  do-not-fragment
  flood
  interface
  interval
  ipv4
  ipv6
  mark
  no-loopback
  numeric
  pattern
  quiet
  record-route
  size
  source-address
  timestamp
  tos
  ttl
  verbose
  vrf

      
vyos@14:~$ ping 12.34.5.2 source-address 
Possible completions:
  <Enter>               Execute the current command
  <x.x.x.x>             Ping options
  <h:h:h:h:h:h:h:h>

      
vyos@14:~$ ping 12.34.5.2 source-address y.y.y.y

aldemaro · March 6, 2024, 11:11am

I think he means the opposite: when the VyOS router is responding to external ping requests.

As far as I know the linux kernel will use the first IP on the interface to answer ping requests.

ethamitc · March 6, 2024, 7:49pm

This is correct, I want to change the IP address the router responds with. With it being the linux kernal I presume theirs no way to change that?

16again · March 13, 2024, 5:24pm

afaik, ping reply is always sourced from the ip as used in the destination in echo-request.
otherwise , remote host will be confused, by seeing a reply from another address than ping was sent to.
Hower, traceroute ttl timeouts will be sent from source IP on interface sending the packet.

Apachez · March 14, 2024, 10:41pm

For traceroute either the interface where the packet arrived at will be used to send the “ICMP TTL Exceeded” or the loopback interface if such exists - I dont recall which one the Linux kernel prefer.

If you for whatever reason want to manipulate this you can setup a SNAT rule for that.

aldemaro · March 29, 2024, 1:50pm

After some digging I found that setting net.ipv4.icmp_errors_use_inbound_ifaddr to zero will make the kernel repose to be originated by the address, not the interface.

aldemaro@staging-1-4-0# set system sysctl parameter net.ipv4.icmp_errors_use_inbound_ifaddr value 0

ethamitc · March 29, 2024, 7:22pm

Thank you so much, this worked!