How to get traceroute working

Stealthing the router means that certain things, such as traceroute, no longer work correctly. If you run a traceroute from Windows, it returns only the last step and none of the ones in between, as shown below:

A failed traceroute screen

For the intermediate results to be returned, you need a rule that allows ICMP Type 11 (Time Exceeded) packets in, because those are the replies the intermediate hops send back. The rule you need to add is shown below:

The Add IP Filter screen

The numbered settings are the ones you need to change:

1 - Set the Rule ID so that it is 5 above the stealth rule, so that it is processed after it.

2 - Make sure that Action is set to Accept, so that the packets can get in.

3 - It is Incoming packets we want to let through, so set this to Incoming.

4 - I have set the interface to ppp-0, as this is the WAN interface (the internet connection), and is the only place I would expect these packets to come from.

5 - Here you specify that the rule applies to packets whose protocol is Equal (eq) to ICMP.

6 - Here we further narrow it down to ICMP Type 11, which is the specific type of ICMP packet we want to let in.

Then click Submit to add the rule.

The screen showing a list of IP Filter Rules

The rule is now in your IP Filters rules list, and traceroute will work:

A successful Traceroute
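
The match this rule performs, written out in Python as an added example (not part of the original page and not the router's own code): it accepts only incoming ICMP Type 11 on ppp-0 and reads the probe header that a hop reply quotes back. The function names and the sample packets are assumptions constructed for illustration, using documentation address ranges.

```python
import struct

ICMP_PROTO = 1       # IPv4 protocol number for ICMP
TIME_EXCEEDED = 11   # ICMP Type 11, the only type the rule lets in

def build_ipv4(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 packet for the samples below (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def rule_accepts(packet, direction, interface):
    """Mirror the rule on this page: Incoming, ppp-0, protocol eq ICMP, type eq 11."""
    if direction != "incoming" or interface != "ppp-0":
        return False
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                      # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or packet[9] != ICMP_PROTO or len(packet) < ihl + 8:
        return False
    return packet[ihl] == TIME_EXCEEDED   # first ICMP byte is the type

def quoted_destination(packet):
    """Return the destination of the probe quoted inside a Time Exceeded message."""
    ihl = (packet[0] & 0x0F) * 4
    inner = packet[ihl + 8:]              # 8-byte ICMP header, then the quoted datagram
    if len(inner) < 20:
        return None
    return ".".join(str(b) for b in inner[16:20])

# Constructed sample traffic; 192.0.2.10 stands in for the router's WAN address.
PROBE = build_ipv4((192, 0, 2, 10), (198, 51, 100, 7), ICMP_PROTO,
                   struct.pack("!BBHHH", 8, 0, 0, 1, 1), ttl=1)      # echo request, TTL 1
HOP_REPLY = build_ipv4((203, 0, 113, 1), (192, 0, 2, 10), ICMP_PROTO,
                       struct.pack("!BBHI", 11, 0, 0, 0) + PROBE[:28])  # Time Exceeded
ECHO_REPLY = build_ipv4((198, 51, 100, 7), (192, 0, 2, 10), ICMP_PROTO,
                        struct.pack("!BBHHH", 0, 0, 0, 1, 1))        # from the final hop

if __name__ == "__main__":
    for name, pkt in (("hop reply", HOP_REPLY), ("echo reply", ECHO_REPLY)):
        print(name, "matched by this rule:", rule_accepts(pkt, "incoming", "ppp-0"))
    print("hop reply quotes a probe sent to", quoted_destination(HOP_REPLY))
```

The echo reply from the final hop is not matched here, which shows how narrow the rule is: it admits Type 11 and nothing else, and only on the WAN interface.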

You may not want this rule active all the time, so to disable it, click on the little pencil above the Stats button. You will get the following pop-up:

Modifying an existing IP Filter Rule

Select Disable, and the rule will be disabled. The Green blob by the rule on the main rule list will turn Red, indicating that it is disabled.