All,
I've noticed that if someone performs a traceroute to a 44net address routed via an IPIP tunnel on OpenWRT versions 14 or 15 (tested), the router gives the Public, Commercial IP address of the device instead of a 44net IP on tunl0, or any assigned forwarded interface.
Without intricate detail, this is by design of the Operating System, as the kernel re-packets an ICMP TTL Exceeded, and seems not to connect that new packet as RELATED to the Received Packet in which the TTL had Exceeded. This is fine when all local IPs are Private IPs, or should be forwarded via the Kernel's Gateway; but as they are not, and the only gateway the kernel knows is the physical WAN, the ICMP TTL Exceeded Packet is given the Kernel's source address (with Gateway), and sent hence - a leaked TTL Exceeded packet.
Reason: the least computationally difficult method to protect our gateways from rogue packets is to not publicize/announce our Public WAN-facing IP address.
In order to prevent this, a RAW Packet Filter rule for all packets received via tunl0 with a TTL < 2 can be created, preventing processing of TTL exceeded packets for non-44net IPs:
    iptables -t raw -I PREROUTING -i tunl0 -m ttl --ttl-lt 2 -j DROP
    iptables -t raw -I PREROUTING -s 44.0.0.0/8 -d 44.xxx.xxx.xxx/xx -i tunl0 -m ttl --ttl-lt 2 -j ACCEPT
Those using OpenWRT, please test and confirm the issue and its fix.
73,
-Lynwood KB3VWG
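As an added check to confirm the issue and the fix (not part of Lynwood's post), a small Python script that parses traceroute output and flags any hop answering from outside 44.0.0.0/8 after the path has already entered 44net, which is the signature of the leaked TTL Exceeded packet described above. The traceroute text and all addresses in it are constructed; after the raw DROP rule is in place the leaking hop shows up as timeouts instead.

```python
import ipaddress
import re

HAMNET = ipaddress.ip_network("44.0.0.0/8")  # 44net, as in the post

# Constructed traceroute output: hop 5 answers from a public commercial
# address although hops 4 and 6 are inside 44net (the leak).
LEAKING_TRACEROUTE = """\
traceroute to 44.10.20.30 (44.10.20.30), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.512 ms
 2  * * *
 3  gw.example.net (203.0.113.1)  9.811 ms
 4  44.10.20.1 (44.10.20.1)  31.204 ms
 5  198.51.100.7 (198.51.100.7)  45.330 ms
 6  44.10.20.30 (44.10.20.30)  47.002 ms
"""

# Constructed output after the raw-table DROP rule: the router no longer
# generates TTL Exceeded for hop 5, so that hop times out.
FIXED_TRACEROUTE = LEAKING_TRACEROUTE.replace(
    " 5  198.51.100.7 (198.51.100.7)  45.330 ms", " 5  * * *")

# Matches "<hop>  <host> (<ip>)" as well as "<hop>  <ip>"; '*' hops do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\()?(\d+\.\d+\.\d+\.\d+)\)?")


def parse_hops(text):
    """Return (hop_number, ip) for every hop that answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ipaddress.ip_address(m.group(2))))
    return hops


def leaked_hops(text, net=HAMNET):
    """Hops that answer from outside `net` once the path has entered it.

    After the first 44net hop every later responder should be in 44net;
    a non-44net address there is a router replying with its WAN IP."""
    inside = False
    leaks = []
    for hop, ip in parse_hops(text):
        if ip in net:
            inside = True
        elif inside:
            leaks.append((hop, str(ip)))
    return leaks


if __name__ == "__main__":
    print("before fix:", leaked_hops(LEAKING_TRACEROUTE))
    print("after fix:", leaked_hops(FIXED_TRACEROUTE))
```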