Why do we need to redirect our Google DNS(8.8.8.8, 8.4.4.4, 4.2.2.2) ICMP traffic, Let me tell you about a real incident…In 2016, I was working as a consultant for One of my ISP clients and they had almost 2000 broadband users. So at first, One of their competitors made a stupid marketing strategy and said to other isp customers that in our network you can reach google DNS in 1ms and also they claimed that if google DNS ping is less than 2ms then your isp is providing you the proper bandwidth and all the end customers were trusting them on that rubbish statement.
So every day, my ISP client used to complain to me about it that how can we make it 1ms in our network, but in reality it’s not possible because the distance was almost above 2500km from my customer NOC to the google DNS server. So when I said to my client that it is a fake ping and don’t trust that, my client was not believing me and he was arguing with me to have that fake ping solution, My Isp client used to say that I need that solution anyhow so that I can fight with my competitors…So I tried it in my home lab for DNS ping redirection and finally, it worked perfectly and ultimately I get a ping in 1 ms to 8.8.8.8 but that was a fake ping but my client was very very happy and he was like crazy.
So What did I do for that..!!..??
See, Again and again, i am mentioning here that, It’s really a stupid thing to do in the network because you can’t make your customers fool with fake ICMP Echo requests and replies. But as an ISP they need to fight with their competitors because their competitors are showing the fake ICMP report of google DNS and the end-users were trusting that because the end-users are not technically efficient, and also my client was losing the business due to that stupid marketing strategy by their competitors.
So basically I configured an ICMP redirection in Mikrotik for 8.8.8.8 . so the ICMP request & replies for 8.8.8.8 shouldn’t go to the internet and instead it should be redirected to one of my Lan or wan interface IP . Even the ICMP traceroute will be redirected to my LAN interface ip of Mikrotik.
So you can give any IP in one of your interfaces and configure this below-given rule in Mikrotik and you will see that your Mikrotik will respond on ping when the users will ping to 8.8.8.8. and the ICMP traffic
to 8.8.8.8 will stay in LAN only.
Let’s look at the configuration.. I already have one IP configured in one of my interfaces.
Before we confogure ICMP redirection ,Lets check the actual latency to 8.8.8.8.
[Mikrotik-Home] > ping 8.8.8.8
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 119 48ms
1 8.8.8.8 56 119 47ms
2 8.8.8.8 56 119 47ms
3 8.8.8.8 56 119 47ms
4 8.8.8.8 56 119 47ms
sent=5 received=5 packet-loss=0% min-rtt=47ms avg-rtt=47ms max-rtt=48ms
[Mikrotik-Home] >
//////////As you can see above ,The Actual Latency is 47ms. Now lets go ahead and configure a new IP Address on one port and to that IP we will redirect the ICMP traffic for 8.8.8.8
//IP Address Configuration..
/ip address
add address=10.11.12.1/32 comment=DNS-FAKE-PING interface=ether5 network=10.11.12.1
//Now Lets configure a redirection of ICMP for 8.8.8.8
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=8.8.8.8 protocol=icmp to-addresses=10.11.12.1
Note:-My LAN IP is 10.11.12.1
//Now Lets test it in one of my customer..!!
[Mikrotik-Home] > ping 8.8.8.8
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 64 0ms
1 8.8.8.8 56 64 1ms
2 8.8.8.8 56 64 1ms
3 8.8.8.8 56 64 0ms
4 8.8.8.8 56 64 1ms
5 8.8.8.8 56 64 1ms
sent=6 received=6 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=1ms
[Mikrotik-Home] >
///As you can see above Now its 0-1 ms. Now lets trace to 8.8.8.8 through ICMP and UDP.
[Mikrotik-Home] /tool> traceroute protocol=icmp 8.8.8.8
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 8.8.8.8 0% 18 1.2ms 1 0.4 1.3 0.3
-- [Q quit|D dump|C-z pause]
//Now you can see above that ,its showing that 8.8.8.8 is directly connected..Now let's trace by using UDP.
[Mikrotik-Home] /tool> traceroute protocol=udp 8.8.8.8
Note:-The UDP traceroute will go to actual destination and same you can
see below..!!
[Mikrotik-Home] /tool> traceroute protocol=udp 8.8.8.8
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 10.9.18.2 0% 3 0.4ms 0.8 0.4 1.1 0.3
2 10.x.x.6 0% 3 1.1ms 1.2 1.1 1.4 0.1
3 13.x.x.9 0% 3 0.7ms 0.6 0.4 0.7 0.1
4 10.1.21.30 0% 3 74.4ms 56.1 47 74.4 12.9
5 45.x.x.2 0% 3 46.7ms 47.1 46.7 47.4 0.3
6 74.x.244.x 0% 3 46.3ms 46.8 46.3 47.2 0.4
7 216.x.49.x 0% 3 46.9ms 47.1 46.8 47.7 0.4
8 100% 3 timeout
9 100% 2 timeout
10 100% 2 timeout
11 100% 2 timeout
12 100% 2 timeout