How do I change the Ubiquiti Security Gateway's default icmp restrictions from inside the LAN?
It seems that my Ubiquiti Security Gateway's default settings will drop icmp packets if I'm doing more than one traceroute at a time, but I can't find any setting anywhere in the Ubiquiti Controller's wui nor the Security Gateway's firewall rules that look like they're limiting icmp.
For example, when monitoring network issues, I like to kick off a few simultaneous traceroutes to popular ping farms. Below I kick one off to Google's 8.8.8.8 and CloudFlare's 1.1.1.1 at the same time -- with the ping to Google in a terminal just below the ping to CloudFlare.
Note that the first traceroute has 100% packet loss from my Ubiquiti Security Gateway (ubnt) while the one below it has 0% packet loss. If I stop the traceroute on the bottom, then the other traceroute immediately goes from 100% packet loss to 0% packet loss. So this seems like some kind of overly sensitive icmp flood protection or rate limiting.
Where is this set in the Ubiquiti Controller? How can I tune these icmp limits on the LAN to be something more sane?
You're hitting the rate limiting of generation of ICMP error responses, which is set to Linux's default of 1 per second.
That's controlled by sysctl net.ipv4.icmp_ratelimit, which is the number of ms between permitted ICMP error responses. The default 1000 is 1/sec. Set it to something lower like 100 for 10 per second via SSH to the USG:
sudo sysctl net.ipv4.icmp_ratelimit=100
It's not controller-configurable even in config.gateway.json. Appending it to a file or adding a new file in /etc/sysctl.d/ will make it persistent other than across firmware upgrades.
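As an added example (not part of the answer above or any Ubiquiti-provided tooling), the shell snippet below turns the answer into something repeatable on a Linux-based gateway: it converts an icmp_ratelimit value into the resulting maximum number of ICMP error responses per second, reads the live value from /proc when available, and renders a sysctl.d drop-in. The drop-in filename 99-icmp-ratelimit.conf is an assumption; any name under /etc/sysctl.d/ works, and writing it requires root on the USG.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for inspecting and
# persisting the Linux ICMP error-response rate limit (net.ipv4.icmp_ratelimit).

# Convert icmp_ratelimit (minimum milliseconds between ICMP error responses,
# 0 = no limiting) into the maximum responses per second the kernel will send.
# Prints "unlimited" for 0 and "invalid" (exit 1) for non-numeric input.
icmp_errors_per_second() {
    ms="$1"
    case "$ms" in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
    esac
    if [ "$ms" -eq 0 ]; then
        echo "unlimited"
    else
        echo $(( 1000 / ms ))
    fi
}

# Read the live value from procfs; fall back to the kernel default (1000)
# when /proc/sys is not readable (e.g. inside a restricted container).
current_icmp_ratelimit() {
    f=/proc/sys/net/ipv4/icmp_ratelimit
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo 1000
    fi
}

# Classify a proposed value: 0 removes the limit entirely, which is the one
# setting a defender should not ship; anything from 1 ms up keeps a cap.
classify_icmp_ratelimit() {
    ms="$1"
    case "$ms" in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
    esac
    if [ "$ms" -eq 0 ]; then
        echo "unlimited-not-recommended"
    elif [ "$ms" -lt 1000 ]; then
        echo "relaxed"
    else
        echo "default-or-stricter"
    fi
}

# Render the sysctl.d drop-in contents for a chosen limit. Usage on the USG
# (assumed filename):
#   render_sysctl_dropin 100 | sudo tee /etc/sysctl.d/99-icmp-ratelimit.conf
#   sudo sysctl --system
render_sysctl_dropin() {
    printf '# Minimum ms between ICMP error responses (default 1000 = 1/sec)\n'
    printf 'net.ipv4.icmp_ratelimit = %s\n' "$1"
}

# Stand-alone run: report the current setting and what it allows.
now="$(current_icmp_ratelimit)"
echo "icmp_ratelimit=${now} ms -> $(icmp_errors_per_second "$now") error responses/sec ($(classify_icmp_ratelimit "$now"))"
```

The traceroute symptom in the question depends on ICMP Time Exceeded (type 11) replies, which the kernel's default icmp_ratemask includes, so the limit applies to every hop the gateway answers for; lowering icmp_ratelimit to 100 gives the 10/sec the answer describes, while 0 disables the cap and is the one value worth avoiding on an Internet-facing device.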