I’d like the ability for the Peplink Balance firmware to generate ICMP unreachable replies. The use I have in mind is specifically to prevent packets for not-already-routed RFC1918 addresses from leaking out the WAN ports, but I can envision some other scenarios where this would be handy.
On a regular Linux box, I would write something like:
iptables -A FORWARD -o wan -d 10.0.0.0/8 -j REJECT --reject-with icmp-net-unreachable
iptables -A FORWARD -o wan -d 172.16.0.0/12 -j REJECT --reject-with icmp-net-unreachable
iptables -A FORWARD -o wan -d 192.168.0.0/16 -j REJECT --reject-with icmp-net-unreachable
ip route add unreachable 10.0.0.0/8 metric 250
ip route add unreachable 172.16.0.0/12 metric 250
ip route add unreachable 192.168.0.0/16 metric 250
I like the second option a little less – network unreachable seems more appropriate than host unreachable here – but it’s safer in the case where one of the WAN connections is itself in RFC1918 space.
The Balance firmware lets me add static routes, but only unicast routes, not unreachable routes. It also lets me configure “deny” firewall rules, but these seem to simply discard traffic, while I want to notify the sender that the packet could not be forwarded.