Small ISP asked to whitelist all of their IPs

Question

We are running a dedicated server as a shared hosting for ~100 clients.

This week, a small ISP asked use to whitelist the range of their IPs because all of his clients can't see our websites.

I'm not a server/network guy, I only know the minimum to be able to manage the server. Is that a legit request? I feel like I should not just whitelist a bunch of IPs. It seems like it a problem on the IPS's side, but I'm not sure.

They sent us a screenshot of their tracert to our server, the routing seems fine, but before getting to our server, they loop into a "Request timed out".

I tried the same command in cmd and got a really similar result, I get 2-3 "Request timed out" but finally get a response from my server.

I don't know how this kind of routing works, but I would guess that if they get timed out, whitelisting them would change nothing.

Thank you

If you don't actively blacklist IPs, whitelisting them won't do anything. — ceejayoz, May 14 '19 at 18:17

score 4 · Accepted Answer · answered May 14 '19 at 16:36

Should you whitelist all of their ip addresses?

Not without some additional testing, investigation, and discussion. Look for the ISP's ip addresses in your router, firewall, and web server logs. Do you see them being actively blocked?

Tracert isn't a website testing tool. It's an ICMP testing tool. Their tracert results tell you nothing about why they can't reach your website. ICMP traffic may be blocked at any point in the path from them to you. This is not a valid reason for whitelisting their ip addresses.

score 4 · Answer 2 · answered May 14 '19 at 18:10

This is a valid request - but the main question is why the heck it is even needed.

See:

because all of his clients can't see our websites.

Why did you blacklist them to start with? See, most websites do not even have a blacklist mechanism for IP Addresses.

The only reason you would normally blacklist addresses for access to a website are when the website is sort of critical / scope limited and even then you normally do not bother.

I don't know how this kind of routing works,

As per site rules you should no ask here then, but have a competent admin that knows the basics. This is not a routing issue - likely there are some internal IP addresses on the way (that can not return a ping) or equipment that disables ping (tons of bad admins around that do that - while actually ICMP DOES serve a purpose during TCP setup). This happens regularly for certain ISP's - as long as the "black hole" ends (as it does in your case), this is just how it works.

I did not blacklist any of their IPs and they didn't get flagged by our firewall/anit-spam. By logic, whitelisting them would change nothing because I do not block them. I'm pretty sure it's not a issue on our side, but since I do not know networking, I can't really answer them with confidence. That's why I posted here. — g_marchildon, May 15 '19 at 14:29

Small ISP asked to whitelist all of their IPs

2 Answers2