If you replaced the Switch with the OpenBSD Firewall below, then your routing issues will go away. It'll require work on your end but after all is said and done, you won't need to change anything or even rely on the hosts for their ability or inability to understand advanced routing or any DHCP options.
With your present setup with the default route being the OpenBSD Firewall/Router, even if you were to get the icmp-redirect issue sorted out, as soon as there is any fragmentation you may run into problems. I had a similar experience to what you are trying to solve below. I hope this helps.

Mark T. Uemura
OpenBSD Support Japan Inc.
www.openbsd-support.com

> internet_connection - 192.168.11.1/32 ---------------+
> Default Route |
> OpenBSD 3.7 |
> In my control 100% |
> |
> remote_site - 192.168.11.2/32 -------------+ |
> 192.168.12.0/24 | |
> Cisco 2620, IOS 12.0 | |
> Only Cisco router in my control Cisco Catalyst 2900 Switch
> | | |
> Hospital_site - 192.168.11.3/32 -------------+ | |
> a.b.c.0/24 | |
> Cisco 1720 - T1 | |
> Cisco PIX 506E | |
> | |
> Government_site - 192.168.11.4/32 ---------------+ |
> w.x.y.0/24 |
> Cisco 1720 - T1 |
> Cisco PIX 506E |
> Rest of 192.168.11.0/24 -----------+
>
> All systems have the default route to be the OpenBSD system. On
> that box, the static routes are:
>
> route add 192.168.12.0/24 192.168.11.2 # remote_site packets
> route add a.b.c.0/24 192.168.11.3 # Hospital packets
> route add w.x.y.0/24 192.168.11.4 # government packets
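
Added example, not part of the original message or thread: a small Python model of the quoted routing table that shows which flows the OpenBSD gateway has to send back out the interface they arrived on, which is the condition under which a router issues ICMP redirects. The two documentation prefixes stand in for the redacted a.b.c.0/24 and w.x.y.0/24, and the function names are hypothetical.

```python
import ipaddress

# LAN shared by the hosts and every router in the quoted diagram.
LAN = ipaddress.ip_network("192.168.11.0/24")

# Static routes on the OpenBSD default gateway, as quoted above.
# 198.51.100.0/24 and 203.0.113.0/24 are constructed stand-ins for the
# redacted a.b.c.0/24 (Hospital) and w.x.y.0/24 (Government) prefixes.
ROUTES = [
    (ipaddress.ip_network("192.168.12.0/24"), ipaddress.ip_address("192.168.11.2")),
    (ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_address("192.168.11.3")),
    (ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_address("192.168.11.4")),
]


def next_hop(dst):
    """Longest-prefix match over ROUTES; None means no static route."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in ROUTES if dst_ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def classify(src, dst):
    """Describe how the gateway at 192.168.11.1 handles a src -> dst packet."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip in LAN and dst_ip in LAN:
        return "on-link"  # delivered by the switch, never reaches the gateway
    gw = next_hop(dst)
    if gw is None:
        return "forwarded upstream"  # leaves via the internet connection
    if src_ip in LAN and gw in LAN:
        # In and out on the same interface, with a better first hop on the
        # sender's own subnet: the gateway would answer with a redirect.
        return f"hairpin via {gw}: redirect candidate"
    return f"forwarded via {gw}"


if __name__ == "__main__":
    for src, dst in [("192.168.11.50", "192.168.12.10"),
                     ("192.168.11.50", "203.0.113.9"),
                     ("192.168.11.50", "192.0.2.1")]:
        print(f"{src} -> {dst}: {classify(src, dst)}")
```

Every LAN host talking to one of the three remote prefixes lands in the hairpin case, so delivery depends on each host honouring redirects unless the gateway sits physically between the hosts and the other routers.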