Greetings, I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and default gw (10.10.0.1/16) for a LAN. VPN users (10.4.0.0/16) come into the LAN from a PIX (10.10.0.254/16) (changing soon to OpenVPN), and when the VPN users hit a server, return packets are sent to the default gw. I was expecting the OpenBSD server to generate an ICMP redirect and all would be well. Unfortunately that is not happening. Instead the firewall is sending a host unreachable (yet the fw can ping the VPN host).
Any pointers would be appreciated. Here's some relevant info:

[EMAIL PROTECTED] tcpdump -nei fxp2 icmp
09:57:26.797397 0:2:a5:60:58:50 0:8:2:ce:99:65 0800 70: 10.10.0.251 > 10.10.0.11: icmp: host 10.4.0.67 unreachable
09:57:28.984736 0:2:a5:60:58:50 0:8:2:ce:99:65 0800 70: 10.10.0.251 > 10.10.0.11: icmp: host 10.4.0.67 unreachable

[EMAIL PROTECTED] ping 10.4.0.67
PING 10.4.0.67 (10.4.0.67): 56 data bytes
64 bytes from 10.4.0.67: icmp_seq=0 ttl=128 time=66.969 ms

[EMAIL PROTECTED] netstat -rn | grep 10.4
10.4/16            10.10.0.254        UGS         0    61208      -   fxp2

[EMAIL PROTECTED] ifconfig carp2
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev fxp2 vhid 3 advbase 1 advskew 100
        groups: carp
        inet 10.10.0.1 netmask 0xffff0000 broadcast 10.10.255.255

[EMAIL PROTECTED] ifconfig fxp2
fxp2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:02:a5:60:58:50
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.10.0.251 netmask 0xffff0000 broadcast 10.10.255.255
        inet6 fe80::202:a5ff:fe60:5850%fxp2 prefixlen 64 scopeid 0x3

[EMAIL PROTECTED] pfctl -s rules |grep 10.4
pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16
pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16

[EMAIL PROTECTED] sysctl -a |grep redi
net.inet.ip.redirect=1
net.inet.icmp.rediraccept=1
net.inet.icmp.redirtimeout=600
net.inet6.ip6.redirect=1
net.inet6.icmp6.rediraccept=1
net.inet6.icmp6.redirtimeout=600
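The situation described in the post, as an added example that is not part of the original message and not OpenBSD code: a small Python model of the poster's routing table (the 10.4/16 route via 10.10.0.254 and the directly connected 10.10/16 on fxp2) that applies the RFC 1812 rule for when a router should send an ICMP Redirect, plus a parser for the tcpdump ICMP lines shown above so the observed message (host unreachable) can be compared with what the model expects (a redirect to 10.10.0.254). The route set, the sample capture lines and the function names are constructed for this example; the model deliberately contains only the routes visible in the post, so any destination outside them comes back as unreachable.

```python
import ipaddress
import re

# Constructed from the post: fxp2 carries 10.10.0.0/16; 10.4.0.0/16 is reached
# via the PIX at 10.10.0.254 on that same interface. No default route is modelled.
INTERFACES = {"fxp2": ipaddress.ip_network("10.10.0.0/16")}
ROUTES = [  # (destination, gateway or None when directly connected, interface)
    (ipaddress.ip_network("10.4.0.0/16"), ipaddress.ip_address("10.10.0.254"), "fxp2"),
    (ipaddress.ip_network("10.10.0.0/16"), None, "fxp2"),
]


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (gateway, iface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def forwarding_decision(src, dst, in_iface):
    """What a forwarding router should do with a packet src->dst that arrived on in_iface.

    Returns 'unreachable', 'forward' or 'redirect:<next-hop>'. RFC 1812 (5.2.7.2) has a
    router send an ICMP Redirect when the packet leaves on the interface it arrived on
    and the source host shares that interface's subnet with the next hop, i.e. the
    host could have sent the packet to the next hop directly.
    """
    route = lookup(dst)
    if route is None:
        return "unreachable"
    gw, out_iface = route
    next_hop = gw if gw is not None else ipaddress.ip_address(dst)
    same_link = INTERFACES[in_iface]
    if out_iface == in_iface and ipaddress.ip_address(src) in same_link and next_hop in same_link:
        return f"redirect:{next_hop}"
    return "forward"


# Matches the 'tcpdump -nei' ICMP lines of the kind quoted in the post.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ \S+ \d+: (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: (?P<msg>.*)$"
)


def parse_icmp_line(line):
    """Return a dict describing one tcpdump ICMP line, or None if it does not match."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    msg = m["msg"]
    if "unreachable" in msg:
        kind = "unreachable"
    elif msg.startswith("redirect"):
        kind = "redirect"
    else:
        kind = "other"
    # The first address in the message body is the original packet's destination.
    orig_dst = re.search(r"[\d.]+", msg)
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "kind": kind,
            "orig_dst": orig_dst.group(0) if orig_dst else None}


def check_capture(lines, in_iface="fxp2"):
    """For each ICMP line, pair what the router actually sent with what the model expects.

    The ICMP message's destination is the host that sent the original packet, and the
    address inside the message is where that packet was headed.
    """
    results = []
    for line in lines:
        rec = parse_icmp_line(line)
        if rec is None or rec["orig_dst"] is None:
            continue
        expected = forwarding_decision(rec["dst"], rec["orig_dst"], in_iface)
        results.append((rec["kind"], expected))
    return results


# Constructed sample: the two lines from the poster's tcpdump, copied verbatim.
SAMPLE_CAPTURE = [
    "09:57:26.797397 0:2:a5:60:58:50 0:8:2:ce:99:65 0800 70: 10.10.0.251 > 10.10.0.11: icmp: host 10.4.0.67 unreachable",
    "09:57:28.984736 0:2:a5:60:58:50 0:8:2:ce:99:65 0800 70: 10.10.0.251 > 10.10.0.11: icmp: host 10.4.0.67 unreachable",
]

if __name__ == "__main__":
    for observed, expected in check_capture(SAMPLE_CAPTURE):
        print(f"router sent: {observed:12} model expects: {expected}")
```

Running it against the two captured lines reports that the router sent "unreachable" where the model, given only the routes in the post, expects "redirect:10.10.0.254". The model says nothing about why the real kernel chose otherwise; it only makes the expectation explicit so a capture can be checked against it.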