On Thu, Jan 19, 2006 at 10:32:40AM -0500, Steven S wrote:
> Greetings,
> 
> I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and default
> gw (10.10.0.1/16) for a LAN.  VPN users (10.4.0.0/16) come into the LAN
> from a PIX (10.10.0.254/16) (changing soon to OpenVPN), and when the VPN
> users hit a server return packets are sent to the default gw.  I was
> expecting the OpenBSD server to generate an ICMP redirect and all would be
> well.  Unfortunately that is not happening.  Instead the firewall is sending
> a host unreachable (yet the fw can ping the VPN host).
> 
> Any pointers would be appreciated.  Here's some relevant info:
> 
> [EMAIL PROTECTED] tcpdump -nei fxp2 icmp
> 09:57:26.797397 0:2:a5:60:58:50 0:8:2:ce:99:65 0800 70: 10.10.0.251 >
> 10.10.0.11: icmp: host 10.4.0.67 unreachable
> 09:57:28.984736 0:2:a5:60:58:50 0:8:2:ce:99:65 0800 70: 10.10.0.251 >
> 10.10.0.11: icmp: host 10.4.0.67 unreachable
> 
> [EMAIL PROTECTED] ping 10.4.0.67
> PING 10.4.0.67 (10.4.0.67): 56 data bytes
> 64 bytes from 10.4.0.67: icmp_seq=0 ttl=128 time=66.969 ms
> 
> [EMAIL PROTECTED] netstat -rn | grep 10.4
> 10.4/16            10.10.0.254        UGS         0    61208      -   fxp2
> 
> [EMAIL PROTECTED] ifconfig carp2
> carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         carp: MASTER carpdev fxp2 vhid 3 advbase 1 advskew 100
>         groups: carp
>         inet 10.10.0.1 netmask 0xffff0000 broadcast 10.10.255.255
> [EMAIL PROTECTED] ifconfig fxp2
> fxp2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:02:a5:60:58:50
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 10.10.0.251 netmask 0xffff0000 broadcast 10.10.255.255
>         inet6 fe80::202:a5ff:fe60:5850%fxp2 prefixlen 64 scopeid 0x3 
> 
> [EMAIL PROTECTED] pfctl -s rules |grep 10.4
> pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16
> pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16
> 
> [EMAIL PROTECTED] sysctl -a |grep redi
> net.inet.ip.redirect=1
> net.inet.icmp.rediraccept=1
> net.inet.icmp.redirtimeout=600
> net.inet6.ip6.redirect=1
> net.inet6.icmp6.rediraccept=1
> net.inet6.icmp6.redirtimeout=600
> 

What about sysctl net.inet.ip.forwarding? Is it set to 1?

-- 
:wq Claudio
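To make Claudio's question concrete, here is a small model of the decision a router makes for a forwarded packet, written as an added example for this thread (it is not OpenBSD kernel code and not anything from the original posts). It applies the standard ICMP redirect rule from RFC 1812 section 5.2.7.2, which has the same shape as the BSD ip_forward() check: a redirect is only generated when forwarding is on, net.inet.ip.redirect is on, the packet would leave on the interface it arrived on, and both the packet's source and the next hop sit in the ingress interface's subnet. The LAN route, the 10.4/16 route via 10.10.0.254 and the fxp2 address are taken from Steven's netstat and ifconfig output; the outside interface fxp0, its address and the default route are constructed assumptions. Two things the real kernel also checks are left out: it will not redirect for a source-routed packet or for a route that was itself learned from a redirect.

```python
"""Model of a router's forward / ICMP-redirect decision.

Added example, not code from the thread.  Routes and the fxp2 address
come from the post; fxp0, its address and the default route are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str               # destination prefix, e.g. "10.4.0.0/16"
    gateway: Optional[str]    # next hop, None for a directly connected net
    iface: str                # outgoing interface


# Interface addresses.  fxp2 is from "inet 10.10.0.251 netmask 0xffff0000";
# fxp0 is an assumed outside interface with a documentation-range address.
IFACES = {
    "fxp2": ip_interface("10.10.0.251/16"),
    "fxp0": ip_interface("192.0.2.2/24"),
}

# Routing table.  The 10.4/16 entry mirrors the netstat line in the post:
# "10.4/16  10.10.0.254  UGS  ...  fxp2".  The default route is assumed.
ROUTES = [
    Route("0.0.0.0/0", "192.0.2.1", "fxp0"),
    Route("10.10.0.0/16", None, "fxp2"),
    Route("10.4.0.0/16", "10.10.0.254", "fxp2"),
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match for dst; returns the Route or None."""
    best = None
    for r in routes:
        net = ip_network(r.prefix)
        if ip_address(dst) in net and (
            best is None or net.prefixlen > ip_network(best.prefix).prefixlen
        ):
            best = r
    return best


def decide(src, dst, in_if, sysctl, routes=ROUTES, ifaces=IFACES):
    """Describe what the router does with a packet src->dst seen on in_if.

    sysctl is a dict of the relevant knobs, e.g.
    {"net.inet.ip.forwarding": 1, "net.inet.ip.redirect": 1}.
    """
    if any(ip_address(dst) == i.ip for i in ifaces.values()):
        return "deliver locally"

    # Nothing is forwarded at all while net.inet.ip.forwarding=0.
    if not sysctl.get("net.inet.ip.forwarding", 0):
        return "drop: net.inet.ip.forwarding=0"

    r = lookup(dst, routes)
    if r is None:
        return "drop: no route (ICMP net unreachable)"

    action = "forward via %s" % r.iface
    ingress = ifaces[in_if]
    next_hop = ip_address(r.gateway) if r.gateway else ip_address(dst)

    # RFC 1812 5.2.7.2 redirect conditions (minus source-route and
    # redirect-learned-route exclusions, which are not modelled here).
    if (
        sysctl.get("net.inet.ip.redirect", 0)
        and r.iface == in_if
        and ip_address(src) in ingress.network
        and next_hop in ingress.network
    ):
        action += ", ICMP redirect %s -> %s" % (dst, next_hop)
    return action


if __name__ == "__main__":
    # The case from the post: a LAN host answers a VPN client via the
    # default gateway, and the reply arrives on fxp2.
    on = {"net.inet.ip.forwarding": 1, "net.inet.ip.redirect": 1}
    off = {"net.inet.ip.forwarding": 0, "net.inet.ip.redirect": 1}
    print(decide("10.10.0.11", "10.4.0.67", "fxp2", on))
    print(decide("10.10.0.11", "10.4.0.67", "fxp2", off))
```

With forwarding on, the model says the packet from 10.10.0.11 to 10.4.0.67 goes back out fxp2 and a host redirect pointing at 10.10.0.254 is sent; with forwarding off, the packet is simply not forwarded and no redirect can ever be produced, which is why the forwarding sysctl is the first thing to check before looking at pf or the routing table.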
