...
> I know this is not the answer to your question and I'd like to hear how
> you wind up getting the OpenBSD box to send the redirects you are
> looking for, but relying on redirects to do your routing for any
> length of time is asking for trouble IMHO. You might just be better
> off, temporarily, putting the PIX behind the OpenBSD box if possible or,
> if the servers are few, modifying their local route tables until the new
> VPN solution is in place.
We did in fact add static routes to the servers for now (yuck.) I did some more testing on my home fw and it seems that carp interfaces don't like generating ICMP redirects (for me anyhow.) Here is my test:

My WS (XP) - 192.168.83.51
My FW (OBSD 3.8) - 192.168.83.1
My server (OBSD 3.8) - 192.168.83.47

My WS normally has a default gw of the FW. My rules to/from the inside LAN to the FW are loose:

#
pass in quick on $int_if from any to any
pass out quick on $int_if from any to any
#

So I create a route:

[EMAIL PROTECTED] sudo route add -net 192.168.80 192.168.83.47
add net 192.168.80: gateway 192.168.83.47

And I pinged 192.168.80.2 from my WS; the FW did the "right thing":

[EMAIL PROTECTED] sudo tcpdump -nei fxp1 net 192.168.80 or icmp
tcpdump: listening on fxp1, link-type EN10MB
20:54:17.738121 0:11:43:39:e1:59 0:d0:b7:23:c0:e7 0800 74: 192.168.83.51 > 192.168.80.1: icmp: echo request
20:54:17.738340 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.1: icmp: echo request
20:54:17.738434 0:d0:b7:23:c0:e7 0:11:43:39:e1:59 0800 70: 192.168.83.1 > 192.168.83.51: icmp: redirect 192.168.80.1 to host 192.168.83.47

Next I created a carp interface on the inside and created a route on my workstation:

[EMAIL PROTECTED] sudo ifconfig carp1 create
[EMAIL PROTECTED] sudo ifconfig carp1 vhid 1 advskew 100 pass internal 192.168.83.2 netmask 255.255.255.0
[EMAIL PROTECTED] route add 192.168.80.0 mask 255.255.255.0 192.168.83.2

And tried the ping again:

[EMAIL PROTECTED] sudo tcpdump -nei fxp1 net 192.168.80 or icmp
21:04:52.711456 0:11:43:39:e1:59 0:0:5e:0:1:1 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
21:04:52.711577 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
21:04:58.043062 0:11:43:39:e1:59 0:0:5e:0:1:1 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
21:04:58.043217 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request

Odd, since PF allows traffic on fxp1, not carp1. So let's add carp1 to pf...

[EMAIL PROTECTED] sudo grep carp /etc/pf.conf
pass in quick on carp1 from any to any
pass out quick on carp1 from any to any

And once again the FW happily routes the packet instead of sending an ICMP redirect.

[EMAIL PROTECTED] sudo tcpdump -nei fxp1 net 192.168.80 or icmp
tcpdump: listening on fxp1, link-type EN10MB
21:21:21.026831 0:11:43:39:e1:59 0:0:5e:0:1:1 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
21:21:21.026954 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request

I disabled pf and have the same results. I've hit my knowledge limit, so delving into the source would be fruitless and annoying to the rest of you. Should I create a bug report?

-Steve S.

P.S. I'm not sure why the other box sent "host unreachables" and if I find out more I'll update the archive.
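As an added example (not from the thread), a small Python check over `tcpdump -nei` output of the kind posted above: it flags flows the gateway hairpinned back out the same interface without emitting an ICMP redirect, which is exactly the CARP symptom described. The gateway MACs and capture lines are taken from the post; the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the gateway's physical MAC and the CARP virtual MAC
# as they appear in the post's `tcpdump -nei fxp1` output.
GW_MACS = {"0:d0:b7:23:c0:e7", "0:0:5e:0:1:1"}

# OpenBSD tcpdump -e format: ts src_mac dst_mac ethertype len: sip > dip: icmp: msg
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<smac>\S+) (?P<dmac>\S+) 0800 \d+: "
                     r"(?P<sip>[\d.]+) > (?P<dip>[\d.]+): icmp: (?P<msg>.*)$")

def parse(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None   # non-matching lines are ignored

def analyze(lines, gw_macs):
    """Per (src_ip, dst_ip) flow: did the gateway hairpin the packet, and did it redirect?"""
    flows = defaultdict(lambda: {"in": False, "hairpin": False, "redirect": False})
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        if p["msg"].startswith("redirect "):
            # "redirect <dst> to host <gw>", sent to the original sender (dip)
            flows[(p["dip"], p["msg"].split()[1])]["redirect"] = True
            continue
        key = (p["sip"], p["dip"])
        if p["dmac"] in gw_macs:            # frame addressed to the gateway
            flows[key]["in"] = True
        elif p["smac"] in gw_macs and flows[key]["in"]:   # gateway re-emitted it
            flows[key]["hairpin"] = True
    return dict(flows)

def silent_forwards(lines, gw_macs):
    """Flows the gateway forwarded on the same segment with no redirect."""
    return sorted(k for k, v in analyze(lines, gw_macs).items()
                  if v["hairpin"] and not v["redirect"])

# Capture lines taken from the post (first test: plain fxp1, second: via carp1).
CAPTURE_FXP1 = [
    "20:54:17.738121 0:11:43:39:e1:59 0:d0:b7:23:c0:e7 0800 74: 192.168.83.51 > 192.168.80.1: icmp: echo request",
    "20:54:17.738340 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.1: icmp: echo request",
    "20:54:17.738434 0:d0:b7:23:c0:e7 0:11:43:39:e1:59 0800 70: 192.168.83.1 > 192.168.83.51: icmp: redirect 192.168.80.1 to host 192.168.83.47",
]
CAPTURE_CARP = [
    "tcpdump: listening on fxp1, link-type EN10MB",
    "21:04:52.711456 0:11:43:39:e1:59 0:0:5e:0:1:1 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request",
    "21:04:52.711577 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request",
]
```

Running `silent_forwards` over a live `tcpdump -nei` capture of the inside interface gives a quick way to confirm whether a gateway is really emitting redirects before any host is left depending on them.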