Ping Redirect
-
Hello
I have set up an IPsec tunnel using pf 2.0.
Traffic and ping are ok for every computer on the LAN - 192.168.X.0/24 - to the remote network - 192.168.I.0/24
Traffic or ping are not ok from pf LAN gw - 192.168.X.Y
Problem comes with remote network domain name resolution using DNS forwarder.
As a workaround, I added:
- a gateway on LAN interface with pf IP address (192.168.X.Y)
- a static route to remote network via LAN GW (192.168.I.0/24 via 192.168.X.Y)
-> traffic and ping are now ok for pf gw to remote network, but… I get ping redirect message when pinging from a machine on the LAN network (192.168.X.Z), to a machine on the remote network (192.168.I.J).
36 bytes from pf.lan (192.168.X.Y): Redirect Host(New addr: 192.168.I.J)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 97c5 0 0000 40 01 e41c 192.168.X.Z 192.168.I.J
64 bytes from 192.168.I.J: icmp_seq=0 ttl=62 time=52.776 ms
36 bytes from pf.lan (192.168.X.Y): Redirect Host(New addr: 192.168.I.J)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 13f2 0 0000 40 01 67f0 192.168.X.Z 192.168.I.J
64 bytes from 192.168.I.J: icmp_seq=1 ttl=62 time=50.836 ms
Is it the correct solution?
What are the best practices in such a situation?
Can we avoid having a LAN GW and static route for DNS resolution?
Is it possible to avoid the ping redirect?
Thank you.
-
The ICMP redirect is what allows you to reach the other network via the other gateway. That redirect is normal.
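Added example, not part of the original posts: a simplified Python model of the RFC 1812 (section 5.2.7.2) condition under which a router sends an ICMP Redirect, showing why the static route via the LAN interface triggers it. The addresses, interface names and route tables are constructed stand-ins for the thread's 192.168.X.* / 192.168.I.* placeholders, and the "before" table assumes the tunnel traffic is selected by IPsec policy rather than by a route.

```python
import ipaddress as ip

# Constructed values (assumptions, not taken from the thread)
LAN_NET = ip.ip_network("192.168.10.0/24")     # stands in for 192.168.X.0/24
REMOTE_NET = ip.ip_network("192.168.20.0/24")  # stands in for 192.168.I.0/24
WAN_NET = ip.ip_network("203.0.113.0/24")
DEFAULT = ip.ip_network("0.0.0.0/0")

# Interface name -> directly connected network
INTERFACES = {"lan": LAN_NET, "wan": WAN_NET}

# Routing tables as (prefix, egress interface) pairs
ROUTES_BEFORE = [(LAN_NET, "lan"), (WAN_NET, "wan"), (DEFAULT, "wan")]
# Workaround from the thread: remote network routed via the LAN gateway
ROUTES_AFTER = ROUTES_BEFORE + [(REMOTE_NET, "lan")]


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    hits = [(net, ifname) for net, ifname in routes if dst in net]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def should_redirect(routes, in_if, src, dst):
    """True when the router would send an ICMP Redirect for this packet.

    Simplified RFC 1812 test: the packet leaves on the interface it
    arrived on, and the sender is on that interface's connected network.
    """
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    out_if = lookup(routes, dst)
    if out_if is None:
        return False
    return out_if == in_if and src in INTERFACES[in_if]


if __name__ == "__main__":
    pkt = ("lan", "192.168.10.50", "192.168.20.5")  # LAN host -> remote host
    print("before workaround:", should_redirect(ROUTES_BEFORE, *pkt))
    print("after workaround: ", should_redirect(ROUTES_AFTER, *pkt))
```

In this model the redirect appears only once the remote prefix points back out the LAN interface, which matches the ping output seen after the static route was added.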
-
My bad. Thank you for answering.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.