VPN - Routing Issue - Only Linux Hosts
-
Why would you arp for something that is not on your network?
12:34:16.425303 ARP, Request who-has 172.25.10.11 tell 172.26.10.153, length 46
12:34:17.424494 ARP, Request who-has 172.25.10.11 tell 172.26.10.153, length 46
12:34:18.424525 ARP, Request who-has 172.25.10.11 tell 172.26.10.153, length 46
You're arping for 25.10.11 from 26.10.253
Looks like 10.253 redirected your icmp request, and it sent you back a reply.. but clearly this seems to be a different network because you're not getting arp back.
-
172.26.10.253 is my pfSense firewall.
172.26.10.153 is the linux machine that gets 1 ping reply and then none after that.
172.26.0.0/16 is my local LAN
172.25.0.0/16 is the other side of the tunnel.
I know that didn't exactly solve the issue, but does that help in your figuring out why traffic is not being routed?
Thank you.
-
Wait a minute…..
172.26.10.253 is my wireless router.
.254 is pfSense.
It would seem that the wireless router (being used as just an access point) is somehow trying to do more than just drop the wireless clients on to the LAN.
Could it be trying to find the route itself for some reason?
-
Unplug it, get everything else working, then add it back properly configured. I'm starting to smell a duplicate IP address somewhere.
-
Some of this traffic is going over wifi?
That packet capture was on the pfSense LAN interface I assume?
Are you using static IPs or DHCP? Check the DHCP leases are coming from pfSense if you are. .253 is not actually shown. I think that's just a misread of .153. Your wifi access point does not appear to be involved at all.
Try running a similar packet capture while pinging from a Windows client for comparison.
Steve
-
What's that ICMP redirect doing?
It appears, to my untrained eyes, to be pfSense (172.26.10.254) telling your client (172.26.10.153) that to reach the remote host (172.25.10.11) there's a better router going directly via 172.25.10.11. :-\
-
Here is a ping from my laptop (172.26.10.50) to a host across the VPN (172.25.10.11)
DHCP is in use, but I am certain only pfSense is giving out addresses. I reviewed the wireless router setup numerous times and it looks good in that regard:
Good Ping from Windows
14:41:21.359361 IP 172.26.10.50 > 172.25.10.11: ICMP echo request, id 1, seq 417, length 40
14:41:21.359526 IP 172.26.10.254 > 172.26.10.50: ICMP redirect 172.25.10.11 to host 172.25.10.11, length 36
14:41:21.384430 IP 172.25.10.11 > 172.26.10.50: ICMP echo reply, id 1, seq 417, length 40
14:41:22.359116 IP 172.26.10.50 > 172.25.10.11: ICMP echo request, id 1, seq 418, length 40
14:41:22.359274 IP 172.26.10.254 > 172.26.10.50: ICMP redirect 172.25.10.11 to host 172.25.10.11, length 36
14:41:22.383116 IP 172.25.10.11 > 172.26.10.50: ICMP echo reply, id 1, seq 418, length 40
14:41:23.364131 IP 172.26.10.50 > 172.25.10.11: ICMP echo request, id 1, seq 419, length 40
14:41:23.364276 IP 172.26.10.254 > 172.26.10.50: ICMP redirect 172.25.10.11 to host 172.25.10.11, length 36
14:41:23.388422 IP 172.25.10.11 > 172.26.10.50: ICMP echo reply, id 1, seq 419, length 40
Failed Ping to Same host from Linux machine (172.26.10.153)
14:43:50.070739 IP 172.26.10.153 > 172.25.10.11: ICMP echo request, id 2305, seq 1, length 64
14:43:50.070924 IP 172.26.10.254 > 172.26.10.153: ICMP redirect 172.25.10.11 to host 172.25.10.11, length 36
14:43:50.099853 IP 172.25.10.11 > 172.26.10.153: ICMP echo reply, id 2305, seq 1, length 64
14:43:51.072299 ARP, Request who-has 172.25.10.11 tell 172.26.10.153, length 46
14:43:52.070287 ARP, Request who-has 172.25.10.11 tell 172.26.10.153, length 46
14:43:53.070345 ARP, Request who-has 172.25.10.11 tell 172.26.10.153, length 46
14:43:54.088953 ARP, Request who-has 172.25.10.11 tell 172.26.10.153, length 46
14:43:55.086226 ARP, Request who-has 172.25.10.11 tell 172.26.10.153, length 46
14:43:56.086409 ARP, Request who-has 172.25.10.11 tell 172.26.10.153, length 46
-
And again you're ARPing for an IP that is NOT on your network!!!
14:43:51.072299 ARP, Request who-has 172.25.10.11 tell 172.26.10.153, length 46
You get a redirect from 10.254 ??? Who is that? You say your pfsense is .253
14:43:50.070924 IP 172.26.10.254 > 172.26.10.153: ICMP redirect 172.25.10.11 to host 172.25.10.11, length 36
And now your client at 26.10.153 is arping for that IP vs sending it out to its gateway. No shit it's never going to get an answer to that.
-
172.26.10.254 is pfSense.
I misspoke when I said it was .253 earlier, my fault.
So, to be clear.
| pfSense | 172.26.10.254 |
| Windows Machine | 172.26.10.50 |
| Linux Machine | 172.26.10.153 |
| Host on other end of Tunnel | 172.25.10.11 |
So, the initial redirect by pfSense seems to be correct, but then what would trigger the ARPing?
I am not even sure the function of that, so I am pretty lost :)
Thanks again for your help!
-
Why is it doing a redirect? A redirect normally can happen when there is a better route..
"The interface on which the packet comes into the router is the same interface on which the packet gets routed out."
"The subnet or network of the source IP address is on the same subnet or network of the next-hop IP address of the routed packet."
This is when Cisco routers would send a redirect.
Do you have some issues with your masks on your interfaces.. How exactly do you have this site to site setup, are you not using a transient network?
I ping a vpn client from a box on my lan and this is what a capture looks like on the pfsense lan
15:17:15.135118 IP 192.168.1.100 > 10.0.200.6: ICMP echo request, id 1, seq 1, length 40
15:17:15.333586 IP 10.0.200.6 > 192.168.1.100: ICMP echo reply, id 1, seq 1, length 40
15:17:16.142803 IP 192.168.1.100 > 10.0.200.6: ICMP echo request, id 1, seq 2, length 40
15:17:16.320914 IP 10.0.200.6 > 192.168.1.100: ICMP echo reply, id 1, seq 2, length 40
You don't know what an arp is?
You could turn off redirects I would think net.inet.ip.redirect set to 0
What does the traceroute look like?
-
I suspect pfSense is sending the redirect all the time but Windows and IOS are ignoring it.
Disabling redirects in pfSense should at least prove this but why is it sending them at all? I assume it must be some misconfiguration in the VPN setup.
Steve
-
Turning OFF redirects in the "System Tunables" worked!!
net.inet.ip.redirect set to 0
But, do you think there is a setup issue in the VPN that is really the culprit?
I'd like to fix the root cause and learn from this, if possible.
Thanks again and let me know what you think.
-
We don't have anything of worth to work with here, other than saying he has a vpn connection to this other network. We don't have routing table off the pfsense box, etc.
Makes no sense that pfsense would send a redirect when it should be routing the traffic down the tunnel. Is the mask wrong on the network in pfsense? And it thinks that network is local?
Really needs some more details on how pfsense vpn is setup, off what interface? Routing table off pfsense would help for sure.
-
As would a diagram properly documented with network and interface addresses.
-
Thanks guys.
I'm heading out of office for the day but will post a diagram with details tomorrow and you can tell me what else to add to help figure it out.
Hopefully as I document it, perhaps something will jump out.
For now at least it works, even if I've just sort of put a band-aid on it.
Thanks again and talk to you tomorrow!
-
Yes, seeing how your vpn interface is configured should be revealing.
One thing that seems like it can cause this is having both subnets on the same interface. I'm struggling to see how that might apply here though.
Steve
-
From a quick scan of this thread, I would guess that the netmask/CIDR on pfSense has been set (accidentally) to cover both the 25 and 26 networks - 172.26.10.254/15 (or smaller) would cover all that and cause pfSense to think that 172.25.n.n is on its LAN and thus send a redirect message back to the client.
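To make the two theories in this thread checkable, here is an added example (my own code, not from any poster or from pfSense): it uses Python's `ipaddress` module to test whether a given prefix on the pfSense LAN address makes the remote host look on-link (the redirect condition quoted earlier), and it scans a constructed tcpdump-style capture for the two symptoms seen above, a redirect whose "better gateway" is the destination itself and ARP requests for targets outside the LAN prefix. The capture lines, the LAN prefix 172.26.0.0/16 and the addresses are taken from the thread; everything else is assumed.

```python
import ipaddress
import re

# Constructed sample capture in tcpdump format, modelled on the thread's
# output for the Linux host (not a real capture).
CAPTURE = """\
14:43:50.070739 IP 172.26.10.153 > 172.25.10.11: ICMP echo request, id 2305, seq 1, length 64
14:43:50.070924 IP 172.26.10.254 > 172.26.10.153: ICMP redirect 172.25.10.11 to host 172.25.10.11, length 36
14:43:50.099853 IP 172.25.10.11 > 172.26.10.153: ICMP echo reply, id 2305, seq 1, length 64
14:43:51.072299 ARP, Request who-has 172.25.10.11 tell 172.26.10.153, length 46
14:43:52.070287 ARP, Request who-has 172.25.10.11 tell 172.26.10.153, length 46
"""

ARP_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
REDIRECT_RE = re.compile(r"IP (\S+) > (\S+): ICMP redirect (\S+) to host (\S+),")


def would_redirect(router_iface, dst):
    """True when the router's interface prefix already covers dst, i.e. the
    next hop lies on the interface the packet came in on, which is the
    condition under which a router emits an ICMP redirect."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(router_iface).network


def longest_onlink_prefix(router_addr, dst):
    """Longest prefix length on router_addr for which dst is still on-link;
    anything shorter than the real /16 is a misconfigured mask."""
    for plen in range(32, -1, -1):
        if ipaddress.ip_address(dst) in ipaddress.ip_network(f"{router_addr}/{plen}", strict=False):
            return plen
    return None


def analyze(capture, lan):
    """Collect redirects that name the destination as its own gateway and ARP
    requests for targets outside the LAN prefix (what the Linux host does
    after honouring such a redirect)."""
    net = ipaddress.ip_network(lan)
    self_redirects, offnet_arp = [], []
    for line in capture.splitlines():
        m = REDIRECT_RE.search(line)
        if m and m.group(3) == m.group(4):
            self_redirects.append((m.group(1), m.group(2), m.group(4)))
        m = ARP_RE.search(line)
        if m and ipaddress.ip_address(m.group(1)) not in net:
            offnet_arp.append((m.group(2), m.group(1)))
    return {"self_redirects": self_redirects, "offnet_arp": offnet_arp}
```

Running `analyze(CAPTURE, "172.26.0.0/16")` flags the redirect to 172.26.10.153 and its two off-subnet ARP requests; `longest_onlink_prefix("172.26.10.254", "172.25.10.11")` shows how short the LAN mask would have to be for pfSense to treat 172.25.10.11 as local.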
-
^ Agreed, I never understand how people come in here asking without some diagram.. I can not believe a company that has multiple locations and a site to site vpn does not have a network drawing??
-
you create docs/schematics ?
some of us seem to have the luxury of colleagues and spare time ….i only know people who get abused by their employer to do a 5-man-job ; on their own :D
-
Yes, unfortunately it doesn't surprise me at all. And in fact I'd go further and say that very often network issues can be caused by an existing network diagram that's out of date or just plain wrong. I have always found it prudent to assume nothing. Perhaps just my own experience. ::)
Steve