ICMP Redirect - Why is it occurring and how to disable?

jprez1980

Hey All -

I am curious why my pings appear to be a bit different than usual after installation of PFSense.  I have a basic network (1 gateway - LAN: 192.168.0.254 (PFSense), a 24 port PoE switch and 4 wireless access points that are also connected to the switch.  Everything is on the same private network.

Attempting to ping any other local LAN device while connected via one of the access points results in what I believe is an ICMP redirect:

ping 192.168.0.252
PING 192.168.0.252 (192.168.0.252): 56 data bytes
36 bytes from PFSENSE (192.168.0.254): Redirect Host(New addr: 192.168.0.252)
Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
4  5  c0 0054 e34c  0 0000  40  01 140e 192.168.0.66  192.168.0.252

64 bytes from 192.168.0.252: icmp_seq=0 ttl=64 time=3.118 ms
36 bytes from PFSENSE (192.168.0.254): Redirect Host(New addr: 192.168.0.252)
Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
4  5  c0 0054 b243  0 0000  40  01 4517 192.168.0.66  192.168.0.252

64 bytes from 192.168.0.252: icmp_seq=1 ttl=64 time=3.161 ms
^C

However, hardwired connections do not have this redirect when pinging.  The access points get their LAN IP from DHCP (via PFSense) so it seems odd to me that WiFi connected devices experience this ICMP redirect only.  Any ideas?

On a side note, I've also noticed trace routes are slightly different.  LAN devices connected via ethernet do not show the PFSense hop however WiFi connected devices do show the 192.168.0.254 (PFSense) hop in the trace route.

Thanks

robi

What kind of access points are these, and how are they configured?

heper

client isolation on accesspoints ?

Gertjan

@heper:

client isolation on accesspoints ?

… and also client isolation among access points ?

johnpoz

what do wired clients show as their first hop, or you saying they don't just get an answer?

C:>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

1    <1 ms    <1 ms    <1 ms  pfSense.local.lan [192.168.9.253]
  2    10 ms    8 ms    9 ms  96.120.24.113
  3    14 ms    10 ms    13 ms  te-0-5-0-8-sur04.mtprospect.il.chicago.comcast.net [68.85.180.133]
  4    13 ms    10 ms    12 ms  te-3-11-0-0-ar01.area4.il.chicago.comcast.net [69.139.202.129]
  5    12 ms    12 ms    12 ms  be-33491-cr02.350ecermak.il.ibone.comcast.net [68.86.91.165]

IF pfsense is the first hop, then it should show up as such..

jprez1980

@johnpoz:

what do wired clients show as their first hop, or you saying they don't just get an answer?

C:>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

1    <1 ms    <1 ms    <1 ms  pfSense.local.lan [192.168.9.253]
  2    10 ms    8 ms    9 ms  96.120.24.113
  3    14 ms    10 ms    13 ms  te-0-5-0-8-sur04.mtprospect.il.chicago.comcast.net [68.85.180.133]
  4    13 ms    10 ms    12 ms  te-3-11-0-0-ar01.area4.il.chicago.comcast.net [69.139.202.129]
  5    12 ms    12 ms    12 ms  be-33491-cr02.350ecermak.il.ibone.comcast.net [68.86.91.165]

IF pfsense is the first hop, then it should show up as such..

They do not see the PFSense hop - on an internal trace route.  On a WiFi connected device also tracing an internal IP the PFsense hop does appear however.

jprez1980

@robi:

What kind of access points are these, and how are they configured?

These are the Aruba IAP-225 access points - so far, it appears to be something occurring as a result of IPv6 - I turned off IPv6 in PF Sense on the LAN and WAN, released and renewed all clients and rebooted all access points and so far…things are working as normal.

Going to experiment a bit more later this evening to see if thats truly the source of the problem.

johnpoz

ipv6 would have nothing to do with an ipv4 traceroute.

Are you saying your trace was coming back as ipv6?

As to not seeing first hop, lets ask this again are you saying your first hop was showing pubic IP??  Not pfsense?  Or did it come back without an answer

1 * * *
2 isp gateway

or what it

1 isp gateway.