ICMP Redirects after a few days
-
Hi,
I have the following setup:
4 WAN connections (2 cablemodems, 2 ADSL PPPOE)
2 LAN, one for the bussiness side (where i have multiple subnets, with the switch doing L3-routing duty) and one for the BYOD side (no routing enabled on the switch).My problem was that from time to time pfSense would start misbehaving and sending ICMP redirects claiming the nexthop out from the network was the switch's IP (i had an IP for the switch on the BYOD side).
Now, when doing a Diagnostics - Routes, said route is NOT available so… i can't understand WHY pfSense starts sending, after a few days, those redirects.Now, i need the switch to have it's IP for the IP-Helper Option 82 to work, but not for routing.
Why are those Redirects happening when there is NO hop on that ip?
-
Ok, update. I disabled redirects in the advanced settings, applied the setting and even rebooted. After a few minutes the system again tells the clients on the BYOD lan to use the switch as a next hop. I repeat, there are NO routes with that IP in the diagnostics page and the switch is configured to drop everything but DHCP requests on that ip… i'm baffled. Why is pfSense sending redirects when it's configured not to? and why to the switch?
-
If you have default gateway switching on and you lose the WAN that is the default gateway pfSense can choose the inside L3 Switch as the default gateway.
I believe there is an open report on this. You probably want to figure out alternative solutions so you can turn default gateway switching off in the meantime.
-
Not this case, all WAN links are working OK. and even then, the Ip for the switch is NOT configured anywhere in the pfSense box (The ip the redirect points to, the real inter-vlan-gateway is in the other lan interface). It doesnt even know it from ARP so i don't understand where the ICMP is coming from. I'm 2 minutes from blocking ICMP inside that VLAN…
-
You will have to provide more specific information. A diagram might be best. ICMP redirects are sent when a router port receives traffic to be routed and the best route is back out the interface on which it arrived.
-
Let's try this:
pfSense box has 6 nics (virtual, thru vmware, esxi does the tagging and untagging)
4 WAN
2 LANThe 2 lans are
10.1.10.x /24 - Normal LAN side
10.1.30.x /24 - Hot LAN side (BYOD)Static routes are:
10.1.0.0/24
10.1.20.0/24
10.1.40.0/24
10.2.0.0/16All of them go thru 10.1.10.254, which is the inter-vlan-router (switch/router has an IP on most vlans on the last IP of the range).
Now, i added the 2nd LAN, configured it with 10.1.30.1, created the rule to pass the traffic onto the gateway group i want and it works.
Like i said before, i DISABLED ICMP redirection on the pfSense box:
net.inet6.ip6.redirect 0
net.inet.ip.redirect Enable sending IP redirects 0And it still, from time to time, stops routing and attemps to redirect people to 10.1.30.254, ip that is NOT a gateway nor does it route.
-
You almost certainly have something buggered up somewhere.
Probably want to packet capture and perhaps examine the MAC addresses that are actually sending the redirects at the time to be sure things are how they appear. Probably not.
-
Yes, packet capture led to a not-yet-powered-off AP that for some reason still was cabled to the network and had the same IP as the gateway. From time to time the IP collision was won by that AP and the redirects began. All hail Wireshark, but i had to wait until today to get time to do some real packet capture…
Thanks for the help.
