ICMP Redirect not working on pfSense 2.3.2

  • Hi.

    Related to the attached drawing, ICMP redirects from to are not working.
    At I am not seeing any ICMP redirect packet when I am using Wireshark.
    Windows Firewall is turned off on .40 (MS Server 2012 R2).

    A capture from the pfSense is not showing that the pfSense is sending back an ICMP redirect packet to .40.
    net.inet.ip.redirect is set to value 1 in the pfSense web interface.
    sysctl net.inet.ip.redirect is also showing that the value of net.inet.ip.redirect is 1 (enabled).

    The traffic is rx and tx on the same interface, so "static route filtering" is enabled on the pfSense.

    I have other installations with the exact same setup, and these are working just fine.

    Does anyone have a good idea how to get the ICMP redirect to work?

    Kind regards

  • LAYER 8 Global Moderator

    What exactly are you wanting to happen?

    So you want pfSense to redirect to to get to 192.168.0 over your MPLS??

    I would call that a borked setup.. Why would you not just connect your MPLS CPE to pfSense via a transit network, so pfSense knows exactly how to route to 192.168 via the ISP CPE router, and you don't have to try and hack it to work with redirects..

  • Hi Johnpoz.

    This is a datacenter customer setup.
    All customers have their own pfSense and an internal network for servers.

    I know this is not the best solution; otherwise, using ICMP redirect is not wrong, and it should work just fine.
    I want to use ICMP redirect in this case because I am running out of VLANs in our environment.
    (These days we are migrating to NSX and VXLANs.)
    I don't want to use CPU resources to move internal traffic between the customer and the datacenter.
    Typical customers have 1000 Mbit MPLS connections to the datacenter, and I don't want to use CPU/MEM resources for hundreds of customers' internal traffic.

    Kind regards

  • LAYER 8 Global Moderator

    OK, it's still borked.. Maybe someone else will be willing to help.. Contacting pfSense directly for support would be my suggestion; if you have paying customers with Gig MPLS connections, you should be able to pay for some official support ;)

    That is not how it should ever be set up.. I don't help people configure borked configurations ;) It just makes it look like I would condone such a configuration, which I would never do..

    There is a reason they are not enabled out of the box…

    If you do not want to use cycles on the pfSense to route the traffic as it should, then put in a host route so your host knows to talk to .3 out of the gate, instead of having to wait for a redirect to tell it that it is going to the wrong place for that destination.
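As an added illustration (not part of the thread, and not pfSense code), the following Python script shows exactly what the original poster would have to find in the Wireshark capture: it builds a constructed ICMP Redirect message (type 5, code 1 "redirect for host") of the kind the firewall would send to the server, and dissects one to recover the advertised gateway, the embedded original destination, and whether the checksum is intact. All addresses are constructed RFC 5737 documentation values standing in for the thread's elided hosts; the function names are the example's own.

```python
import struct
import ipaddress

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_redirect(gateway: str, offending_datagram: bytes, code: int = 1) -> bytes:
    """Build an ICMP Redirect (type 5; code 1 = redirect for host) pointing at `gateway`.
    The body carries the IP header + first 8 data bytes of the datagram that was misrouted."""
    body = struct.pack("!BBH", 5, code, 0) + ipaddress.IPv4Address(gateway).packed + offending_datagram
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_icmp_redirect(icmp: bytes):
    """Dissect an ICMP message; return the redirect fields, or None if it is not a redirect."""
    if len(icmp) < 28:          # 8-byte ICMP header + at least a 20-byte embedded IP header
        return None
    msg_type, code, _ = struct.unpack("!BBH", icmp[:4])
    if msg_type != 5:
        return None
    inner = icmp[8:]            # embedded IP header of the packet that triggered the redirect
    return {
        "code": code,
        "checksum_ok": icmp_checksum(icmp) == 0,   # an intact message sums to zero
        "gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "original_src": str(ipaddress.IPv4Address(inner[12:16])),
        "original_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }

def constructed_offending_datagram() -> bytes:
    """Constructed sample: IPv4 header (TCP, no options) of a packet the host sent via the
    firewall plus 8 bytes of TCP header. Addresses are RFC 5737 documentation ranges, not the thread's."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address("192.0.2.40").packed,     # stands in for host .40
                         ipaddress.IPv4Address("198.51.100.10").packed)  # remote destination
    return ip_hdr + struct.pack("!HHI", 50000, 443, 1)

if __name__ == "__main__":
    # 192.0.2.3 stands in for the CPE router (.3) the redirect should point the host at
    pkt = build_redirect("192.0.2.3", constructed_offending_datagram())
    print(parse_icmp_redirect(pkt))
```

In a capture, filtering on ICMP type 5 and checking that the gateway field names the intended next hop is the quickest way to tell whether the firewall emitted a redirect at all or the host simply ignored one.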
