Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Packet rewrite

    General pfSense Questions
    2
    5
    666
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      akghetto
      last edited by akghetto

      Listing this under general forum as I’m not sure any of the other forums are more applicable

      Using pfsense as an edge router; eBGP on my multiple WAN/upstream links and iBGP to other network routers.

      On some of my WAN links they are tunnels, GRE or Wireguard. When doing traceroutes from external networks to downstream routers or other hosts on my network, I am getting “leakage” of the inner-tunnel IP addresses showing up as they pass through the pfsense box; example below.

      The pfsense box isn’t doing NAT on these interfaces, just routing. That said… I need a way to rewrite the ICMP packets to replace or rewrite the inner-tunnel IP with another IP (be it a virtual IP, another interface’s IP, etc) so that traceroutes don't reflect the inner-tunnel IP in any way.

      I have experience doing this in BIRD via the “krt_prefsrc” rewrite variable, but FRR/FreeBSD doesn’t use that so thinking I may be able to do something with NAT??

      Alternatively, there is the system tunable “net.inet.icmp.reply_from_interface” - is it advisable to alter that?

      Thoughts?

      Running 22.01 on a SG-8860.

      Thank you.

      Screen Shot 2022-04-02 at 15.16.53.png

      1 Reply Last reply Reply Quote 0
      • A
        akghetto
        last edited by

        Solved using a combination of two tunables:

        • net.inet.icmp.reply_from_interface=0

        • net.inet.icmp.reply_src=<<iface that you want the IP to reflect in ICMP traffic, e.g. igb0 or em2>>

        1 Reply Last reply Reply Quote 1
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Interesting. What was the reason for not wanting the internal tunnel IPs to show in a traceroute?

          Doing this makes route diagnosis more difficult if there is a ever a problem.

          Steve

          A 1 Reply Last reply Reply Quote 1
          • A
            akghetto @stephenw10
            last edited by

            @stephenw10

            A couple thoughts:

            1. don’t want the inner-tunnel IP showing party due to looking tacky, but also due to security concerns (third parties don’t need to know about the tunnel, IP schemes, etc). Some of my other sites have other routers in play further downstream with non-routeable addresses which even further paints a picture that doesn’t need filled in.

            2. I would argue that having a routeable IP and in-addr PTR makes things more easier to troubleshoot, because you know which box/router the traffic is actually flowing through. The argument could be said in the screenshot from this thread that a network admin really has no idea what path the traffic took between hop 7 and 9. And at the end of the day, whenever you do a traceroute between any points on the public Internet, the vast majority of those hosts have multiple interfaces and the IPs you see could very well be an IP of another interface on that router and not the actual interface your traffic ingress/egressed on… so where as-is you have no info to go on in troubleshooting, and corrected you at least have something to go off of…. I’ll take the latter if it’s me.

            1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              Mmm, I could see that. If it works better for you then why not.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.