Windows 7 ICMP Redirect Broken



  • I know that it does not follow best practices to have routers and firewalls on the same subnet. Let’s just say I’m stuck with it. I have a route set up in my pfSense box for a remote subnet, which redirects to a LAN-connected router. When trying to reach the remote subnet via the router, the default gateway (pfSense) will send an ICMP redirect to a client, as expected. TCP connections to that subnet drop after a short period of time. Using Wireshark, I discovered Windows 7 clients will stop using the redirect information and start trying to communicate with the default gateway (pfSense box) IN THE MIDDLE OF THE CONVERSATION. pfSense does not send another ICMP redirect. It forwards traffic through the LAN NIC for a while, then the connection drops. After doing some research (check out: http://community.spiceworks.com/topic/292861-icmp-redirects ), I discovered ICMP redirects are broken in Windows 7 due to the way the Base Filtering Engine works. The old Sonicwall I am trying to replace does send a new redirect when Windows 7 gets stupid. Does anyone know how to get pfSense to do the same?
    I’ve checked the Static Route Filtering option to bypass firewall rules on the same interface. This did not help.



  • This may not be linked to Windows 7.
    I have the same problem with a Linux-based network (Ubuntu). I'm in the middle of a migration of firewalls to pfSense. I have the older firewall still working (Endian), holding a VPN to a remote network.
    I have a static route on pfSense telling it that when a local address wants to reach that remote network, the packets must be routed to the older firewall.
    It works, but sometimes a simple ssh or http connection to a Linux host on that remote network doesn't work. The fact is that if I try to ping the remote Linux host, I get the ICMP redirect. If I first start an ssh session I don't get the ICMP redirect (checked with Wireshark).
    After the ping and the ICMP redirect, the ssh connection starts to work.
    No Windows involved in this. Maybe I'm missing something in my pfSense configuration.
    I'm planning to dismiss the old firewall in a few days, so the problem is not a real problem for me, but maybe someone can shed a bit of light here :)
    Thanks!!



  • I have not tested this with other operating systems such as Ubuntu. What I do know is that Windows 7 will redirect to an alternative router for a given remote network. Then, during the course of a TCP conversation, the Windows 7 machine will stop talking to the other router and start replying to the MAC of the pfSense box for no apparent reason. I’ve seen it happen at 7 seconds and at 40 seconds into the conversation. Unlike my old Sonicwall, pfSense does not send a new redirect to the Windows 7 PC. If this is happening with other operating systems, all the more reason for it to be addressed. I say it is a Windows 7 problem because, from what I read, XP will redirect and actually add the route to the routing table. I would need to find the time to test and confirm. Micro$oft isn’t going to fix this and there are a ton of Windows 7 machines out there. It should also be tested with that new “sorry business users…we are going after the tablet and smart phone market” operating system known as Windows 8.
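The behaviour described in the first and third posts (client honours the ICMP redirect, then part-way through the TCP conversation goes back to the default gateway's MAC, and the gateway never re-redirects) is easiest to confirm from a capture rather than by eye. The script below is an added example, not code from this thread or from the pfSense project. It reads a constructed, simplified per-frame summary of the kind you could build from a Wireshark/tshark export (the column layout, the MAC addresses and the IP addresses are all placeholders chosen for the example) and reports, per client/destination pair, when the client reverted to the gateway MAC after following a redirect, how long after the redirect that happened, and whether the gateway answered with a fresh redirect.

```python
"""Spot clients that stop honouring an ICMP redirect mid-connection.

Input is a constructed, simplified per-frame summary (one frame per line,
tab-separated) of the kind a Wireshark/tshark export could be reduced to:

    time  eth.src  eth.dst  ip.src  ip.dst  kind  extra

kind is "tcp" for a TCP segment or "redirect" for an ICMP type-5 message; for
redirects, extra is "orig_dst=<ip>,new_gw=<ip>". The column layout is an
assumption of this example, not a tshark default.
"""
from dataclasses import dataclass, field

GATEWAY_MAC = "00:11:22:33:44:01"   # placeholder: default gateway (pfSense) LAN NIC
ROUTER_MAC = "00:11:22:33:44:02"    # placeholder: LAN-connected router
CLIENT_MAC = "00:11:22:33:44:10"    # placeholder: client PC

# Constructed capture: the client is redirected at t=0.2, follows the redirect,
# then at t=7.1 silently goes back to the default gateway. No second redirect.
SAMPLE_NO_REREDIRECT = (
    "0.000\t00:11:22:33:44:10\t00:11:22:33:44:01\t192.0.2.10\t198.51.100.20\ttcp\tSYN\n"
    "0.200\t00:11:22:33:44:01\t00:11:22:33:44:10\t192.0.2.1\t192.0.2.10\tredirect\t"
    "orig_dst=198.51.100.20,new_gw=192.0.2.254\n"
    "0.250\t00:11:22:33:44:10\t00:11:22:33:44:02\t192.0.2.10\t198.51.100.20\ttcp\tACK\n"
    "3.000\t00:11:22:33:44:10\t00:11:22:33:44:02\t192.0.2.10\t198.51.100.20\ttcp\tPSH\n"
    "7.100\t00:11:22:33:44:10\t00:11:22:33:44:01\t192.0.2.10\t198.51.100.20\ttcp\tPSH\n"
    "7.400\t00:11:22:33:44:10\t00:11:22:33:44:01\t192.0.2.10\t198.51.100.20\ttcp\tPSH\n"
)

# Same constructed capture, but the gateway answers the reversion with a fresh
# redirect (the behaviour attributed to the old Sonicwall in the thread).
SAMPLE_WITH_REREDIRECT = SAMPLE_NO_REREDIRECT + (
    "7.500\t00:11:22:33:44:01\t00:11:22:33:44:10\t192.0.2.1\t192.0.2.10\tredirect\t"
    "orig_dst=198.51.100.20,new_gw=192.0.2.254\n"
    "7.550\t00:11:22:33:44:10\t00:11:22:33:44:02\t192.0.2.10\t198.51.100.20\ttcp\tPSH\n"
)


@dataclass
class Reversion:
    client: str
    dest: str
    time: float                 # when the client went back to the gateway MAC
    secs_after_redirect: float  # how long it honoured the redirect first
    re_redirected: bool = False # did the gateway send a new redirect afterwards?


@dataclass
class Report:
    # (client_ip, dest_ip) -> (new_gateway_ip, time of most recent redirect)
    redirects: dict = field(default_factory=dict)
    reversions: list = field(default_factory=list)


def _parse_extra(extra: str) -> dict:
    return dict(kv.split("=", 1) for kv in extra.split(","))


def analyse(capture: str, gateway_mac: str) -> Report:
    report = Report()
    honoured = set()  # pairs currently sending via a MAC other than the gateway's
    for line in capture.splitlines():
        if not line.strip():
            continue
        t_str, smac, dmac, sip, dip, kind, extra = line.split("\t")
        t = float(t_str)
        if kind == "redirect" and smac == gateway_mac:
            info = _parse_extra(extra)
            key = (dip, info["orig_dst"])
            if key in report.redirects:
                # A repeat redirect: mark any open reversion for this pair as answered.
                for r in report.reversions:
                    if (r.client, r.dest) == key and not r.re_redirected:
                        r.re_redirected = True
            report.redirects[key] = (info["new_gw"], t)
        elif kind == "tcp":
            key = (sip, dip)
            if key not in report.redirects:
                continue  # no redirect seen for this pair; nothing to judge
            _, t_redirect = report.redirects[key]
            if dmac != gateway_mac:
                honoured.add(key)
            elif key in honoured:
                # Client had followed the redirect and is now back at the gateway.
                report.reversions.append(
                    Reversion(sip, dip, t, round(t - t_redirect, 3)))
                honoured.discard(key)  # report once per episode
    return report


if __name__ == "__main__":
    for name, cap in (("no re-redirect", SAMPLE_NO_REREDIRECT),
                      ("with re-redirect", SAMPLE_WITH_REREDIRECT)):
        rep = analyse(cap, GATEWAY_MAC)
        print(f"== {name}")
        for r in rep.reversions:
            print(f"{r.client}->{r.dest} reverted to gateway at t={r.time}s "
                  f"({r.secs_after_redirect}s after redirect); "
                  f"gateway re-redirected: {r.re_redirected}")
```

Run against a real capture, replace the sample strings with your own export in the same seven-column layout and set GATEWAY_MAC to the firewall's LAN interface MAC; a reversion with `re_redirected: False` is exactly the pfSense-side symptom the thread describes, while `True` is the Sonicwall-style recovery.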



  • I am having this problem too. It's a real pain. My ssh session drops after a few tens of seconds. Ping works fine, but I am using PuTTY on Windows 7, and it closes the ssh session promptly.

    Has anyone reported this in the bug tracker?

