ICMP redirects not functional in v1.2?



  • Greetings all,

    I have just replaced my old Nokia IP330 running v1.0.1 with a brand spanking new IP330 with v1.2.  As you might guess from the subject of this message, I was disappointed to find that ICMP redirects are still not working.  I'm sure that this is a non-issue for most people but it is currently an important part of my network.  Unfortunately, the "fix" that I have been using for the past 16 months is not working in v1.2.  The fix was to enable "Bypass firewall rules for traffic on the same interface" and to run the command "sysctl net.inet.ip.redirect=1".  I am including a link to the original thread in which Scott, Bill and Peter were able to help me resolve the problem in v1.0.1.  I am optimistic that one of you may be able to help me get this feature working in v1.2.

    Sincere regards,
    Mitch

    http://www.mail-archive.com/support@pfsense.com/msg07839.html



  • The same thing should still work, are you sure it isn't?

    Will check into it when I get a chance, though that'll likely be a couple weeks at best.



  • Hi Chris,

    The simple test for me is just to ping one of my subnets from a Windows machine and then look for a host route in the routing table.  In v1.0.1, that happens after running the sysctl command.  In v1.2, no entry is added to the routing table after running the sysctl command.  You don't have to put a great deal of effort into this as I can imagine how busy you guys must be.  I have recently got my boss to purchase a layer 3 switch that I plan to install as a boundary router behind my pfsense box.  I'll still have 1 remote subnet that will be difficult to route due to network topology of some remote locations.  I believe that I can route to it using a VLAN and, if so, I will no longer need ICMP redirects.  Just a couple static routes will do the trick.  Nevertheless, I would still like to know how to get redirects working should you or anyone have time to experiment.  In the meantime, I will do some more testing to make sure that I didn't miss anything obvious.

    Thanks,
    Mitch

    Update:  I just tried testing the unit on my workbench and… ICMP redirects worked correctly!  I'm sure that I didn't make a mistake when entering the sysctl command the other night because I triple checked it and rebooted the unit several times trying to get it to work.  I will install it back into the rack later this weekend and keep my fingers crossed.

    Not being very familiar with FreeBSD, I have to ask, is there a way to make this setting persistent across reboots?
    sysctl net.inet.ip.redirect=1

    Thanks!
    Mitch



  • I probably should have put this update into a new message in order to get noticed.  ::)

    Update:  I just tried testing the unit on my workbench and… ICMP redirects worked correctly!  I'm sure that I didn't make a mistake when entering the sysctl command the other night because I triple checked it and rebooted the unit several times trying to get it to work.  I will install it back into the rack later this weekend and keep my fingers crossed.

    Not being very familiar with FreeBSD, I have to ask, is there a way to make this setting persistent across reboots?
    sysctl net.inet.ip.redirect=1

    Thanks!
    Mitch



  • Search for shellcmd



  • Cool…. that seems to do the trick.  Added the sysctl command to /conf/config.xml under the <system> heading as listed below.

    Thanks Scott!!

    <system>
    .
    .
    <shellcmd>sysctl net.inet.ip.redirect=1</shellcmd>
    </system>
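
An added example, not part of the thread or of pfSense itself: a Python check that reads a config.xml and reports which sysctls its <shellcmd> entries set at boot, so the net.inet.ip.redirect override from this thread can be confirmed after an upgrade or a config restore. The sample config, its hostname and the function names are constructed for illustration, and the code assumes <system> sits directly under the root element.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal config.xml holding only the elements used here.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw-example</hostname>
    <shellcmd>sysctl net.inet.ip.redirect=1</shellcmd>
    <shellcmd>sysctl -w net.inet.ip.forwarding=1; echo done</shellcmd>
  </system>
</pfsense>
"""

# Matches "sysctl [-flags] name=value" anywhere inside a shellcmd string.
SYSCTL_RE = re.compile(r"\bsysctl\s+(?:-\w+\s+)*([\w.]+)=(\S+)")


def boot_sysctls(config_xml):
    """Return {sysctl_name: value} set by <shellcmd> entries under <system>.

    Raises ValueError when the XML is not well-formed, for example when a
    hand edit leaves a stray closing tag behind.
    """
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        raise ValueError(f"config.xml is not well-formed: {exc}") from exc
    # Accept either a full config or a bare <system> fragment.
    system = root if root.tag == "system" else root.find("system")
    if system is None:
        return {}
    settings = {}
    for cmd in system.findall("shellcmd"):
        for name, value in SYSCTL_RE.findall(cmd.text or ""):
            # A later entry for the same sysctl replaces an earlier one.
            settings[name] = value.rstrip(";")
    return settings


def redirects_enabled_at_boot(config_xml):
    """True when a shellcmd sets net.inet.ip.redirect to 1."""
    return boot_sysctls(config_xml).get("net.inet.ip.redirect") == "1"


if __name__ == "__main__":
    print(boot_sysctls(SAMPLE_CONFIG))
```

Running it against a copy of /conf/config.xml before and after an upgrade shows whether the boot-time override survived.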

