On 2018-05-03 Martin Pieuchot <m...@openbsd.org> wrote: > On 02/05/18(Wed) 14:45, Christopher Zimmermann wrote: > > On 2018-05-02 Martin Pieuchot <m...@openbsd.org> wrote: > > > On 02/05/18(Wed) 11:47, Christopher Zimmermann wrote: > > > > I just want to bring this up again. Can some network guru give me an ok > > > > or some feedback please? > > > > > > Can you explain with words why we shouldn't send a redirect? The > > > comment above your diff states clearly: > > > > > > "If forwarding packet using same interface that it came in on, > > > perhaps should send a redirect to sender to shortcut a hop." > > > > > > So you're suggesting no to do that, why? > > > > That's not exactly what I'm suggesting. > > > > In this setting: > > > > A 192.168.4.7 <--> 192.168.4.1 Gateway 192.168.1.1 <--> 192.168.1.2 B > > > > I observed this senseless redirect: > > > > 192.168.4.1 > 192.168.4.7: icmp: redirect 192.168.1.2 to host 192.168.4.1 > > in plain language it means: > > "Hi 192.168.4.7, I'm 192.168.4.1. You sent me a packet for 192.168.1.2. > > I'm not the best route, next time send it to 192.168.4.1." > > So the gateway is instructing host 192.168.4.7 to use gateway > > 192.168.4.1 instead of 192.168.4.1. (this is not a typo!) > > How does your routing table looks like?
% doas ifconfig vlan2 vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 index 7 priority 0 llprio 3 encap: vnetid 2 parent em2 status: active inet 192.168.4.1 netmask 0xfffffff0 broadcast 192.168.4.15 % doas route -n show -inet Routing tables Internet: Destination Gateway Flags Refs Use Mtu Prio Iface default 62.27.93.143 UGS 5 63324 - 8 pppoe0 224/4 127.0.0.1 URS 0 0 32768 8 lo0 62.27.93.143 85.212.225.8 UHh 1 1 - 8 pppoe0 85.212.225.8 85.212.225.8 UHl 0 1589 - 1 pppoe0 127/8 127.0.0.1 UGRS 0 0 32768 8 lo0 127.0.0.1 127.0.0.1 UHhl 9 1131 32768 1 lo0 192.168.0/22 192.168.4.1 UGS 0 314 - 8 vlan2 <- this is the culprit 192.168.4.0/28 192.168.4.1 UCn 2 0 - 4 vlan2 You'll note I manually (Flag S) added this rather senseless route to gateway 192.268.4.1 (Flag G), which is the very same machine. Why did I do this? To prevent leakage of packets which should be routed via IPsec. Without this pseudo-route packets from localhost to 192.168.0/22 would be routed via default route on pppoe0 and have the src IP masqueraded by nat-to 85.212.225.8, which would not be caught by the IPsec flow. If I'm doing something wrong here and should have solved this another way please tell me. Using a "flow esp in from 0.0.0.0/0" would work on the local side, but the remote side would be required to accept packets from arbitrary IPs, too. Christopher -- http://gmerlin.de OpenPGP: http://gmerlin.de/christopher.pub 2779 7F73 44FD 0736 B67A C410 69EC 7922 34B4 2566