 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: wierd static route problem
 Date:  Thu, 7 Apr 2005 17:28:52 -0400
On Apr 7, 2005 5:01 PM, Jesse Guardiani <jesse at wingnet dot net> wrote:
> On Wed, 06 Apr 2005 20:37:39 -0400, Chris Buechler wrote:
> 
> > On Apr 5, 2005 3:34 AM, Jesse D. Guardiani <jesse at wingnet dot net> wrote:
> >>
> >> 1.) A ping from the m0n0wall webgui to 192.168.90.3 seems to work, but
> >>    please examine the below tcpdump output, taken from 192.168.90.3
> >>    during the ping test, and tell me if anything looks incorrect:
> >>
> >> 03:04:11.410313 IP 192.168.89.1 > 192.168.90.3: icmp 64: echo request seq 0
> >> 03:04:11.475002 IP 192.168.90.3 > 192.168.89.1: icmp 64: echo reply seq 0
> >> 03:04:11.416746 IP 192.168.89.1 > 192.168.90.3: icmp 64: echo request seq 0
> >> 03:04:11.416816 IP 192.168.90.3 > 192.168.89.1: icmp 64: echo reply seq 0
> >
> > I just tried this, and got the same result from either m0n0wall itself
> > or directly from a client machine.
> 
> Tried what? Please be more specific.
> 

m0n0wall (LAN) is 10.0.40.1 (/24)
server at 10.0.40.3
PC at 10.0.40.21

Added alias ('ifconfig em0 inet 10.0.10.2 netmask 255.255.255.255
alias' on FreeBSD) on the server in question.

Added static route to m0n0wall, on LAN interface, pointing
10.0.10.2/32 to 10.0.40.3.

With Ethereal going, tried to ping 10.0.10.2 from 10.0.40.21.  First
ping went through, routed by m0n0wall, ICMP redirect was sent from
m0n0wall, subsequent pings went through without touching m0n0wall.  I
could hit http://10.0.10.2, ssh to 10.0.10.2, etc.  Everything I tried
worked fine.

One thing I just thought of was that these services aren't strictly
bound to the 10.0.10.2 IP; they're bound to all IPs.  Regardless,
that shouldn't matter.


> 
> > Assuming they're all on the same subnet, the adding a static route to
> > the host working makes no sense.  If m0n0wall has a static route to
> > something out the same interface it came in on, it'll bounce back an
> > ICMP redirect, and the host machine, if it accepts ICMP redirects
> > (pretty much every OS does by default), will communicate without even
> > touching m0n0wall on subsequent traffic.
> 
> That's just it. I haven't seen any ICMP redirects from m0n0wall for this.
> I have a production m0n0wall machine doing a static route just fine, but
> the static route gateway points to a cisco router. I'm just trying to
> figure out why it doesn't work when I point the static route gateway to
> a Linux machine.
> 

Yeah, I didn't see any ICMP redirects either in your tcpdumps.  With
that static route added, go to exec.php and run a 'route print
1.2.3.4/32' (replaced with the IP of the route) and see what comes
back.

You're using 1.2b7, I reverted my production box back to b3.  One
other difference is you're using OPT, I'm using LAN.  I'm curious if
you try a pre-5.3 version if it works as intended.  I'll see if I can
try a b7 test box, and try an OPT interface.


> I've tried all
> sorts of programs, like `ping -I 192.168.90.3 192.168.89.1` with the
> same results. 

What's 'ping -l' on Linux?  (out of curiosity)  That's for preload on
FreeBSD, so that command isn't syntactically valid.

-Chris
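
The redirect behaviour described in the message, as an added example that is not part of the original post: a simplified model of a router's forwarding decision, using the addresses from the test setup above (LAN 10.0.40.1/24, static route 10.0.10.2/32 via 10.0.40.3). The interface names, the `opt1` subnet and the function names are assumptions made for illustration; this is not m0n0wall or FreeBSD code.

```python
import ipaddress as ip

# LAN address and static route are taken from the message; "opt1" is a
# constructed second interface (documentation range) used for contrast.
INTERFACES = {
    "lan": ip.ip_interface("10.0.40.1/24"),
    "opt1": ip.ip_interface("192.0.2.1/24"),
}
STATIC_ROUTES = [(ip.ip_network("10.0.10.2/32"), ip.ip_address("10.0.40.3"), "lan")]


def lookup(dst):
    """Longest-prefix match; returns (egress interface, next hop) or None."""
    dst = ip.ip_address(dst)
    candidates = [(net, gw, name) for net, gw, name in STATIC_ROUTES if dst in net]
    # Directly connected networks: the next hop is the destination itself.
    candidates += [(i.network, dst, name)
                   for name, i in INTERFACES.items() if dst in i.network]
    if not candidates:
        return None
    _, gw, name = max(candidates, key=lambda c: c[0].prefixlen)
    return name, gw


def forward(src, dst, in_if):
    """Return (action, redirect_gateway) for a packet arriving on in_if.

    A redirect is advised when the packet leaves through the interface it
    arrived on and the sender is on that interface's connected network,
    so the sender could have reached the next hop without the router.
    """
    route = lookup(dst)
    if route is None:
        return "drop", None          # no default route in this model
    out_if, gw = route
    same_wire = out_if == in_if and ip.ip_address(src) in INTERFACES[in_if].network
    if same_wire and gw != INTERFACES[in_if].ip:
        return "forward", gw         # forward now, tell sender to use gw next time
    return "forward", None


if __name__ == "__main__":
    print(forward("10.0.40.21", "10.0.10.2", "lan"))    # LAN client: redirect
    print(forward("192.0.2.50", "10.0.10.2", "opt1"))   # other interface: none
```

Once a host acts on the redirect, its later packets to 10.0.10.2 go straight to 10.0.40.3, so they no longer appear in a capture taken on the router.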