I have a strange problem with m0n0wall and static routes. My network looks
like this:
                Default GW
                    |
                   WAN
                    |
                +--------+
                |m0n0wall|---DMZ
                +--------+
                    |
LAN----192.168.1.254--.. ..-172.16.1.1
My LAN subnet is 192.168.1.0/24 and the .254 machine is a router that can
reach the 172.16.0.0/16 network via some MPLS network.
I have added a static route to the LAN interface on the m0n0wall to reach
the 172.16.0.0/16 network via 192.168.1.254.
When I try to reach 172.16.1.1 from my LAN using the m0n0wall as a default
gateway strange things happen. If I ping 172.16.1.1 from LAN I get a reply
and I can see that ICMP redirects are being sent to tell me that
192.168.1.254 is a more direct route to that host. This is fine. If I try to
SSH to that host I am prompted for a password. If I enter the password
correctly the connection hangs. When I check the logs on the m0n0wall I see
the following:
22:29:23.387117 dc0 @0:68 b 192.168.1.201,40452 -> 172.16.1.1,22 PR tcp len 20 64 -A IN
22:29:23.349785 dc0 @0:68 b 192.168.1.201,40452 -> 172.16.1.1,22 PR tcp len 20 436 -AP IN
Does this mean that this traffic is being dropped by the m0n0wall? It
doesn't make sense to me since dc0 is my LAN interface and I have a rule to
permit all traffic coming in on the LAN interface.
Also since I do get the password prompt from SSH some packets do in fact get
through. Perhaps only the first one or two?
Any help is appreciated. I can post more info if you need it.
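The two log entries quoted above have the shape a stateful firewall produces when it only ever sees one half of a connection: the packets are blocked (`b`), they arrive on the LAN interface, and they carry ACK or ACK+PSH but no SYN, i.e. they belong to a flow the state table does not recognise as established. With a static route that sends 172.16.0.0/16 to a router on the same LAN, the firewall forwards the SYN back out the LAN interface, the reply from 172.16.1.1 comes back via 192.168.1.254 directly to the client (hence the ICMP redirect), and the firewall never sees the SYN-ACK, so later packets fail the state check. The script below is an added example, not part of this post and not m0n0wall's own code: it parses ipf-style log lines, classifies each block as a new connection or a mid-stream packet, and flags mid-stream blocks whose destination is reached via a next hop on the ingress subnet. It assumes the topology described in the post (LAN 192.168.1.0/24 on dc0, static route 172.16.0.0/16 via 192.168.1.254); the sample log is constructed from the two quoted lines plus two made-up lines for contrast.

```python
"""Classify ipfilter (m0n0wall) log lines to spot mid-stream blocks on a
hairpinned route. Added example, not m0n0wall code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- constructed sample input -------------------------------------------
# The first two lines are the ones quoted in the post; the other two are
# made up so the classifier has a passed SYN and an ordinary block to contrast.
SAMPLE_LOG = """\
22:29:23.387117 dc0 @0:68 b 192.168.1.201,40452 -> 172.16.1.1,22 PR tcp len 20 64 -A IN
22:29:23.349785 dc0 @0:68 b 192.168.1.201,40452 -> 172.16.1.1,22 PR tcp len 20 436 -AP IN
22:29:21.101000 dc0 @0:12 p 192.168.1.201,40452 -> 172.16.1.1,22 PR tcp len 20 60 -S IN
22:29:25.500000 dc0 @0:68 b 192.168.1.77,51000 -> 10.9.9.9,445 PR tcp len 20 52 -S IN
"""

# Assumed topology, taken from the post: LAN is 192.168.1.0/24 on dc0 and a
# static route sends 172.16.0.0/16 to 192.168.1.254, a router on that same LAN.
LAN_IFACES = {"dc0": ipaddress.ip_network("192.168.1.0/24")}
STATIC_ROUTES = {
    ipaddress.ip_network("172.16.0.0/16"): ipaddress.ip_address("192.168.1.254"),
}

# Field layout of an ipf log line as shown in the post:
# <time> <iface> @<group>:<rule> <b|p> <src>,<sport> -> <dst>,<dport> PR <proto>
#        len <hdrlen> <pktlen> [-<tcpflags>] <IN|OUT>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+)\s+@(?P<rule>\d+:\d+)\s+"
    r"(?P<action>[bp])\s+(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+"
    r"(?P<plen>\d+)(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<direction>IN|OUT)$"
)


@dataclass
class IpfEntry:
    ts: str
    iface: str
    rule: str
    action: str        # 'b' = blocked, 'p' = passed
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    flags: str         # TCP flag letters, e.g. "S", "A", "AP"; "" for non-TCP
    direction: str


def parse_line(line: str) -> Optional[IpfEntry]:
    """Parse one ipf log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return IpfEntry(
        ts=m["ts"], iface=m["iface"], rule=m["rule"], action=m["action"],
        src=ipaddress.ip_address(m["src"]), sport=int(m["sport"]),
        dst=ipaddress.ip_address(m["dst"]), dport=int(m["dport"]),
        proto=m["proto"], flags=m["flags"] or "", direction=m["direction"],
    )


def parse_log(text: str) -> List[IpfEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def hairpin_gateway(e: IpfEntry) -> Optional[ipaddress.IPv4Address]:
    """Return the next hop if the packet arrived on a LAN interface and the
    firewall would forward it straight back out that interface to a router on
    the same subnet. The return path then bypasses the firewall entirely."""
    lan = LAN_IFACES.get(e.iface)
    if lan is None or e.direction != "IN" or e.src not in lan:
        return None
    for net, gw in STATIC_ROUTES.items():
        if e.dst in net and gw in lan:
            return gw
    return None


def classify(e: IpfEntry) -> str:
    """Label a log entry. A blocked TCP packet that carries ACK but no SYN is a
    mid-stream packet the state table did not recognise; on a hairpinned route
    that is the expected symptom, since the firewall never saw the reply half."""
    if e.action == "p":
        return "passed"
    if e.proto == "tcp" and "A" in e.flags and "S" not in e.flags:
        if hairpin_gateway(e) is not None:
            return "blocked-midstream-hairpin"
        return "blocked-midstream"
    return "blocked-new"


def summarize(text: str) -> Dict[str, int]:
    """Count entries per classification label."""
    counts: Dict[str, int] = {}
    for e in parse_log(text):
        label = classify(e)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        gw = hairpin_gateway(e)
        hint = f" (next hop {gw} on {e.iface})" if gw else ""
        print(f"{e.ts} {e.src}:{e.sport} -> {e.dst}:{e.dport} "
              f"flags={e.flags or '-'} {classify(e)}{hint}")
```

Run it against the firewall's own log export to see how many of the blocks are mid-stream packets on a hairpinned route versus genuinely new connections; a high count of the former on a single destination prefix points at the routing layout rather than at the pass rule, and the usual fixes are to put the route on the clients (or on a DHCP-pushed route), move the 172.16.0.0/16 router onto its own interface, or disable state enforcement for that flow so the one-sided traffic is allowed through.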