The administrative network is 192.168.1.0/24 (all RB that are working as AP are on this network)
The RB1000 is working as gateway of my network and I’m using 2 NICs (eth1 and eth2)
On the ETH2 of RB1000 I’ve the IPs 192.168.1.1 (gateway of the RBs) and 200.x.x.1 (gateway of the customers)
The ETH1 of RB1000 is connected to the internet
The RB433 is working as AP and it’s configured as BRIDGE. I’ve 1 wireless card on this RB433 where the customers are registered. On the RB433 I’ve the IP 192.168.1.2 and the gateway of it is 192.168.1.1.
I can ‘ping’ the customers from the RB433. But sometimes I’ve received the following message from the gateway: 192.168.1.1 92 byte redirect host (5:1) time=4 ms
When my gateway was a FreeBSD I never received this message. The problem started after I replaced the FreeBSD with an RB1000.
Does someone know what’s happening? Why do I receive the redirect icmp message?
You receive this message because the ICMP packet is sent and received through the same interface. What happens in your case is that the AP does not know how to reach the client directly. From the AP the packet is being sent to the RB1000, and then the RB1000 is routing it back to the AP and then to the client.
If you don’t like these messages you can drop them in the firewall.
mrz, you do realize that this is a major problem these ICMP messages, right?
I have verified this to be a problem in the case when routing to+from same interface. A router having two networks on the interface, routing from one to the other. Verified v3.30 and v4.5 have the problem.
The problem actually consists of the slowing down or not delivering a service, when a client from the one subnet requests it from a server from the other. Because the router sends these ICMP redirect messages to the client, and obviously the client does not take these well.
MY GOOOOD HOW MANY PROBLEMS WE HAD BECAUSE OF THIS !!! TONS AND TONS AND THE WASTED TIME !!! GOD !!!
This is normal routing stuff… even 15 years ago I would see the Cisco boxes do this. If you route something back out the same interface it came in on then ICMP redirects should go out. Why hit the router if it's on the same wire? Many clients these days will ignore them for security reasons. Now on the other hand, I have seen major memory leaks in Mikrotik because of this (when acting as a client to these messages). I still haven't pinpointed that exactly.
Where Router A has Router B as its gateway. If a host on 10.1.1.0/24 pings a host on 10.1.3.0/24 the first ping gets a reply, everything after fails. Looking into it more, after the first ping ROUTER-B sends an ICMP redirect message to the host on 10.1.3.0/24, however as far as I can tell this is against the RFC (see below) http://www.networksorcery.com/enp/protocol/icmp/msg5.htm http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
As ICMP redirect messages should only be sent if the host and the nexthop are on the SAME subnet, which they are not.
Browsing the forums I found that a rule dropping redirects would fix it and it does, but this appears to be non-RFC compliant?
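Added example, not part of the thread and not RouterOS or Linux code: the three conditions RFC 1812 section 5.2.7.2 places on generating a redirect, evaluated for a router with two subnets on one interface as described above. The ranges 203.0.113.0/24 (standing in for the elided customer range), 198.51.100.0/30 and 10.9.0.0/24, and the next hop 192.168.1.254, are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: eth2 carries two subnets, as in the thread.
# 203.0.113.0/24 stands in for the elided customer range.
CONNECTED = {
    "eth1": ["198.51.100.0/30"],
    "eth2": ["192.168.1.0/24", "203.0.113.0/24"],
}
# Constructed static route: prefix -> (next hop, outgoing interface).
ROUTES = {"10.9.0.0/24": ("192.168.1.254", "eth2")}

@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    source_routed: bool = False

def lookup(dst):
    """Return (next_hop, out_if); on a connected subnet the next hop is dst itself."""
    addr = ipaddress.ip_address(dst)
    for ifname, nets in CONNECTED.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return dst, ifname
    for prefix, (next_hop, ifname) in ROUTES.items():
        if addr in ipaddress.ip_network(prefix):
            return next_hop, ifname
    return None, None

def same_subnet(a, b, ifname):
    """True if a and b fall inside one subnet configured on ifname."""
    a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    return any(a in net and b in net
               for net in map(ipaddress.ip_network, CONNECTED[ifname]))

def redirect_allowed(pkt):
    """RFC 1812 5.2.7.2: all three conditions must hold before a redirect is sent."""
    next_hop, out_if = lookup(pkt.dst)
    if next_hop is None:
        return False
    return (out_if == pkt.in_if                         # same interface in and out
            and same_subnet(pkt.src, next_hop, out_if)  # source shares subnet with next hop
            and not pkt.source_routed)                  # no IP source route option

if __name__ == "__main__":
    for p in (Packet("192.168.1.2", "203.0.113.10", "eth2"),
              Packet("192.168.1.2", "10.9.0.5", "eth2"),
              Packet("192.168.1.2", "198.51.100.2", "eth2")):
        print(p.src, "->", p.dst, "redirect allowed:", redirect_allowed(p))
```

The first packet is the AP-to-customer case: it leaves on the interface it arrived on, but the next hop sits in the other subnet, so these conditions do not permit a redirect. The second packet, whose next hop shares the sender's subnet, is the case the conditions do permit.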
Oh, don’t worry. Linux kernel does that and other things. Recently I discovered zombie IGMP frames coming out of the routers, when provoked with other IGMP frames. Just drop 'em if they interfere.