ICMP redirect for ICMP works, for TCP it does not (always)

Hi,

I have the following environment in different "places":
Internet <- Mikrotik+OSPF <- LAN <- linux router+OSPF (in LAN) <- VPN (OpenVPN, tap + OSPF)

The servers in the LAN have the Mikrotik as their default gateway.

As an example:
VPN host: 172.17.16.1
Mikrotik 172.16.8.240
Linux router (sato) 172.16.8.7
Linux generic box (sarin) 172.16.8.14

When I try to connect from a host in the VPN, I'm not able to reach the Linux generic box (sarin, 172.16.8.14).
But if I ping the Linux generic box, this works.
Just after the ping, the proper record pops up in the Linux routing table (cache).

ip route show cache

172.17.16.1 via 172.16.8.7 dev eth0
cache expires 298sec

I was testing Mikrotik versions 6.47.8 and 6.49.7.
I've not seen any changelog line related to ICMP redirects, or to redirects which are not for http(s) and similar protocols.

I've made a tcpdump and the following can be observed:

  • when I make a TCP connection without having the routing cache entry, I see a 108-byte ICMP redirect from the Mikrotik to the Linux generic box
  • still, the Linux generic box ignores it (the cache is not populated)
  • when I make a UDP connection without having the routing cache entry, I see a 132-byte ICMP redirect from the Mikrotik to the Linux generic box
  • the Linux generic box immediately populates the entry in the routing cache
  • when I make a UDP connection with the routing cache entry present (e.g. because I pinged the host), the connection works (clearly, the local routing table overrides the generic one, as intended)

I've not asked the Linux kernel/networking team, but with pfSense this setup is working (at least from memory) without any issue.
Unfortunately, I no longer have the pfSense setup to test.
Also, I wish to come back to them with more meaningful information, eventually.

It seems to me that the problem can be related to the kind/content of the ICMP redirect.
As mentioned, the 108-byte redirect sent for TCP is ignored, the 132-byte ICMP redirect is accepted.

I'm attaching the tcpdump output.

Any help is welcome.

Thanks,
Daniel (he/him)
sarin-replicate.pcap.zip (3.2 KB)
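Added example, not part of Daniel's post and not RouterOS or Linux kernel code: a small builder and decoder for IPv4 ICMP Redirect (type 5) messages, so the two redirects in the capture can be compared field by field (new gateway, quoted original header, quoted transport protocol and ports, how much of the original datagram was quoted) instead of only by size. It also applies the simplified host-side checks a Linux receiver makes before installing a redirect (sender must be the current next hop, new gateway must be a different on-link unicast address; summarised from net/ipv4/route.c, with accept_redirects=1 and shared_media=0). The addresses follow the post; the /24 mask, the port numbers and the payload are assumptions, and the 108/132-byte sizes seen in the capture are not reproduced because they depend on how much of the triggering datagram the router quoted.

```python
"""Build/decode IPv4 ICMP redirects and apply simplified Linux acceptance checks (added example)."""
import ipaddress
import socket
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "net", 1: "host", 2: "tos/net", 3: "tos/host"}  # RFC 792 codes
IPPROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over a correctly summed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed IPv4/TCP SYN, no options; TCP checksum left 0 (never verified in a quoted copy)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ipv4_header(src, dst, 6, len(tcp)) + tcp


def udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/UDP datagram, UDP checksum 0 (legal on IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, 17, len(udp)) + udp


def build_redirect(router: str, victim: str, new_gateway: str, original: bytes,
                   code: int = 1, quote=None) -> bytes:
    """ICMP redirect from `router` to `victim` quoting `original`, the datagram that triggered it.
    RFC 792 requires the original IP header plus 8 bytes; RFC 1812 routers (Linux among them)
    quote as much of the datagram as fits in 576 bytes. `quote` truncates the quoted part."""
    quoted = original if quote is None else original[:quote]
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, socket.inet_aton(new_gateway)) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, victim, 1, len(icmp)) + icmp


def parse_redirect(packet: bytes) -> dict:
    """Decode an IPv4/ICMP redirect; raise ValueError for anything a receiver drops while parsing."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or total_len > len(packet):
        raise ValueError("not a complete IPv4/ICMP packet")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    icmp = packet[ihl:total_len]
    if len(icmp) < 8 or checksum(icmp) != 0:
        raise ValueError("bad ICMP length or checksum")
    icmp_type, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if icmp_type != ICMP_REDIRECT or code not in REDIRECT_CODES:
        raise ValueError("not an ICMP redirect")
    inner = icmp[8:]  # the quoted original datagram
    if len(inner) < 20:
        raise ValueError("quoted datagram shorter than an IPv4 header")
    i_ver_ihl, _, _, _, _, _, i_proto, _, i_src, i_dst = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    l4 = inner[(i_ver_ihl & 0x0F) * 4:]
    if len(l4) < 8:
        raise ValueError("RFC 792 minimum (inner IP header + 8 bytes) not met")
    ports = struct.unpack("!HH", l4[:4]) if i_proto in (6, 17) else None
    return {"router": socket.inet_ntoa(src), "target_host": socket.inet_ntoa(dst),
            "code": REDIRECT_CODES[code], "new_gateway": socket.inet_ntoa(gw),
            "orig_src": socket.inet_ntoa(i_src), "orig_dst": socket.inet_ntoa(i_dst),
            "orig_proto": IPPROTO_NAMES.get(i_proto, str(i_proto)), "orig_ports": ports,
            "ip_total_len": total_len, "quoted_len": len(inner)}


def parse_or_reason(packet: bytes):
    """parse_redirect, returning the rejection reason as a string instead of raising."""
    try:
        return parse_redirect(packet)
    except ValueError as exc:
        return str(exc)


def redirect_acceptable(info: dict, host_addr: str, prefix_len: int, current_next_hop: str):
    """Simplified Linux acceptance rules (after net/ipv4/route.c, accept_redirects=1, shared_media=0)."""
    link = ipaddress.ip_interface(f"{host_addr}/{prefix_len}").network
    gw = ipaddress.ip_address(info["new_gateway"])
    if info["router"] != current_next_hop:
        return False, "sender is not the current next hop for the destination"
    if info["new_gateway"] == current_next_hop:
        return False, "new gateway equals the current gateway"
    if gw.is_multicast or gw == link.broadcast_address or gw not in link:
        return False, "new gateway is not an on-link unicast address"
    return True, "would install host route %s via %s" % (info["orig_dst"], info["new_gateway"])


if __name__ == "__main__":
    # Addresses from the post; mask /24, ports and payload are assumed.
    syn = tcp_syn("172.16.8.14", "172.17.16.1", 40000, 22)
    udp = udp_datagram("172.16.8.14", "172.17.16.1", 40000, 53, b"\x00\x01\x02\x03")
    for original in (syn, udp):
        info = parse_redirect(build_redirect("172.16.8.240", "172.16.8.14", "172.16.8.7", original))
        print(info, redirect_acceptable(info, "172.16.8.14", 24, "172.16.8.240"))
```

To run this over the attached capture, hand `parse_or_reason` each frame's bytes with the 14-byte Ethernet header stripped; a redirect that decodes cleanly but still is not installed by the host points at the acceptance rules (or sysctls such as accept_redirects and secure_redirects) rather than at the packet format.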