icmp redirect

Greeting guys,

I've done one thing with Mikrotik and the icmp redirect feature. Just one simple experiment.

I've got one simple network setup like this >>

172.16.0.0/23 ---- MIKROTIK ----- 10.0.0.0/24 -----GW 10.0.0.254

I've configured the default gw at the mikrotik box as 10.0.0.254 and NATed the 172.16.0.0/23 to the ip address which belongs to the 10.0.0.0/24 so it can access the internet.

ip conf;

ADDRESS NETWORK BROADCAST INTERFACE

0 ;;; HOME LAN
172.16.0.1/23 172.16.0.0 172.16.0.255 MYLAN
1 ;;; interneti
10.0.0.252/24 10.0.0.0 10.0.0.255 INTERNET

nat conf;

1 src-address=172.16.0.0/23 action=nat to-src-address=10.0.0.252

route conf;

DST-ADDRESS G GATEWAY DISTANCE INTERFACE

2 S 0.0.0.0/0 r 10.0.0.254 1 INTERNET
4 DC 172.16.0.0/23 r 0.0.0.0 0 MYLAN
5 DC 10.0.0.0/24 r 0.0.0.0 0 INTERNET

This setup works fine like this, but I've changed the gateway of the mikrotik box to 10.0.0.253, which happens to be a linux server with ip forwarding enabled.

# Controls IP packet forwarding

net.ipv4.ip_forward = 1

[root@linuxi all]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.0.0.254 0.0.0.0 UG 0 0 0 eth0


Normally when the traffic is directed to this host it will send an icmp redirect message indicating that this is not the best recipient of the message, giving back a message like this;

Sep 4 02:48:01 linuxi kernel: IN= OUT=eth0 SRC=10.0.0.253 DST=10.0.0.252 LEN=573 TOS=0x00 PREC=0xC0 TTL=64 ID=32847 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=10.0.0.254 [SRC=10.0.0.252 DST=193.203.227.129 LEN=545 TOS=0x00 PREC=0x00 TTL=127 ID=47416 DF PROTO=TCP SPT=3520 DPT=80 WINDOW=63489 RES=0x00 ACK PSH URGP=0 ]

The thing is that the mikrotik box still continues sending traffic to 10.0.0.253 even if it got the icmp redirect message, which can be seen from this log;

Sep 4 03:01:38 nikonet kernel: IN=eth0 OUT=eth0 SRC=10.0.0.252 DST=159.148.147.196 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=50890 DF PROTO=TCP SPT=3597 DPT=80 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Sep 4 03:01:53 nikonet kernel: IN=eth0 OUT=eth0 SRC=10.0.0.252 DST=195.22.198.37 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=50939 DF PROTO=TCP SPT=3552 DPT=80 WINDOW=63569 RES=0x00 ACK FIN URGP=0
Sep 4 03:01:53 nikonet kernel: IN=eth0 OUT=eth0 SRC=10.0.0.252 DST=195.22.198.37 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=50940 DF PROTO=TCP SPT=3552 DPT=80 WINDOW=63569 RES=0x00 ACK URGP=0
Sep 4 03:02:53 nikonet kernel: IN=eth0 OUT=eth0 SRC=10.0.0.252 DST=195.22.198.37 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=51011 DF PROTO=TCP SPT=3555 DPT=80 WINDOW=64240 RES=0x00 ACK FIN URGP=0
Sep 4 03:02:53 nikonet kernel: IN=eth0 OUT=eth0 SRC=10.0.0.252 DST=195.22.198.37 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=51012 DF PROTO=TCP SPT=3555 DPT=80 WINDOW=64240 RES=0x00 ACK URGP=0
Sep 4 03:03:08 nikonet kernel: IN=eth0 OUT=eth0 SRC=10.0.0.252 DST=216.10.124.145 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=51029 DF PROTO=TCP SPT=3572 DPT=80 WINDOW=63562 RES=0x00 ACK FIN URGP=0


The question is;

Should the mikrotik box have changed its gateway to 10.0.0.254 after it got the icmp redirect message or something, or should I read more docs about this :)

p.s. I've seen a winxp machine changing its gateway (it wasn't confed as a router)
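A way to check this kind of log mechanically, as an added example that is not part of the original post: it parses netfilter LOG lines in the format shown above, records each ICMP redirect (TYPE=5) with the gateway it advised, and lists later packets that the redirected sender still hairpinned through the same box for the same destination. The names `SAMPLE_LOG`, `parse` and `audit` are hypothetical, and the log lines are constructed, reusing addresses from the thread.

```python
import re

# Constructed sample in the netfilter LOG format shown in the post
# (addresses reused from the thread; hostname, timestamps and lengths are made up).
SAMPLE_LOG = """\
Sep 4 02:48:01 gw kernel: IN= OUT=eth0 SRC=10.0.0.253 DST=10.0.0.252 LEN=68 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=10.0.0.254 [SRC=10.0.0.252 DST=193.203.227.129 LEN=40 PROTO=TCP SPT=3520 DPT=80 ]
Sep 4 02:48:02 gw kernel: IN=eth0 OUT=eth0 SRC=10.0.0.252 DST=193.203.227.129 LEN=40 PROTO=TCP SPT=3520 DPT=80
Sep 4 02:48:03 gw kernel: IN=eth0 OUT=eth1 SRC=10.0.0.7 DST=193.203.227.129 LEN=40 PROTO=TCP SPT=4000 DPT=80
Sep 4 02:48:09 gw kernel: IN=eth0 OUT=eth0 SRC=10.0.0.252 DST=195.22.198.37 LEN=40 PROTO=TCP SPT=3552 DPT=80
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Split a LOG line into outer-packet fields and the quoted inner packet."""
    outer, _, inner = line.partition("[")
    return dict(FIELD.findall(outer)), dict(FIELD.findall(inner))


def audit(log_text):
    """Return (redirects, ignored).

    redirects: {(sender, destination): advised_gateway} for each TYPE=5 seen.
    ignored:   (sender, destination) pairs still forwarded in and out of the
               same interface after a redirect for that exact pair was sent.
    """
    redirects, ignored = {}, []
    for line in log_text.splitlines():
        outer, inner = parse(line)
        if outer.get("PROTO") == "ICMP" and outer.get("TYPE") == "5":
            # Outer DST is the host being redirected; inner DST is the
            # destination the redirect applies to (CODE=1 is a host redirect).
            redirects[(outer["DST"], inner.get("DST"))] = outer["GATEWAY"]
        elif outer.get("IN") and outer.get("IN") == outer.get("OUT"):
            # Same interface in and out: the hairpin that triggers a redirect.
            key = (outer["SRC"], outer["DST"])
            if key in redirects:
                ignored.append(key)
    return redirects, ignored


if __name__ == "__main__":
    sent, still_hairpinned = audit(SAMPLE_LOG)
    print("redirects sent:", sent)
    print("ignored by sender:", still_hairpinned)
```

The packet to 195.22.198.37 is not counted as ignored, because a redirect only covers the destination it was issued for.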

mikrotik admins

So I tested it with winxp (as a host) and it works, the routes are changing;

64.4.12.200 255.255.255.255 172.16.0.1 172.16.0.20 1
64.4.12.201 255.255.255.255 172.16.0.1 172.16.0.20 1
64.158.223.144 255.255.255.255 172.16.0.1 172.16.0.20 1
65.54.140.158 255.255.255.255 172.16.0.1 172.16.0.20 1
65.54.179.192 255.255.255.255 172.16.0.1 172.16.0.20 1
65.54.239.80 255.255.255.255 172.16.0.1 172.16.0.20 1
65.54.239.84 255.255.255.255 172.16.0.1 172.16.0.20 1
66.218.75.230 255.255.255.255 172.16.0.1 172.16.0.20 1
68.142.213.132 255.255.255.255 172.16.0.1 172.16.0.20 1
80.75.64.55 255.255.255.255 172.16.0.1 172.16.0.20 1
80.168.100.101 255.255.255.255 172.16.0.1 172.16.0.20 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.255.0 172.16.0.20 172.16.0.20 2
172.16.0.20 255.255.255.255 127.0.0.1 127.0.0.1 2
172.16.255.255 255.255.255.255 172.16.0.20 172.16.0.20 2
94.109.152.234 255.255.255.255 172.16.0.1 172.16.0.20 1
94.109.152.238 255.255.255.255 172.16.0.1 172.16.0.20 1
94.130.106.132 255.255.255.255 172.16.0.1 172.16.0.20 1
195.22.198.71 255.255.255.255 172.16.0.1 172.16.0.20 1
195.22.198.96 255.255.255.255 172.16.0.1 172.16.0.20 1
05.188.244.138 255.255.255.255 172.16.0.1 172.16.0.20 1
207.46.2.69 255.255.255.255 172.16.0.1 172.16.0.20 1
207.46.6.178 255.255.255.255 172.16.0.1 172.16.0.20 1
207.46.6.191 255.255.255.255 172.16.0.1 172.16.0.20 1
212.158.8.164 255.255.255.255 172.16.0.1 172.16.0.20 1
213.200.97.134 255.255.255.255 172.16.0.1 172.16.0.20 1
213.200.97.199 255.255.255.255 172.16.0.1 172.16.0.20 1

A host should change its gateway but I don’t think a router should.
I don’t remember what the RFCs say about this.

I also think that it should not change the gateway but it should change the gateway for a particular destination address for which it received the redirect message. I know that in Cisco you can enable/disable this feature on a per-interface basis!

Anyway I'll look at the RFCs and learn more.

RFC 1812, Requirements for IP Version 4 Routers, says something like this;

4.3.3.2 Redirect

The ICMP Redirect message is generated to inform a local host that it
should use a different next hop router for certain traffic.

Contrary to [INTRO:2], a router MAY ignore ICMP Redirects when
choosing a path for a packet originated by the router if the router
is running a routing protocol or if forwarding is enabled on the
router and on the interface over which the packet is being sent.

No doubt…

I guess MT isn't RFC compliant at some things :(, anyway otherwise rocks.