ZeroByte
Forum Guru
Topic Author
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Possible ICMP redirect bug / change in behavior?

Thu Sep 20, 2018 6:55 pm

We've been upgrading some 2011 routers from pre-6.41 versions to the latest 6.43 and 6.43.1 and 6.43.2, and have noticed a change in the behavior with ICMP redirects.

We've got a multi-IP-range segment on an interface with two ranges, e.g. 192.168.0.1/22 and 10.10.10.65/28.
Starting with apparently version 6.43.0, we've been seeing ICMP redirects whenever devices in these two subnets wish to communicate with each other. Previously, there was no ICMP redirect being sent by the Mikrotik router. This has caused the devices to fail in communicating with each other. The current workaround for us is to disable ICMP redirects, but we'd like to know:

Is anyone else having this issue?
Is this a bug or a feature?
 
ZeroByte
Forum Guru
Topic Author
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Possible ICMP redirect bug / change in behavior?

Thu Sep 20, 2018 7:54 pm

Update - apparently, disabling ICMP redirects does NOT stop the Mikrotik from sending redirects. Does the system require a reboot for this change to take effect?

So using the previous example IP addressing, whenever host 10.10.10.66 sends a packet to host 192.168.0.33, the Mikrotik router sends an ICMP redirect (confirmed with tcpdump on the device 10.10.10.66) instructing the device that the target IP address is local, so the device then tries to ARP for 192.168.0.33 from 10.10.10.66 - which fails, of course.

The devices are in the same broadcast domain.

We've only recently run into this issue, but I just had it reported to me by one of my techs at a site with a CCR1009 running 6.37.1 - so this issue may not be version related. However, I find it odd that this hasn't affected us earlier, with hundreds of these types of installations.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Possible ICMP redirect bug / change in behavior?

Thu Sep 20, 2018 9:05 pm

You disabled "send redirects" in IP->Settings and it is still sending redirects? That sounds like a bug to me. I would expect the change to take effect immediately.

If you disabled "accept redirects" in IP->Settings it will probably still send redirects.
 
ZeroByte
Forum Guru
Topic Author
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Possible ICMP redirect bug / change in behavior?

Thu Sep 20, 2018 9:20 pm

Yup - that's what I disabled. Still getting them.

I'm suspecting that our recent problem is a combination of things, because we've never had to disable this to fix stuff until very recently. The 10.10.10.x host is a Ubiquiti cloud key, and they definitely go through their strange behaviors with different revs - the cloud key was recently updated to the latest firmware and that's when this started happening at several of our properties. I'm betting that the previous cloudkey was simply ignoring the redirects when they didn't refer to an address that it considered local.

My most recent workaround was to just block ICMP redirects in the output chain of the firewall filter.
 
Shefartech
newbie
Posts: 29
Joined: Sat Oct 20, 2018 9:21 am

Re: Possible ICMP redirect bug / change in behavior?

Fri Aug 16, 2019 4:54 pm

My apologies for using this as a round-about way of sending you a message.
Your solution for connecting two Mikrotik routers worked like a dream, exactly what I was seeking. A God sent solution!
I have some 10 wireless APs connected to Router 2 via a POE switch and they have internet access via Router 1.
I created a NAT rule on Router 1 and am able to access Router 2 via the internet. I would like to access the wireless APs also from the internet outside the network.
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Possible ICMP redirect bug / change in behavior?

Tue Mar 23, 2021 12:13 am

ZeroByte wrote: Yup - that's what I disabled. Still getting them.

If I check what Cisco does, the redirect would not be sent, even with redirect enabled.

https://www.cisco.com/c/en/us/support/d ... 14-43.html

When Are ICMP Redirects Sent?
Cisco routers send ICMP redirects when all of these conditions are met:

The interface on which the packet comes into the router is the same interface on which the packet gets routed out.

The subnet or network of the source IP address is on the same subnet or network of the next-hop IP address of the routed packet.

The datagram is not source-routed.

The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects. The interface subcommand no ip redirects can be used to disable ICMP redirects.)

Note: ICMP redirects are disabled by default if Hot Standby Router Protocol (HSRP) is configured on the interface. In Cisco IOS Software Release 12.1(3)T and later, ICMP Redirect is allowed to be enabled on interfaces configured with HSRP. For more information, refer to HSRP Support for ICMP Redirects section of Hot Standby Router Protocol Features and Functionality.

For example, if a router has two IP addresses on one of its interfaces:

    interface ethernet 0
     ip address 171.68.179.1 255.255.255.0
     ip address 171.68.254.1 255.255.255.0 secondary

If the router receives a packet that is sourced from a host in the subnet 171.68.179.0 and destined to a host in the subnet 171.68.254.0, the router does not send an ICMP redirect because only the first condition is met, not the second.

The original packet for which the router sends a redirect still gets routed to the correct destination.
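
The four conditions from the Cisco note quoted above, evaluated against this thread's addressing, as an added example that is not part of any post and is not MikroTik or Cisco code. The interface names and the 192.168.0.254 default gateway are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_interface

# Constructed topologies: one interface carrying two ranges, as in the thread
# and in the quoted Cisco example. Interface names are assumptions.
THREAD = {"ether1": ["192.168.0.1/22", "10.10.10.65/28"]}
CISCO = {"ethernet0": ["171.68.179.1/24", "171.68.254.1/24"]}
ROUTES = {"0.0.0.0/0": "192.168.0.254"}  # assumed default route, not from the thread


def connected_net(addresses, ip):
    """Return (network, iface) of the longest connected prefix containing ip, or None."""
    ip = ip_address(ip)
    hits = [(ip_interface(a).network, iface)
            for iface, addrs in addresses.items() for a in addrs
            if ip in ip_interface(a).network]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def next_hop(addresses, routes, dst):
    """Return (out_iface, next_hop); a directly connected dst is its own next hop."""
    hit = connected_net(addresses, dst)
    if hit:
        return hit[1], ip_address(dst)
    via = [(ip_interface(p).network, g) for p, g in routes.items()
           if ip_address(dst) in ip_interface(p).network]
    if not via:
        return None, None
    gw = max(via, key=lambda r: r[0].prefixlen)[1]
    gw_net = connected_net(addresses, gw)
    return (gw_net[1] if gw_net else None), ip_address(gw)


def should_send_redirect(addresses, src, dst, in_iface, routes=None,
                         source_routed=False, redirects_enabled=True):
    """Evaluate the four conditions listed in the quoted Cisco document."""
    out_iface, hop = next_hop(addresses, routes or {}, dst)
    src_net = connected_net(addresses, src)
    if hop is None or out_iface is None or src_net is None:
        return False
    return (in_iface == out_iface          # 1. packet leaves by the interface it arrived on
            and hop in src_net[0]          # 2. next hop is in the source's own subnet
            and not source_routed          # 3. datagram is not source-routed
            and redirects_enabled)         # 4. router is configured to send redirects
```

Under these conditions a packet from 10.10.10.66 to 192.168.0.33 fails the second test, so no redirect would be expected; a host in 192.168.0.0/22 sending off-net traffic through the router when a better gateway sits in its own subnet is the case that does qualify.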
 
whiskerroutes
just joined
Posts: 2
Joined: Tue Jun 27, 2023 5:27 am

Re: Possible ICMP redirect bug / change in behavior?

Tue Jun 27, 2023 5:45 am

I also ran into this on an RB5009UPr+S+ running 7.10. Adding a firewall rule to the output chain dropping ICMP redirects as mentioned above does work around the issue for me. (The rule stats also make it clear that changing IP > Settings > Send Redirects doesn't make a difference.)
 
blacksnow
Frequent Visitor
Posts: 50
Joined: Wed Feb 15, 2023 4:46 pm

Re: Possible ICMP redirect bug / change in behavior?

Tue Jun 27, 2023 9:55 am

I think this must be the same situation I am seeing with WireGuard and it makes sense that it isn't limited to WireGuard but rather anything that requires an ICMP response. Also can confirm that disabling the "send redirects" does nothing in my case.

viewtopic.php?p=1009579#p1009579
