dpalumbo
just joined
Topic Author
Posts: 1
Joined: Tue Nov 15, 2022 1:33 pm

ICMP redirect of ICMP works, of TCP does not (always)

Tue Nov 15, 2022 2:35 pm

Hi,

I have the following environment in different "places":
Internet <- Mikrotik+OSPF <- LAN <- linux router+OSPF (in LAN) <- VPN (OpenVPN, tap + OSPF)

The servers in the LAN do have the Mikrotik as default gateway.

As a sample,
VPN host: 172.17.16.1
Mikrotik 172.16.8.240
Linux router (sato) 172.16.8.7
Linux generic box (sarin) 172.16.8.14

When I try to connect from a host in the VPN, I'm not able to reach the Linux generic box (sarin, 172.16.8.14).
But if I *ping* the Linux generic box, this is working.
Just after the ping, the proper record pops up in the Linux routing table (cache):
# ip route show cache
172.17.16.1 via 172.16.8.7 dev eth0
cache <redirected> expires 298sec

I was testing the 6.47.8 and 6.49.7 versions of Mikrotik.
I've not seen any changelog line related to ICMP redirect, or to redirects which are not for HTTP(S) and similar protocols.

I've made a tcpdump and the following can be observed:
- when I make a TCP connection *without* having the routing cache, I see a 108-byte ICMP redirect from the Mikrotik to the Linux generic box
- still, the Linux generic box ignores it (the cache is not populated)
- when I make a UDP connection *without* having the routing cache, I see a 132-byte ICMP redirect from the Mikrotik to the Linux generic box
- the Linux generic box immediately populates the entry in the routing cache
- when I make a UDP connection *with* the routing cache (e.g., because I pinged the host) the connection works (clearly, the local routing table overrides the generic one as intended)

I've not asked the Linux kernel/networking team, but with pfSense this setup is working (at least from memory) without any issue.
Unfortunately, I no longer have the pfSense setup to test.
Also, i wish to come back with more meaningful information to them, eventually.

Seems to me that the problem can be related to the *kind*/*content* of ICMP redirect.
As mentioned, the 108 bytes sent for a TCP redirect are ignored, the 132 bytes ICMP redirect are accepted.

I'm attaching the tcpdump output.

Any help is welcome.

Thanks,
Daniel (he/him)
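The comparison the post is trying to make (what the two kinds of redirect carry), as an added example that is not part of the original post: a small Python dissector that parses an ICMP redirect (type 5), verifies its checksum and reports how much of the original datagram the router quoted after the 8-byte ICMP header. The addresses are the ones from the post; the packets themselves are constructed here, so their sizes do not reproduce the 108/132-byte captures.

```python
import ipaddress
import struct

def _checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum; odd-length buffers are zero-padded
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte IPv4 header with a valid header checksum (constructed sample data)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]

def build_redirect(router: str, host: str, gateway: str, quoted: bytes) -> bytes:
    # ICMP host redirect (type 5, code 1) from router to host, quoting the original datagram
    body = struct.pack("!BBH4s", 5, 1, 0, ipaddress.IPv4Address(gateway).packed) + quoted
    body = body[:2] + struct.pack("!H", _checksum(body)) + body[4:]
    return ipv4_header(router, host, 1, len(body)) + body

def parse_icmp_redirect(packet: bytes) -> dict:
    # Dissect an IPv4/ICMP redirect and report what the quoted original datagram contains
    icmp = packet[(packet[0] & 0x0F) * 4:]
    itype, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if packet[9] != 1 or itype != 5:
        raise ValueError("not an ICMP redirect")
    if _checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    quoted = icmp[8:]                              # original IP header + leading transport bytes
    q_proto = quoted[9]
    transport = quoted[(quoted[0] & 0x0F) * 4:]
    ports = struct.unpack("!HH", transport[:4]) if len(transport) >= 4 else (None, None)
    return {
        "code": code,
        "gateway": str(ipaddress.IPv4Address(gw)),
        "quoted_bytes": len(quoted),
        "quoted_protocol": {1: "icmp", 6: "tcp", 17: "udp"}.get(q_proto, str(q_proto)),
        "quoted_flow": (str(ipaddress.IPv4Address(quoted[12:16])), ports[0],
                        str(ipaddress.IPv4Address(quoted[16:20])), ports[1]),
        # a full TCP header is 20 bytes, UDP 8; RFC 792 only requires 8 bytes to be quoted
        "full_transport_header_quoted": len(transport) >= {6: 20, 17: 8}.get(q_proto, 8),
    }

# Constructed sample (addresses from the post): 172.16.8.14 opens TCP to 172.17.16.1 via the MikroTik 172.16.8.240, which redirects to 172.16.8.7
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)
ORIGINAL = ipv4_header("172.16.8.14", "172.17.16.1", 6, len(TCP_HDR)) + TCP_HDR
SHORT_QUOTE = build_redirect("172.16.8.240", "172.16.8.14", "172.16.8.7", ORIGINAL[:28])
FULL_QUOTE = build_redirect("172.16.8.240", "172.16.8.14", "172.16.8.7", ORIGINAL)
```

Feeding the ICMP payloads from a real capture of the two redirects into parse_icmp_redirect shows directly whether they differ in code, gateway or in how much of the original datagram is quoted.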
