dfdf
newbie
Topic Author
Posts: 36
Joined: Wed Dec 08, 2021 3:51 pm

ICMP Redirect + IPSec (ROS 6.49.7 and 7.8) - is it a bug or a feature?

Tue Mar 28, 2023 7:49 pm

Hello friends!

My 5 cents on an old problem regarding ICMP redirects and MikroTik devices.
Consider the scheme in the 1st picture. By default MikroTik has 'Send ICMP redirects' enabled (and this is OK for routers).

I have an IPSec tunnel between two offices and a web camera (*nix device) on the remote side (office 2).
The MikroTik router does NOT have any complicated routing table, just one plain route to the provider's default gateway.
The WAN interface has a public ('white') static IP.

Some day after upgrading to ROS 6.48-9.x (don't remember exactly when it started) I noticed VERY strange behaviour:
1. Only ONE ping packet can be sent to the *nix device from a workstation located at office 1.
2. After this packet has passed, I have to reboot the camera to allow (again) only 1 packet to pass.
3. The *nix device is still accessible from the office 2 LAN (same subnet).
4. The *nix device is entirely INaccessible from any other subnet.

Googling and wiresharking brought me to an understanding of what's going on:
after 1 successful ping, MikroTik 'thinks' (WHY?) that there's a 'better' route for the host (*nix device) and sends it an ICMP redirect packet with the gateway field filled with (!!!) the source (workstation) IP address!
Why tunneled packets 'provoke' such behavior is a mystery to me.

Another mystery is why the *nix device accepts such a strange redirect.
To be honest, there is more than one type of *nix device in office 2, with different *nix flavors, and all behave in the same way, except a few IP cameras with the latest firmware.
There are a total of about 15 cameras of the same brand (Hikvision): 10 with older (2021) firmware accept redirects and 5 with the latest firmware (2022) ignore redirects.
All cameras use *nix flavors. Plus 2 recorders with Ubuntu onboard (accepting redirects).
Windows hosts of different versions (Windows 2003 Server, Windows 7, Windows 10) all ignore redirects.

Workarounds:
For ROS 6.49.7:
disabling ICMP redirects doesn't work for me even after a reboot, so I have to do this (it can also be done in ROS 7):
/ip firewall raw
add action="drop" chain="output" comment="block ICMP redirect" icmp-options="5:0-255" out-interface="bridge.lan" protocol="icmp"
For ROS 7.8:
Disabling ICMP redirects works, but ONLY AFTER REBOOT!

If you can't disable ICMP redirects for some reason, then you can try setting on each *nix client (and REBOOT it):
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Attachment: ICMPRedirectTrouble.jpg
Last edited by dfdf on Tue Apr 04, 2023 12:34 pm, edited 2 times in total.
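To make the symptom described above concrete, here is an added example (not from this thread, and not MikroTik's or the poster's code) that parses an ICMP redirect (type 5) and applies the sanity check a receiving host should make before honoring it: the advertised gateway must lie on the host's own subnet. It also flags the exact symptom reported here, a gateway that is simply the remote peer of the quoted packet. The camera (172.20.201.50), the MikroTik LAN address (172.20.201.1) and the workstation (172.16.1.10) are constructed addresses; only the 172.20.201.0/24 subnet comes from the thread.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

ICMP_REDIRECT = 5          # ICMP type 5; code 1 = redirect for host

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left 0: used only to build samples)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def build_redirect(router, host, gateway, inner_src, inner_dst):
    """Constructed sample: redirect from router to host, quoting the IP header and
    first 8 bytes of the packet (inner_src -> inner_dst) that triggered it."""
    quoted = ipv4_header(inner_src, inner_dst, 1, 8) + bytes(8)
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, IPv4Address(gateway).packed) + quoted
    return ipv4_header(router, host, 1, len(icmp)) + icmp

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20]), pkt[9], pkt[ihl:]

def check_redirect(pkt, host_subnet):
    """None if pkt is not an ICMP redirect; otherwise its fields plus two checks."""
    src, dst, proto, l4 = parse_ipv4(pkt)
    if proto != 1 or len(l4) < 28 or l4[0] != ICMP_REDIRECT:
        return None
    gateway = IPv4Address(l4[4:8])
    inner_src, inner_dst, _, _ = parse_ipv4(l4[8:])
    return {
        "router": str(src), "host": str(dst), "code": l4[1], "gateway": str(gateway),
        "inner_src": str(inner_src), "inner_dst": str(inner_dst),
        # a legitimate next hop is a router on the receiving host's own link
        "gateway_on_link": gateway in IPv4Network(host_subnet),
        # the symptom in the thread: gateway == remote peer of the quoted packet
        "gateway_is_inner_dst": gateway == inner_dst,
    }

def should_accept(pkt, host_subnet):
    """What a cautious host (or a firewall in front of it) would decide."""
    r = check_redirect(pkt, host_subnet)
    return r is not None and r["gateway_on_link"]

if __name__ == "__main__":
    # camera's echo reply (172.20.201.50 -> 172.16.1.10) answered by a redirect
    # that names the workstation itself as the gateway (constructed sample)
    bad = build_redirect("172.20.201.1", "172.20.201.50", "172.16.1.10",
                         "172.20.201.50", "172.16.1.10")
    print(check_redirect(bad, "172.20.201.0/24"), should_accept(bad, "172.20.201.0/24"))
```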
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: ICMP Redirect + IPSec (ROS 6.49.7 and 7.8) - is it a bug or a feature?

Wed Mar 29, 2023 6:57 pm

Looks like you have some subnet mask issues. That 172.16.0.0/12 looks suspicious. Check all your routes and IP addresses.
 
dfdf
newbie
Topic Author
Posts: 36
Joined: Wed Dec 08, 2021 3:51 pm

Re: ICMP Redirect + IPSec (ROS 6.49.7 and 7.8) - is it a bug or a feature?

Sun Apr 02, 2023 8:25 pm

> Looks like you have some subnet mask issues. That 172.16.0.0/12 looks suspicious. Check all your routes and IP addresses.

Nothing suspicious -- I want routing between multiple offices; each office has a 172.16.0.0-172.31.0.0/24 subnet, the DFL-870 is in the central office and routes inter-office traffic, so I tunnel all traffic for 172.16.0.0/12 to the DFL-870, EXCLUDING the local subnet (172.20.201.0/24).
It works as expected; only ICMP redirects have VERY strange behavior.

See https://en.wikipedia.org/wiki/Private_network.
Attachment: Screenshot.jpg
