My five cents on an old problem regarding ICMP redirects and MikroTik devices.
Consider the scheme on the 1st picture. By default MikroTik has 'Send ICMP redirects' enabled (and this is fine for routers).
I have an IPsec tunnel between two offices and a web camera (*nix device) on the remote side (office 2).
The MikroTik router does NOT have any complicated routing table, just one plain route to the provider's default gateway.
The WAN interface has a white (public) static IP.
Some day after upgrading to ROS 6.48-9.x (I don't remember exactly when it started) I noticed a VERY strange behaviour:
1. Only ONE ping packet gets through to the *nix device from a workstation located at office 1.
2. After that packet has passed, I have to reboot the camera to let (again) only one packet through.
3. The *nix device is still accessible from the office 2 LAN (same subnet).
4. The *nix device is entirely INaccessible from any other subnet.
Googling and wireshark'ing brought me to an understanding of what's going on:
after 1 successful ping the MikroTik 'thinks' (WHY?) that there's a 'better' route to the host (*nix device) and sends it an ICMP redirect packet with the gateway field filled with (!!!) the source (workstation) IP address!
Why tunneled packets 'provoke' such behaviour is a mystery to me.
Another mystery is why the *nix device accepts such a strange redirect.
To be honest, there is more than one type of *nix device in office 2, with different *nix flavours, and all behave in the same way, except a few IP cameras with the latest firmware.
There are about 15 cameras of the same brand (Hikvision) in total: 10 with older (2021) firmware accept the redirects and 5 with the latest firmware (2022) ignore them.
All cameras run *nix flavours. Plus 2 recorders with Ubuntu onboard (accepting redirects).
Windows hosts of different versions (Windows 2003 Server, Windows 7, Windows 10) all ignore the redirects.
Workarounds:
For ROS 6.49.7:
disabling ICMP redirects doesn't work for me even after a reboot, so I have to do this (this can also be done in ROS 7):
/ip firewall raw
add action="drop" chain="output" comment="block ICMP redirect" icmp-options="5:0-255" out-interface="bridge.lan" protocol="icmp"
Disabling ICMP redirects works, but ONLY AFTER A REBOOT!
If you can't disable ICMP redirects for some reason, then you can try setting this on each *nix client (and REBOOT it):
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
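Added example (not part of the original post): a small parser that reads raw IPv4/ICMP bytes, pulls the fields of an ICMP redirect (type 5, the same type the raw firewall rule above drops), and flags the pattern described in the post: a host redirect delivered to the camera whose gateway field holds the far-end workstation address instead of a router on the camera's own subnet. It is useful for checking a capture from the LAN side before and after applying one of the workarounds. The addresses are constructed from the RFC 5737 documentation ranges, the sample packets are built in memory rather than taken from the poster's network, and the three heuristics in classify_redirect are my own (redirect must come from the host's current gateway, the new gateway must be on-link, and it must not be an endpoint of the flow being redirected); checksums are left at zero and not verified.

```python
"""Parse ICMP redirect packets and flag redirects pointing at an off-link endpoint."""
import struct
import ipaddress

ICMP_PROTO = 1
ICMP_REDIRECT = 5  # same ICMP type as icmp-options="5:0-255" in the raw rule
REDIRECT_CODES = {0: "net", 1: "host", 2: "tos-net", 3: "tos-host"}


def _ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header with a zeroed checksum (constructed test data only).
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def sample_redirect(router, target, gateway, orig_src, orig_dst, code=1):
    # Constructed ICMP redirect as the receiving host would see it: outer IP header,
    # 8-byte ICMP header (type 5, code, checksum, gateway), then the original IP
    # header plus 8 bytes of the datagram that triggered it (an ICMP echo reply here).
    inner = _ipv4_header(orig_src, orig_dst, ICMP_PROTO, 8) + struct.pack("!BBHHH", 0, 0, 0, 1, 1)
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, ipaddress.IPv4Address(gateway).packed) + inner
    return _ipv4_header(router, target, ICMP_PROTO, len(icmp)) + icmp


def parse_redirect(pkt):
    """Return the fields of an ICMP redirect carried in raw IPv4 bytes, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    # Need the outer header, the 8-byte ICMP header and at least the inner IP header.
    if pkt[9] != ICMP_PROTO or len(pkt) < ihl + 8 + 20:
        return None
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_REDIRECT:
        return None
    inner = icmp[8:]
    return {
        "router": ipaddress.IPv4Address(pkt[12:16]),     # who sent the redirect
        "target": ipaddress.IPv4Address(pkt[16:20]),     # host being redirected
        "code": REDIRECT_CODES.get(icmp[1], "unknown"),
        "gateway": ipaddress.IPv4Address(icmp[4:8]),     # proposed next hop
        "inner_src": ipaddress.IPv4Address(inner[12:16]),  # original datagram src
        "inner_dst": ipaddress.IPv4Address(inner[16:20]),  # original datagram dst
    }


def classify_redirect(pkt, local_net, default_gw):
    """Reasons (list of str) a redirect should not be trusted; [] means it looks
    legitimate; None if the bytes are not an ICMP redirect at all.
    local_net and default_gw describe the host that received the packet."""
    r = parse_redirect(pkt)
    if r is None:
        return None
    local_net = ipaddress.IPv4Network(local_net)
    reasons = []
    if r["router"] != ipaddress.IPv4Address(default_gw):
        reasons.append("sender is not the host's current gateway")
    if r["gateway"] not in local_net:
        reasons.append("gateway is off-link for the receiving host")
    if r["gateway"] in (r["inner_src"], r["inner_dst"]):
        reasons.append("gateway is an endpoint of the redirected flow, not a router")
    return reasons


# Constructed topology (assumed addresses, not the poster's):
OFFICE2_LAN = "192.0.2.0/24"
ROUTER = "192.0.2.1"            # MikroTik LAN address in office 2
CAMERA = "192.0.2.20"           # *nix device that accepts the redirect
WORKSTATION = "198.51.100.50"   # office 1 host, reached through the IPsec tunnel

# The anomaly from the post: redirect to the camera naming the workstation as gateway,
# triggered by the camera's echo reply heading back through the tunnel.
SUSPECT = sample_redirect(ROUTER, CAMERA, WORKSTATION, CAMERA, WORKSTATION)
# A normal redirect: a second router on the same LAN is the better hop to some subnet.
NORMAL = sample_redirect(ROUTER, CAMERA, "192.0.2.2", CAMERA, "203.0.113.7")

if __name__ == "__main__":
    for name, pkt in (("suspect", SUSPECT), ("normal", NORMAL)):
        print(name, parse_redirect(pkt)["code"], classify_redirect(pkt, OFFICE2_LAN, ROUTER))
```

To run it over a real capture, feed each IPv4 packet's bytes (with the Ethernet header stripped) to classify_redirect with the camera's subnet and gateway; anything returning a non-empty list is a redirect the host should not have installed, and a hit on the off-link or endpoint reason is the exact symptom the post describes.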