ICMP redirects not being generated

Hi -

My openwrt device doesn't seem to generate ICMP redirects in cases where a router for another network exists on the same - directly attached - subnet (the lan subnet) from which the packet originates.

I would prefer in this case not to try and push out the route via DHCP (because I can't guarantee that every device will pick it up) or via implementing dynamic routing on the hosts (similar reason).

I have taken a look at the /proc/sys/net/conf/*/send_redirects and everything seems good - similarly there appears to be nothing in terms of firewall rules that should prevent it being sent out. So it seems all the criteria for ICMP redirects being sent are being met:

  1. The outgoing and incoming interface of the packet must be the same.
  2. The IP source address in the packet is on the same logical IP network as the next-hop IP address.
  3. The route used for the outgoing packet must not be an ICMP redirect or a default route.
  4. The packet does not contain an IP source route option.
  5. The gateway must be configured to send redirects.

And, I'd probably add, "has a good reason to send a redirect". If your OpenWrt device has a valid route for the packet that isn't via the same interface on which the packet was received, without some other kind of configuration how would it know that "Router 2" is "preferred" for that packet and to send a redirect?

Looking at, for example, https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13714-43.html, the router receiving the packet (R1) has the other router on the same interface/subnet (R2) as the route for the packet. At least from your description, I'm not sure that your situation is equivalent.

For example, the two routers R1 and R2 are connected to the same Ethernet segment as Host H. The default gateway for Host H is configured to use router R1. Host H sends a packet to router R1 to reach the destination on Remote Branch office Host 10.1.1.1. Router R1, after it consults its routing table, finds that the next-hop to reach Host 10.1.1.1 is router R2. Now router R1 must forward the packet out the same Ethernet interface on which it was received. Router R1 forwards the packet to router R2 and also sends an ICMP redirect message to Host H. This informs the host that the best route to reach Host 10.1.1.1 is by way of router R2. Host H then forwards all the subsequent packets destined for Host 10.1.1.1 to router R2.

My situation is equivalent, the network topology is the same [except in my scenario the remote branch hosts are all wireless hosts sitting off the router analogous to R2].

  • Why not just add a static route on the router and enable forwarding in that Firewall Zone?
  • Why would the routes be "dynamic"?

Did you give 2 VLANs the same network address?

  • Are you sure?
  • Have you verified this with a network scanner?
  • How do you get the clients to actually use that ICMP Redirect?

A very common mistake when people attempt to use redirects...is that the IP being redirected is on the same subnet, and also the destination network of the redirect. This implies it's also the SRC.

I did enter a static route on the router (R1 in that diagram from the cisco site), however, that means the traffic from the host to IPs sitting behind R2 is being hairpinned through R1 (in and out via the same interface). For whatever reason R1 isn't sending out ICMP redirects, so the hosts never learn how to reach things behind R2 directly via R2.

It's two separate subnets rather than 2 VLANS, a main subnet which is connected to one openwrt device and hence to the internet, and then a secondary subnet with a second openwrt device routing between the two.

I'm verifying this with tcpdump running on the openwrt device. No ICMP redirects are being sent out. I'm setting up the clients to use the ICMP redirect by turning on allow_redirects and secure_redirects as well as ensuring the local firewalls on those clients allow ICMP packets with type 5 through.


Can you provide the results of:

cat /proc/sys/net/ipv4/conf/all/accept_redirects

and

cat /proc/sys/net/ipv4/conf/all/send_redirects

Or just briefly explain how you enabled it...in /etc/sysctl.conf?

Given point 3, do you still have a static route?

On the hosts the first is set to 1 (as is secure_redirects) for the conf file for the specified interface (the value of that is ORed together with the value on the 'all' conf file).

On the router send_redirects is set to 1 in all conf files.

There's a static route on R1 for the network behind R2 with R2 as the gateway. I don't think there's a contradiction there - the default route on R1 is the WAN link (my ISP).

Just making sure that you kept the static route, as it's necessary for a redirect.

I just want to be clear, you added:
net.ipv4.conf.all.send_redirects=1

to:
/etc/sysctl.conf

and rebooted...correct?

The openwrt router comes up after booting with /proc/sys/net/ipv4/conf/*/send_redirects set to 1 where * is every interface. /proc/sys/net/ipv4/conf/all/send_redirects is set to 0 but sending redirects will occur as long as one of net.ipv4.conf.all.send_redirects or net.ipv4.conf.<interface>.send_redirects is enabled.
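As an added example (not code from this thread or from OpenWrt), the following Python script resolves the effective per-interface redirect settings the way the Linux kernel combines conf/all with conf/<interface>: send_redirects and secure_redirects are ORed, while accept_redirects is ANDed when forwarding is enabled on the interface and ORed when it is not. This is the combination rule mentioned for both the router and the hosts above. The script reads /proc/sys/net/ipv4/conf when run on a Linux box and otherwise falls back to a constructed sample tree; the sample values are assumptions for illustration only.

```python
import os

# Added example, not from the thread or OpenWrt. Resolves the effective ICMP
# redirect settings per interface the way the Linux kernel combines
# conf/all and conf/<interface> (see the ip-sysctl documentation):
#   send_redirects   -> enabled if all OR iface is 1
#   secure_redirects -> enabled if all OR iface is 1
#   accept_redirects -> if forwarding is on for the iface: all AND iface
#                       if forwarding is off:              all OR iface
SYSCTL_ROOT = "/proc/sys/net/ipv4/conf"
KEYS = ("send_redirects", "accept_redirects", "secure_redirects", "forwarding")

# Constructed sample tree (assumed values, used when /proc is unavailable).
# Mirrors the router described above: conf/all/send_redirects is 0 while the
# LAN bridge has it set to 1, so the kernel still sends redirects on br-lan.
SAMPLE_TREE = {
    "all":    {"send_redirects": 0, "accept_redirects": 1, "secure_redirects": 1, "forwarding": 1},
    "br-lan": {"send_redirects": 1, "accept_redirects": 0, "secure_redirects": 1, "forwarding": 1},
    "eth0":   {"send_redirects": 0, "accept_redirects": 1, "secure_redirects": 0, "forwarding": 0},
}


def read_sysctl_tree(root=SYSCTL_ROOT):
    """Read the four knobs for every directory under /proc/sys/net/ipv4/conf."""
    tree = {}
    for iface in sorted(os.listdir(root)):
        values = {}
        for key in KEYS:
            try:
                with open(os.path.join(root, iface, key)) as fh:
                    values[key] = int(fh.read().strip())
            except (OSError, ValueError):
                values[key] = 0  # unreadable knob: treat as disabled
        tree[iface] = values
    return tree


def effective_settings(tree):
    """Return {iface: {knob: bool}} with the kernel's all/iface combination rules applied."""
    all_conf = tree.get("all", {k: 0 for k in KEYS})
    effective = {}
    for iface, conf in tree.items():
        if iface in ("all", "default"):
            continue  # pseudo-entries, not real interfaces
        send = bool(all_conf["send_redirects"] or conf["send_redirects"])
        secure = bool(all_conf["secure_redirects"] or conf["secure_redirects"])
        if conf["forwarding"]:
            accept = bool(all_conf["accept_redirects"] and conf["accept_redirects"])
        else:
            accept = bool(all_conf["accept_redirects"] or conf["accept_redirects"])
        effective[iface] = {
            "send_redirects": send,
            "accept_redirects": accept,
            "secure_redirects": secure,
        }
    return effective


def main():
    tree = read_sysctl_tree() if os.path.isdir(SYSCTL_ROOT) else SAMPLE_TREE
    for iface, knobs in effective_settings(tree).items():
        flags = " ".join(f"{k}={int(v)}" for k, v in knobs.items())
        print(f"{iface:12s} {flags}")


if __name__ == "__main__":
    main()
```

Run it on both the router and a client: a line showing send_redirects=0 for the LAN interface on the router, or accept_redirects=0 on the client's interface, points at the configuration rather than at packet generation. Note that on a host with forwarding enabled, accept_redirects needs both conf/all and the interface entry set, which is easy to miss when only the interface file was changed.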


OK...what version of OpenWrt are you running, perhaps it's a bug?

I've done the following:

  • Created an arbitrary route : ip route add 192.168.aaa.aaa/32 dev br-lan via 192.168.1.x src 192.168.1.1
  • Set forwarding on Firewall Zone LAN to ACCEPT
  • From client 192.168.1.z, I ran sudo tcpdump icmp
  • I pinged 192.168.aaa.aaa

19:30:32.337599 IP 192.168.1.1 > 192.168.1.z: ICMP redirect 192.168.aaa.aaa to host 192.168.1.x, length 92

It works on 18.06.1.
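An added example, not from the thread: a Python parser for "tcpdump -n icmp" output that picks out ICMP redirect (type 5) lines like the one above and applies the plausibility checks a host-side defender would want before trusting a redirect (the sender must be the gateway currently in use for that destination, the advertised gateway must be on-link, and the redirected destination must not already be on the local subnet, which is the common mistake noted earlier in the thread). The sample lines and addresses are constructed, and the checks approximate rather than reproduce the kernel's own validation.

```python
import ipaddress
import re

# Added example, not from the thread. Parses "tcpdump -n icmp" output for ICMP
# redirect (type 5) lines and applies host-side plausibility checks before a
# redirect would be trusted. Sample lines and addresses are constructed.
SAMPLE_LINES = [
    # shaped like the redirect line posted above, with concrete addresses
    "19:30:32.337599 IP 192.168.1.1 > 192.168.1.50: ICMP redirect 192.168.200.10 to host 192.168.1.20, length 92",
    "19:30:33.101200 IP 192.168.1.1 > 192.168.1.50: ICMP echo reply, id 1234, seq 1, length 64",
    # redirect from a non-gateway, pointing at an off-link gateway, for an on-link target
    "19:30:34.500000 IP 192.168.1.77 > 192.168.1.50: ICMP redirect 192.168.1.60 to host 10.9.9.9, length 92",
]

REDIRECT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sender>[\d.]+) > (?P<receiver>[\d.]+): "
    r"ICMP redirect (?P<target>[\d.]+) to (?:host|net) (?P<new_gw>[\d.]+), length (?P<length>\d+)$"
)


def parse_redirect(line):
    """Return the fields of a tcpdump ICMP redirect line, or None for any other line."""
    m = REDIRECT_RE.match(line.strip())
    return m.groupdict() if m else None


def check_redirect(rec, iface_net, current_gw):
    """Return the reasons a host should distrust this redirect; an empty list means plausible.

    iface_net is the receiving interface's subnet (e.g. "192.168.1.0/24") and
    current_gw the gateway the host currently uses for rec["target"].
    """
    net = ipaddress.ip_network(iface_net, strict=False)
    problems = []
    if ipaddress.ip_address(rec["sender"]) != ipaddress.ip_address(current_gw):
        problems.append("sender is not the gateway currently used for the destination")
    if ipaddress.ip_address(rec["new_gw"]) not in net:
        problems.append("advertised gateway is not on-link")
    if ipaddress.ip_address(rec["target"]) in net:
        problems.append("redirected destination is already on the local subnet")
    return problems


def audit(lines, iface_net, current_gw):
    """Parse every line and pair each redirect with its list of problems."""
    results = []
    for line in lines:
        rec = parse_redirect(line)
        if rec:
            results.append((rec, check_redirect(rec, iface_net, current_gw)))
    return results


if __name__ == "__main__":
    for rec, problems in audit(SAMPLE_LINES, "192.168.1.0/24", "192.168.1.1"):
        verdict = "plausible" if not problems else "; ".join(problems)
        print(f"{rec['ts']} {rec['target']} via {rec['new_gw']} from {rec['sender']}: {verdict}")
```

To use it on a live capture, feed audit() the lines from "tcpdump -n -l icmp" on the client and pass the client's subnet and its current gateway for the destination being tested; a redirect that never appears in the parsed output confirms the router is not generating one, while a redirect that appears with problems explains why a host with secure_redirects enabled would ignore it.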

I'm running 18.06.1. Ran those steps. I don't see an ICMP redirect at either end (running tcpdump icmp on both the client and the router), so I presume it's not being generated at the router.