[ILUG] ICMP redirect and routing question
Niall O Broin
niall at linux.ie
Fri Apr 2 09:31:45 IST 2004
I manage an office with a slightly unusual network setup. There is a box with
a leased line connection (hereafter leased) which is configured in the classic
three zone setup. However, because we pay for transfer on the leased line, we
have augmented the system with a smoothwall box (hereafter smooth) connected to
a leased line, and all the office machines now use smooth as default route.
However, the office boxes regularly need access to the boxes in the DMZ, which
they get via leased. There is a route on smooth to leased, but for some reason
boxes which have smooth as default route don't get to the DMZ - I have to set
up a static route on them to the DMZ via leased.
My understanding is that this should be handled by ICMP redirects - when
smooth receives a packet destined for the DMZ, it should see that its route to
there is via leased, which is on the same LAN, and should send an ICMP
redirect with that information back to the originating machine.
As far as I know, I have all the magic bits in /proc set. On smooth I have
/proc/sys/net/ipv4/conf/all/forwarding
/proc/sys/net/ipv4/conf/all/send_redirects
/proc/sys/net/ipv4/ip_forward
all set to 1 and on the Linux clients, I have
/proc/sys/net/ipv4/conf/all/accept_redirects
set to 1.
Trying to trace this has got me nowhere so far, except to see that it seems
that smooth is not returning ICMP redirects (nor is forwarding the packets) -
in the below, 192.168.1.10 is one of the clients, and somebox.somehost.com is
a box in the DMZ:
[root at smooth1 root]# tcpdump host 192.168.1.10
tcpdump: listening on eth0
10:14:07.744043 192.168.1.10 > somebox.somehost.com: icmp: echo request
This is the routing table on smooth
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
a.b.c.d         0.0.0.0         255.255.255.255 UH    0   0      0    ppp0
w.x.y.z         192.168.1.100   255.255.255.248 UG    0   0      0    eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
1.1.1.0         0.0.0.0         255.255.255.0   U     0   0      0    eth1
0.0.0.0         a.b.c.d         0.0.0.0         UG    0   0      0    ppp0
where a.b.c.d is the address of the remote end of the DSL connection,
192.168.1.100 is the LAN address of leased, and w.x.y.z is the DMZ network.
I might add that there is a nice simple solution to all of this - remove the
route to w.x.y.z via 192.168.100. However, that means that all internal
traffic to the DMZ goes out via the DSL and back in via the leased line - not
optimal for speed, and not exactly helping to reduce transfer on the leased
line.
Clearly, as the clients can't reach the DMZ without adding a static route,
I've missed something, or I am doing something wrong - but what?
Clients and servers have assorted kernels, but all fairly recent 2.4.xx series
- but I doubt that this is kernel version related.
This office is situated where alternative leased line arrangements are either
not possible, or more expensive, so don't bother suggesting that.
Oh - this is a rather long post - please only include relevant bits in
replies.
Niall
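The post expects a redirect whenever the next hop is on the same LAN as the client, but a Linux router applies a few more conditions before it sends one. The following is an added example, not code from the post or from Smoothwall: it models the redirect decision as documented in Documentation/networking/ip-sysctl.txt (send_redirects is effective when conf/all OR conf/<interface> is set; shared_media defaults to 1) and as implemented in net/ipv4/route.c (the RTCF_DOREDIRECT flag is only set when the packet would leave by the interface it arrived on, the source is directly connected on that interface, and either shared_media is set or the source and next hop share that interface's subnet). The routing table is the one from the post; w.x.y.z, a.b.c.d and the local ppp0 address, which the post does not show, are replaced with constructed placeholders from the documentation ranges, and `Router`, `Iface`, `Route` and `decide` are names chosen here, not kernel APIs.

```python
"""Model of when a Linux router sends an ICMP redirect for a forwarded packet.

Added example, not from the ILUG post or from Smoothwall.  Placeholders:
w.x.y.z -> 192.0.2.0/29, a.b.c.d -> 203.0.113.1, local ppp0 -> 198.51.100.7.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    dst: Net
    gateway: Optional[IPv4]   # None for a directly connected route
    iface: str


@dataclass
class Iface:
    name: str
    subnet: Net               # the interface's own prefix
    send_redirects: int = 0   # conf/<if>/send_redirects
    shared_media: int = 1     # conf/<if>/shared_media, kernel default is 1


@dataclass
class Router:
    forwarding: int           # /proc/sys/net/ipv4/ip_forward
    all_send_redirects: int   # conf/all/send_redirects
    ifaces: Dict[str, Iface]
    routes: List[Route]

    def lookup(self, dst: IPv4) -> Optional[Route]:
        """Longest-prefix match over the table, as the FIB does."""
        matches = [r for r in self.routes if dst in r.dst]
        return max(matches, key=lambda r: r.dst.prefixlen, default=None)

    def decide(self, src: IPv4, dst: IPv4, in_iface: str) -> Tuple[str, str]:
        """Classify a packet src->dst arriving on in_iface.

        Returns (action, detail): 'drop' (forwarding off), 'no_route',
        'forward' (forwarded, no redirect; detail says which condition
        suppressed it) or 'redirect' (forwarded and an ICMP redirect sent
        back to src; detail is the next hop the redirect points at).
        """
        if not self.forwarding:
            return 'drop', 'ip_forward is 0'
        route = self.lookup(dst)
        if route is None:
            return 'no_route', 'no matching route'
        # A connected route redirects to the host itself, otherwise to the gateway.
        next_hop = route.gateway if route.gateway is not None else dst
        if route.iface != in_iface:
            return 'forward', f'egress {route.iface} differs from ingress {in_iface}'
        ingress = self.ifaces[in_iface]
        if not (self.all_send_redirects or ingress.send_redirects):
            return 'forward', f'send_redirects is 0 for {in_iface}'
        if src not in ingress.subnet:
            return 'forward', f'source {src} is not directly connected on {in_iface}'
        if not ingress.shared_media and next_hop not in ingress.subnet:
            return 'forward', f'next hop {next_hop} not on {ingress.subnet} and shared_media is 0'
        return 'redirect', str(next_hop)


def smooth() -> Router:
    """The smoothwall box from the post, with constructed placeholder addresses."""
    return Router(
        forwarding=1,
        all_send_redirects=1,
        ifaces={
            'eth0': Iface('eth0', Net('192.168.1.0/24')),
            'eth1': Iface('eth1', Net('1.1.1.0/24')),
            'ppp0': Iface('ppp0', Net('198.51.100.7/32')),
        },
        routes=[
            Route(Net('203.0.113.1/32'), None, 'ppp0'),                   # a.b.c.d
            Route(Net('192.0.2.0/29'), IPv4('192.168.1.100'), 'eth0'),    # w.x.y.z via leased
            Route(Net('192.168.1.0/24'), None, 'eth0'),
            Route(Net('1.1.1.0/24'), None, 'eth1'),
            Route(Net('0.0.0.0/0'), IPv4('203.0.113.1'), 'ppp0'),         # default via DSL
        ],
    )


if __name__ == '__main__':
    r = smooth()
    client, dmz_host = IPv4('192.168.1.10'), IPv4('192.0.2.5')
    print('client -> DMZ      :', r.decide(client, dmz_host, 'eth0'))
    print('client -> Internet :', r.decide(client, IPv4('198.51.100.9'), 'eth0'))
    print('eth1 host -> DMZ   :', r.decide(IPv4('1.1.1.5'), dmz_host, 'eth1'))
    r.all_send_redirects = 0
    print('all/send_redirects=0:', r.decide(client, dmz_host, 'eth0'))
```

Run against the table in the post, the model says a client on eth0 pinging the DMZ should get a redirect pointing at 192.168.1.100, while a host on eth1 or a packet bound for the Internet leaves by a different interface and is simply forwarded. If the conditions modelled here are all satisfied on the real box and tcpdump still shows no redirect and no forwarded packet, what remains is outside the routing decision, for example packet filtering on the router, and the redirect rate limiting the kernel applies (the ip_rt_redirect_* sysctls).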