From: Eugene Grosbein
To: Abelenda Diego, kaycee gb
Cc: freebsd-net@freebsd.org
Subject: Re: IP "routing" issue
Date: Fri, 11 Sep 2020 00:20:20 +0700

10.09.2020 23:54, Abelenda Diego wrote:

> Thank you for pointing route "-iface" however I can't seem to manage what I
> want.
>
> When I use:
> "route add -host $IP_NOT_IN_SUBNET -iface bce0"
>
> I get "netstat -rn" to say something like:
>
> Internet:
> Destination        Gateway                Flags   Netif Expire
> default            $UPSTREAM_GW           UGS     bce0
> 10.0.0.1           link#7                 UHS     lo0
> $IP_NO_IN_SUBNET   $MAC_ADDRESS_OF_BCE0   UHS     bce0
>
>
> Which seems somehow appropriate, so I try to ping $IP_NOT_IN_SUBNET and I get:
>
> root@opnsense2:~ # ping $IP_NOT_IN_SUBNET
> PING $IP_NOT_IN_SUBNET ($IP_NOT_IN_SUBNET): 56 data bytes
> 36 bytes from $UPSTREAM_GW: Redirect Host(New addr: $PUBLIC_IP_OF_BCE0).
>
> Which doesn't seem appropriate at all wrt the routing table...

Such route means that an attempt to send any packet to the IP in question
results in broadcast ARP query for destination IP sent out of bce0.
It seems your upstream has arp proxy enabled, so it sends ARP reply with its
MAC address making your host send IP packet to $UPSTREAM_GW, but its routing
table points back to your $PUBLIC_IP_OF_BCE0, hence redirection is generated.

You should not use "-iface bce0" but right interface name pointing to host
having target IP address. And if your own host has it, you do not need to add
any route at all, but assign additional IP as alias to bce0.
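
Added example, not part of the original message or of FreeBSD itself: a check that reads "netstat -rn" text and lists host routes resolved by ARP on the same interface as the default route, the situation the reply describes. The function names and the sample table (documentation addresses, made-up MAC) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads a FreeBSD-style "netstat -rn -f inet" table on stdin and
# prints every host route that is on-link on the default route interface.

find_onlink_host_routes() {
    awk '
        BEGIN { n = 0 }
        # The interface that carries the default route (upstream side).
        $1 == "default" && $3 ~ /G/ { default_if = $4 }
        # Data rows have an all-uppercase flags column; the header row does not.
        NF >= 4 && $3 ~ /^[A-Z0-9]+$/ {
            dest[n] = $1; gw[n] = $2; fl[n] = $3; nif[n] = $4; n++
        }
        END {
            for (i = 0; i < n; i++) {
                # H without G: a host route with no next-hop router, so the
                # kernel sends an ARP query for the destination itself.
                if (fl[i] !~ /H/ || fl[i] ~ /G/) continue
                if (nif[i] != default_if) continue
                # Interface routes show link#N or a MAC address as gateway.
                if (gw[i] !~ /^link#[0-9]+$/ &&
                    gw[i] !~ /^([0-9a-f][0-9a-f]?:)+[0-9a-f][0-9a-f]?$/) continue
                printf "%s via %s on %s\n", dest[i], gw[i], nif[i]
            }
        }
    '
}

# Constructed sample shaped like the table quoted in the thread.
sample_table() {
    cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS        bce0
10.0.0.1           link#7             UHS         lo0
198.51.100.25      00:11:22:33:44:55  UHS        bce0
203.0.113.9        link#2             UHS        igb1
EOF
}

# On a live host: netstat -rn -f inet | find_onlink_host_routes
sample_table | find_onlink_host_routes
```

A flagged route is delivered only if something on that segment answers ARP for the address; comparing the answering MAC in "arp -an" with the upstream gateway's MAC shows whether proxy ARP is the responder.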