From: Jon Otterholm
Date: Wed, 21 Mar 2007 22:08:06 +0100
To: freebsd-net@freebsd.org
Subject: Re: ICMP-floods
Message-ID: <46019EB6.6010209@ide.resurscentrum.se>
List-Id: Networking and TCP/IP with FreeBSD

Chuck Swiger wrote:
> On Mar 20, 2007, at 4:05 PM, Jon Otterholm wrote:
>>>> When setting net.inet.ip.redirect=0 on my routers, the icmp-redirects
>>>> disappear, but instead I get a large amount of ICMP-time-exceed
>>>> from my routers.
>>>
>>> The information you've provided strongly suggests either problems
>>> with the netmasks being used, or a routing loop, or some combination
>>> of both.
>> I have checked netmasks and they are all on the same network. There
>> should not be any routing involved in the communication between these
>> hosts.
>
> OK. Care to show a "tcpdump -ntv icmp" illustrating the problem...? :-)

Nope :-)

I dug a little deeper into this. It seems like my problems are far more
extensive than I first expected. I did not mention earlier that all if's
are vlan-based sub-interfaces. It seems that if I move admin-if's on my
routers to a different physical if than the one with the default route,
all weird time-exceed/redir are gone and all traffic on my Nagios-machine
is OK. It seems almost as if my routers can not hold apart inbound
traffic destined to different sub-if's on one physical if. Can this be it?

I have checked my topology from all around now and I can not find any
routing loops.

For example: Router1 has its default route connected to em0.10. With
admin-net on em0.20 I get my icmp-floods. Moving admin-net to em1.20
makes the icmp-floods go away.

A possible bug in if_vlan?

//Jon
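
An added example, not part of the original message and not code from anyone in the thread: Python that reads text in the style of the `tcpdump -ntv icmp` output requested above and counts redirect and time-exceeded messages per sending router together with the flow that triggered each one. The capture and every address in it are constructed, and the tab-indented quoted header line is an assumption about tcpdump's verbose layout.

```python
import re
from collections import Counter

# Constructed sample shaped like `tcpdump -ntv icmp` output; every address is made up.
# Each ICMP error is followed by the quoted header of the packet that triggered it.
SAMPLE = """\
IP (tos 0x0, ttl 64, id 4101, offset 0, flags [none], proto ICMP (1), length 56)
    10.0.20.1 > 10.0.20.50: ICMP redirect 10.0.20.60 to host 10.0.20.60, length 36
\tIP (tos 0x0, ttl 63, id 911, offset 0, flags [none], proto ICMP (1), length 84)
    10.0.20.50 > 10.0.20.60: ICMP echo request, id 7, seq 1, length 64
IP (tos 0x0, ttl 64, id 4102, offset 0, flags [none], proto ICMP (1), length 56)
    10.0.20.1 > 10.0.20.50: ICMP time exceeded in-transit, length 36
\tIP (tos 0x0, ttl 1, id 912, offset 0, flags [none], proto ICMP (1), length 84)
    10.0.20.50 > 10.0.20.60: ICMP echo request, id 7, seq 2, length 64
IP (tos 0x0, ttl 64, id 4103, offset 0, flags [none], proto ICMP (1), length 56)
    10.0.20.1 > 10.0.20.50: ICMP time exceeded in-transit, length 36
\tIP (tos 0x0, ttl 1, id 913, offset 0, flags [none], proto ICMP (1), length 84)
    10.0.20.50 > 10.0.20.60: ICMP echo request, id 7, seq 3, length 64
IP (tos 0x0, ttl 64, id 920, offset 0, flags [none], proto ICMP (1), length 84)
    10.0.20.50 > 10.0.20.70: ICMP echo request, id 8, seq 1, length 64
"""

FLOW = re.compile(r"^\s*(\S+) > (\S+): (.*)$")          # "src > dst: payload"
ERROR = re.compile(r"^ICMP (redirect|time exceeded)\b")  # the two kinds in the thread

def parse(text):
    """Return one dict per redirect/time-exceeded, with the quoted flow attached."""
    events, pending = [], None
    for line in text.splitlines():
        if line.startswith("IP "):
            pending = None  # new top-level packet: the last error quoted nothing
        m = FLOW.match(line)
        if not m:
            continue  # "IP (tos ...)" header lines carry no addresses
        src, dst, rest = m.groups()
        err = ERROR.match(rest)
        if err:
            pending = {"sender": src, "kind": err.group(1), "quoted": None}
            events.append(pending)
        elif pending is not None:
            pending["quoted"] = (src, dst)  # the packet that triggered the error
            pending = None
    return events

def summarize(events):
    """Count events per (sender, kind, quoted flow): who emits what, and for which traffic."""
    return Counter((e["sender"], e["kind"], e["quoted"]) for e in events)
```

A router address dominating the counts for a flow between two hosts on the same subnet is the pattern the thread is trying to explain; the ttl of the quoted packet in the raw output shows whether it really expired after many hops.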