Date: Wed, 29 Apr 2009 10:49:05 +0200
From: Sebastiaan van Erk <sebster@sebster.com>
To: Max Laier <max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: "BAD ICMP" message
Message-ID: <49F81481.3020609@sebster.com>
In-Reply-To: <49F07D1A.9010302@sebster.com>
References: <49EFF732.3010402@sebster.com> <200904231559.13059.max@love2party.net> <49F07D1A.9010302@sebster.com>
Sebastiaan van Erk wrote:
> Hi,
>
> Thanks for the reply.
>
> Max Laier wrote:
>> On Thursday 23 April 2009 07:05:54 Sebastiaan van Erk wrote:
>>> Apr 23 06:58:38 vpn3 kernel: pf: loose state match: TCP
>>> 10.0.80.150:51422 10.0.80.150:51422 10.0.80.4:22 [lo=3150927679
>>> high=3150923785 win=692 modulator=0] [lo=0 high=692 win=1 modulator=0]
>>> 2:0 A seq=3150927679 (3150927679) ack=0 len=0 ackskew=0 pkts=77:0
>>> Apr 23 06:58:38 vpn3 kernel: pf: BAD ICMP 5:1 10.0.80.77 -> 10.0.80.150
>>                                           ^
>>
>> These are ICMP redirect messages. This clearly suggests that
>> something is very wrong with your routing. I assume your netmasks are
>> wrong. It looks like 10.0.80.77 thinks that 10.0.80.150 can reach
>> 10.0.80.4 directly which is not the case - it needs to route through
>> 10.0.80.77.

Actually, I finally figured out what was wrong. I accidentally told
OpenVPN to "push 10.0.80.0/24 10.0.80.77", in other words, the client
machine 10.0.80.150 tried to route through 10.0.80.77 even though it can
reach it directly (since it's a bridged network). After removing the
offending line, everything works. Something was definitely wrong with the
routing though. :-)

Regards,
Sebastiaan

> Here's a list of the entire setup:
>
> em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
>         ether 00:0c:29:61:2a:4b
>         inet 111.111.111.111 netmask 0xfffffff0 broadcast 212.61.136.79
>         media: Ethernet autoselect (1000baseTX <full-duplex>)
>         status: active
> em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
>         ether 00:0c:29:61:2a:55
>         inet 10.0.80.77 netmask 0xffffff00 broadcast 10.0.80.255
>         media: Ethernet autoselect (1000baseTX <full-duplex>)
>         status: active
> em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
>         ether 00:0c:29:61:2a:5f
>         inet 10.0.81.77 netmask 0xffffff00 broadcast 10.0.81.255
>         media: Ethernet autoselect (1000baseTX <full-duplex>)
>         status: active
> em3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
>         ether 00:0c:29:61:2a:69
>         inet 10.0.82.77 netmask 0xffffff00 broadcast 10.0.82.255
>         media: Ethernet autoselect (1000baseTX <full-duplex>)
>         status: active
> plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff000000
> pfsync0: flags=0<> metric 0 mtu 1460
>         syncpeer: 224.0.0.240 maxupd: 128
> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         ether f2:f4:c1:45:e7:50
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>                 ifmaxaddr 0 port 9 priority 128 path cost 2000000
>         member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>                 ifmaxaddr 0 port 2 priority 128 path cost 20000
> tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         ether 00:bd:96:02:00:00
>         Opened by PID 1310
> carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
>         inet 111.111.111.112 netmask 0xfffffff0
>         carp: MASTER vhid 1 advbase 1 advskew 0
> carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
>         inet 10.0.80.74 netmask 0xffffff00
>         carp: MASTER vhid 2 advbase 1 advskew 0
> carp2: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
>         inet 10.0.81.74 netmask 0xffffff00
>         carp: MASTER vhid 3 advbase 1 advskew 0
> carp3: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
>         inet 10.0.82.74 netmask 0xffffff00
>         carp: MASTER vhid 4 advbase 1 advskew 0
> pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
>
> em0 is the external interface, em1 is the vpn interface, and em2 and em3
> have production machines on them...
>
> The tap0 is the interface used by openvpn. It is bridged in bridge0 to
> the internal em1 network. Since it is bridged, my feeling says that the
> two VPN clients (10.0.80.4 and 10.0.80.150) should be able to talk
> directly to each other. I have no idea why my linux box (10.0.80.150)
> thinks it can't directly talk to the other vpn client and talks via the
> gateway instead. I get a lot of these ICMP redirects on tap0:
>
> # tcpdump -ni tap0 icmp
> tcpdump: WARNING: tap0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on tap0, link-type EN10MB (Ethernet), capture size 96 bytes
> 16:32:51.719979 IP 10.0.80.77 > 10.0.80.150: ICMP redirect 10.0.80.4 to host 10.0.80.4, length 60
>
> I'm sure I'm doing something wrong somewhere, but I can't quite figure
> it out.
>
> Regards,
> Sebastiaan
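The "BAD ICMP 5:1" line in the thread is pf reporting an ICMP packet that matched no state, with ICMP type 5 (redirect) and code 1 (redirect for host); the gateway 10.0.80.77 is telling the client 10.0.80.150 that it is routing traffic through the gateway unnecessarily, which is what the stray pushed OpenVPN route caused. The parser below is an added example, not code from the thread or from the pf project: it decodes pf's "BAD ICMP" kernel log lines, names the type and code, and collects the (gateway, client) pairs that appear in redirects so an operator can go and check the client's routing table. The log lines marked as constructed (the second redirect and the port-unreachable) are made up for contrast; the other two are the lines quoted above.

```python
import re
from collections import Counter

# ICMP type names (RFC 792) for the messages pf most often reports as
# "BAD ICMP", i.e. ICMP packets that do not belong to an existing state.
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
}
# Codes for ICMP type 5 (redirect); "5:1" in the thread is "redirect for host".
REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}

# Matches pf's "BAD ICMP type:code src -> dst" kernel log lines, e.g.
#   Apr 23 06:58:38 vpn3 kernel: pf: BAD ICMP 5:1 10.0.80.77 -> 10.0.80.150
BAD_ICMP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: pf: BAD ICMP "
    r"(?P<type>\d+):(?P<code>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"
)

# Sample log: the two lines quoted in the thread, followed by two constructed
# lines (a repeated redirect and a port-unreachable) to show the contrast.
SAMPLE_LOG = [
    "Apr 23 06:58:38 vpn3 kernel: pf: loose state match: TCP 10.0.80.150:51422 "
    "10.0.80.150:51422 10.0.80.4:22 [lo=3150927679 high=3150923785 win=692 "
    "modulator=0] [lo=0 high=692 win=1 modulator=0] 2:0 A seq=3150927679 "
    "(3150927679) ack=0 len=0 ackskew=0 pkts=77:0",
    "Apr 23 06:58:38 vpn3 kernel: pf: BAD ICMP 5:1 10.0.80.77 -> 10.0.80.150",
    "Apr 23 06:58:41 vpn3 kernel: pf: BAD ICMP 5:1 10.0.80.77 -> 10.0.80.150",  # constructed
    "Apr 23 06:59:02 vpn3 kernel: pf: BAD ICMP 3:3 10.0.81.20 -> 10.0.80.150",  # constructed
]


def parse_bad_icmp(line):
    """Parse one pf 'BAD ICMP' line into a dict; return None for any other line."""
    m = BAD_ICMP_RE.match(line.strip())
    if m is None:
        return None
    icmp_type, icmp_code = int(m["type"]), int(m["code"])
    name = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    if icmp_type == 5:
        name = "redirect for " + REDIRECT_CODES.get(icmp_code, f"code {icmp_code}")
    return {
        "host": m["host"],
        "src": m["src"],
        "dst": m["dst"],
        "type": icmp_type,
        "code": icmp_code,
        "name": name,
    }


def summarize(lines):
    """Count BAD ICMP messages per (src, dst, name) and collect the
    (gateway, client) pairs seen in redirects.

    A redirect means the gateway (src) is telling the client (dst) that some
    destination is reachable without going through the gateway, typically
    because the client holds a route via the gateway for a prefix it sits on
    directly, as with the pushed OpenVPN route in the thread."""
    counts = Counter()
    redirect_pairs = set()
    for line in lines:
        rec = parse_bad_icmp(line)
        if rec is None:
            continue
        counts[(rec["src"], rec["dst"], rec["name"])] += 1
        if rec["type"] == 5:
            redirect_pairs.add((rec["src"], rec["dst"]))
    return counts, sorted(redirect_pairs)


if __name__ == "__main__":
    counts, pairs = summarize(SAMPLE_LOG)
    for (src, dst, name), n in counts.most_common():
        print(f"{n:4d}  {name:<28} {src} -> {dst}")
    for gw, client in pairs:
        print(f"check the routing table on {client}: gateway {gw} keeps redirecting it")
```

Run it over `/var/log/messages` (or the output of `dmesg`) instead of `SAMPLE_LOG` to get the same summary for a live box; a steady stream of "redirect for host" from one gateway to one client is a routing or netmask problem on the client rather than something to tune in pf.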
