Date: Fri, 27 Nov 2015 10:13:49 +0100
From: Daniel Bilik <ddb@neosystem.org>
To: Gary Palmer <gpalmer@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Outgoing packets being sent via wrong interface
Message-ID: <20151127101349.752c94090e78ca68cf0f81fc@neosystem.org>
In-Reply-To: <20151125122033.GB41119@in-addr.com>
References: <20151120155511.5fb0f3b07228a0c829fa223f@neosystem.org> <C1D7F956-81C9-4ED4-99B8-E0C73A3ECB37@FreeBSD.org> <20151120163431.3449a473db9de23576d3a4b4@neosystem.org> <20151121212043.GC2307@vega.codepro.be> <20151122130240.165a50286cbaa9288ffc063b@neosystem.cz> <20151125092145.e93151af70085c2b3393f149@neosystem.cz> <20151125122033.GB41119@in-addr.com>

On Wed, 25 Nov 2015 12:20:33 +0000
Gary Palmer <gpalmer@freebsd.org> wrote:

> route -n get <unreachable IP>

As suggested by Kevin and Ryan, I set the router to drop redirects...

    net.inet.icmp.drop_redirect: 1

... but it happened again today, and again affected host was
192.168.2.33. Routing and arp entries were correct. Output of
"route -n get"...

       route to: 192.168.2.33
    destination: 192.168.2.0
           mask: 255.255.255.0
            fib: 0
      interface: re1
          flags: <UP,DONE,PINNED>
     recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
           0         0         0         0      1500         1         0

... has not changed during the problem. Interesting was ping result...

    PING 192.168.2.33 (192.168.2.33): 56 data bytes
    ping: sendto: Operation not permitted
    ping: sendto: Operation not permitted
    ...
    64 bytes from 192.168.2.33: icmp_seq=11 ttl=128 time=0.593 ms
    ping: sendto: Operation not permitted
    ...
    64 bytes from 192.168.2.33: icmp_seq=20 ttl=128 time=0.275 ms
    64 bytes from 192.168.2.33: icmp_seq=21 ttl=128 time=0.251 ms
    ping: sendto: Operation not permitted
    ...
    64 bytes from 192.168.2.33: icmp_seq=40 ttl=128 time=0.245 ms
    ping: sendto: Operation not permitted
    64 bytes from 192.168.2.33: icmp_seq=42 ttl=128 time=7.111 ms
    ping: sendto: Operation not permitted
    ...
    --- 192.168.2.33 ping statistics ---
    46 packets transmitted, 5 packets received, 89.1% packet loss

It seems _some_ packets go the right interface (re1), but most try to go
wrong (re0) and are dropped by pf...

    00:00:01.066886 rule 53..16777216/0(match): block out on re0: 82.x.y.50 > 192.168.2.33: ICMP echo request, id 58628, seq 39, length 64
    00:00:02.017874 rule 53..16777216/0(match): block out on re0: 82.x.y.50 > 192.168.2.33: ICMP echo request, id 58628, seq 41, length 64
    00:00:02.069634 rule 53..16777216/0(match): block out on re0: 82.x.y.50 > 192.168.2.33: ICMP echo request, id 58628, seq 43, length 64

And again, refreshing default route (delete default / add default)
resolved it...

    PING 192.168.2.33 (192.168.2.33): 56 data bytes
    64 bytes from 192.168.2.33: icmp_seq=0 ttl=128 time=0.496 ms
    64 bytes from 192.168.2.33: icmp_seq=1 ttl=128 time=0.226 ms
    64 bytes from 192.168.2.33: icmp_seq=2 ttl=128 time=0.242 ms
    64 bytes from 192.168.2.33: icmp_seq=3 ttl=128 time=0.226 ms

--
Dan