<p>pfSense bugtracker: pfSense - Bug #11494: Wireguard interface sends ICMP Redirect when routing between two peers</p>
<p>Blaine Palmer, 2021-02-21T11:25:05Z (https://redmine.pfsense.org/issues/11494?journal_id=51388)</p>
<p>Just for reference, it appears a similar issue was observed early in WireGuard's original development.</p>
<p><a class="external" href="https://git.zx2c4.com/wireguard-monolithic-historical/commit/?id=1e96d7f29551309f1ab5480e39dcc6124ea89aa0">https://git.zx2c4.com/wireguard-monolithic-historical/commit/?id=1e96d7f29551309f1ab5480e39dcc6124ea89aa0</a></p>
<p>Similarly, it appears similar code made it into the Linux kernel implementation as well.</p>
<p><a class="external" href="https://git.zx2c4.com/wireguard-linux/tree/drivers/net/wireguard/device.c">https://git.zx2c4.com/wireguard-linux/tree/drivers/net/wireguard/device.c</a><br /><a class="external" href="https://github.com/torvalds/linux/blob/master/drivers/net/wireguard/device.c">https://github.com/torvalds/linux/blob/master/drivers/net/wireguard/device.c</a></p>
<pre><code>if (dev_v4) {
	/* At some point we might put this check near the ip_rt_send_
	 * redirect call of ip_forward in net/ipv4/ip_forward.c, similar
	 * to the current secpath check.
	 */
	IN_DEV_CONF_SET(dev_v4, SEND_REDIRECTS, false);
	IPV4_DEVCONF_ALL(dev_net(dev), SEND_REDIRECTS) = false;
}</code></pre>
<p>Blaine Palmer, 2021-02-21T12:22:25Z (https://redmine.pfsense.org/issues/11494?journal_id=51389)</p>
<p>It would appear this may need to be corrected in the FreeBSD upstream.</p>
<p>Possibly relevant:<br /><a class="external" href="https://github.com/freebsd/freebsd-src/blob/main/sys/netinet/ip_input.c">https://github.com/freebsd/freebsd-src/blob/main/sys/netinet/ip_input.c</a><br />Line #119 (sysctl check)<br />Line #1040 (conditional logic)</p>
<p><a class="external" href="https://github.com/freebsd/freebsd-src/blob/main/sys/netinet/ip_var.h">https://github.com/freebsd/freebsd-src/blob/main/sys/netinet/ip_var.h</a><br />Line 185 <code>VNET_DECLARE(int, ipsendredirects);</code><br />Line 201 <code>#define V_ipsendredirects VNET(ipsendredirects)</code></p>
<p>I tried to poke around and look for other interfaces that were selectively disabling forward/redirect or other sysctls, but am not familiar enough with the code.<br />Thank you!</p>
<p>Blaine Palmer, 2021-02-21T12:29:01Z (https://redmine.pfsense.org/issues/11494?journal_id=51390)</p>
<p>One last interesting tidbit: similar assumptions caused issues with p2p interfaces in IPv6, which caused issues for the WG pre-kernel implementation.</p>
<p><a class="external" href="https://github.com/freebsd/freebsd-src/commit/1e9b8db9b254b98ae065889f8c33b0dcc18138a1">https://github.com/freebsd/freebsd-src/commit/1e9b8db9b254b98ae065889f8c33b0dcc18138a1</a></p>
<p>Jim Pingle, 2021-02-22T10:21:43Z (https://redmine.pfsense.org/issues/11494?journal_id=51434)</p>
<ul><li><strong>Priority</strong> changed from <i>Normal</i> to <i>Low</i></li><li><strong>Target version</strong> changed from <i>2.5.1</i> to <i>CE-Next</i></li></ul><p>This is likely a (mostly?) harmless side effect of how the routes in the routing table are added for WireGuard. Because they are added to the interface directly and not to a remote peer (due to how WireGuard operates), redirects are triggered.</p>
<p>This isn't limited to WireGuard. There is an old IPsec workaround to nudge firewall traffic into a policy-based IPsec tunnel which involves adding a route using the firewall itself as a gateway. When using that kind of route, hosts on LAN also get the redirects.</p>
<p>If you know you have no need for ICMP redirects on any interface, you can also disable them completely by setting system tunables for:</p>
<pre>
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
</pre>
<p>Blaine Palmer, 2021-02-22T11:28:08Z (https://redmine.pfsense.org/issues/11494?journal_id=51440)</p>
<p>I've disabled redirects via the sysctl/tunable as suggested already.</p>
<p>Just to clarify this is for every incoming packet that is forwarded by FreeBSD/pfSense from one peer on a WireGuard interface to another peer on the same WireGuard interface.</p>
<p>I think the concern would be the overhead this would add unnecessarily. If I understand the FreeBSD ip_forward function properly, it will be sending a redirect for every non-fragmented packet forwarded.</p>
<p>I will test this and get back to you shortly with some packet statistics to confirm if this assertion is correct.</p>
<p>Jim Pingle, 2021-02-22T11:37:30Z (https://redmine.pfsense.org/issues/11494?journal_id=51441)</p>
<p>Another workaround is to do one peer per tunnel and a dynamic routing protocol like BGP, or routes using the remote peer tunnel address as the gateway (fill in the Peer WireGuard Address appropriately, leave Allowed IPs blank, add your own manual static routes).</p>
<p>If it's the routes targeting the interface itself to blame, that should take it out of the equation.</p>
<p>Blaine Palmer, 2021-02-22T13:20:56Z (https://redmine.pfsense.org/issues/11494?journal_id=51450)</p>
<p>I was able to confirm that there does not appear to be any rate limiting; the overhead isn't terrible though, as the ICMP packets are so small. Getting statistics was a little more difficult on this new MacBook, however, and your proposed solution is the best, I believe. This simplifies firewall rules and routing semantics.</p>
<p>Thank you</p>
<p>Jim Pingle, 2021-03-19T10:59:35Z (https://redmine.pfsense.org/issues/11494?journal_id=52580)</p>
<ul><li><strong>Target version</strong> changed from <i>CE-Next</i> to <i>Future</i></li></ul>
<p>Christian McDonald (cmcdonald@netgate.com), 2021-12-29T13:43:45Z (https://redmine.pfsense.org/issues/11494?journal_id=58090)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Rejected</i></li><li><strong>Target version</strong> deleted (<del><i>Future</i></del>)</li><li><strong>Release Notes</strong> changed from <i>Default</i> to <i>Force Exclusion</i></li></ul><p>Unable to replicate.</p>
<p>We can revisit if someone can demonstrate that this issue is still valid.</p>
<p>luckman212 (luke.hamburg@gmail.com), 2022-05-09T19:36:05Z (https://redmine.pfsense.org/issues/11494?journal_id=60985)</p>
<p><a class="user active" href="https://redmine.pfsense.org/users/2757">Christian McDonald</a> Just for the record, I'm hitting this exact issue right now on current 22.05 snaps, with WG 0.1.6_1 package and 2 configured remote peers connected. It was easy to reproduce. Found a fairly recent <a href="https://forum.netgate.com/topic/168943/pfsense-selfhosted-acting-as-wireguard-vpn-server" class="external">forum thread</a> with the same issue too.</p>
<p>Is the <code>net.inet.ip.redirect=0</code> tunable still the best workaround we have here?</p>
<p>Andrei Caba, 2023-04-10T13:05:41Z (https://redmine.pfsense.org/issues/11494?journal_id=66672)</p>
<p>Christian McDonald wrote in <a href="#note-9">#note-9</a>:</p>
<blockquote>
<p>Unable to replicate.</p>
<p>We can revisit if someone can demonstrate that this issue is still valid.</p>
</blockquote>
<p>This issue is still valid. We just installed WireGuard on pfSense 2 days ago and we have the same behaviour.<br />The "workaround" <code>net.inet.ip.redirect=0</code> is not really acceptable, as we want to use this tunable enabled (for other purposes).<br />Can this be fixed in some other way?...</p>
<p>PS - to make it easier for anyone else to replicate:<br />we used this tutorial:<br /><a class="external" href="https://www.wundertech.net/how-to-set-up-wireguard-on-pfsense/">https://www.wundertech.net/how-to-set-up-wireguard-on-pfsense/</a><br />We have pfSense Community Edition (virtual machine, not physical).</p>
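<p>The ip_forward() conditions this thread points at (the ipsendredirects sysctl check and the same-interface conditional), as an added example that is not part of the thread and not pfSense or FreeBSD code: a simplified Python model of when FreeBSD emits an ICMP host redirect, applied to the two-peers-on-one-tunnel case, the <code>net.inet.ip.redirect=0</code> tunable and the one-peer-per-tunnel layout. The interface names (tun_wg0, tun_wg1), the addresses and the Route/Packet types are this example's own assumptions.</p>

```python
"""Simplified model of the ICMP redirect decision in FreeBSD's ip_forward().

Added example, not code from the pfSense or FreeBSD projects: it reduces the
conditions discussed in this thread (net.inet.ip.redirect, same receive and
transmit interface, the kind of route) to one pure function so the
two-peers-on-one-WireGuard-interface case and the workarounds can be compared.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    ifname: str                    # interface the route points at
    subnet: str                    # network of that interface's address
    gateway: Optional[str] = None  # None: interface route (no RTF_GATEWAY)
    default: bool = False          # default routes never yield a redirect
    from_redirect: bool = False    # RTF_DYNAMIC/RTF_MODIFIED routes never do either


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    rcvif: str                     # interface the packet arrived on
    source_routed: bool = False


def redirect_target(pkt: Packet, route: Route, ipsendredirects: bool = True) -> Optional[str]:
    """Address an ICMP host redirect would point the sender at, or None if none is sent."""
    if not ipsendredirects or pkt.source_routed:
        return None
    if route.ifname != pkt.rcvif:            # egress != ingress: no shortcut to offer
        return None
    if route.default or route.from_redirect:
        return None
    if ip_address(pkt.src) not in ip_network(route.subnet):  # sender not directly attached
        return None
    return route.gateway if route.gateway else pkt.dst   # host redirect, never a net redirect


def wireguard_cases() -> dict:
    """Peer A (10.0.0.2) sends to peer B (10.0.0.3) via the firewall; constructed addresses."""
    pkt = Packet(src="10.0.0.2", dst="10.0.0.3", rcvif="tun_wg0")
    same_if = Route("tun_wg0", "10.0.0.0/24")      # AllowedIPs route on the wg interface itself
    return {
        "two peers on one tunnel": redirect_target(pkt, same_if),
        "net.inet.ip.redirect=0": redirect_target(pkt, same_if, ipsendredirects=False),
        "one peer per tunnel": redirect_target(pkt, Route("tun_wg1", "10.0.1.0/24")),
        "default route via tunnel": redirect_target(pkt, Route("tun_wg0", "10.0.0.0/24", default=True)),
    }
```

<p>Only the first case yields a redirect (naming peer B directly), which is the per-forwarded-packet behaviour reported above; the tunable and the one-peer-per-tunnel layout each defeat a different condition.</p>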