Bug #8294
ICMP redirect doesn't use CARP IP
Status: Closed
Description
When you configure two pfSense servers in high availability using CARP, every ICMP redirect generated uses the physical interface IP address and not the correct CARP IP.
That leads to a problem because some operating systems (tested: Windows 7 and Windows 10) reject the ICMP because it is not coming from the correct gateway IP.
Updated by Jim Pingle over 5 years ago
- Status changed from New to Not a Bug
That's expected behavior and not something we can easily rectify (past attempts have been unsuccessful) -- See #6957
Updated by Denis Grilli over 5 years ago
Not sure it is the same thing.
I am not talking about some devices that check the source MAC address; I am talking about pfSense sending the reply with the wrong IP.
If I send a packet to the CARP IP, any device will expect the answer (or in this case the ICMP redirect) from the same IP, and those devices are legitimately entitled, for security reasons, to ignore and reject anything that comes from a different one. To me, the wrong behavior here is from pfSense.
So how can that be expected behavior? And again, I am not sure we are talking about the same problem here.
Updated by Jim Pingle over 5 years ago
ICMP is connectionless; the OS will reply from whichever address is "closest" to the target. The firewall cannot tell what IP address is being used as the client gateway; it only sees packets arrive using a MAC address for the firewall (including the CARP MAC).
If you'd like a way to alter that behavior, you'll have to take it up with FreeBSD directly.
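The following is an added example, not code from pfSense, FreeBSD, or either participant in this thread. It models the client-side check the reporter describes: a host that only honours an ICMP redirect whose source address is the gateway it is actually configured to use, plus the RFC 1122 requirement that the new gateway be on-link. The packet bytes are constructed inline from the 192.0.2.0/24 documentation range; the names (CARP_VIP, PHYS_IP, host_accepts_redirect, and so on) and the exact set of checks are assumptions made for illustration, not a statement of what Windows implements.

```python
"""Added example (not pfSense/FreeBSD code): how a strict host evaluates an
ICMPv4 redirect whose source is the physical interface address rather than the
CARP VIP it uses as its gateway. All addresses are from the 192.0.2.0/24
documentation range and every packet is constructed inline, so it runs offline."""
import ipaddress
import struct
from typing import Optional, Tuple

ICMP_REDIRECT = 5  # RFC 792 message type
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; verifying a correct header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_redirect(src: str, dst: str, new_gateway: str,
                        orig_src: str, orig_dst: str) -> bytes:
    """Constructed ICMPv4 host redirect (type 5, code 1) carrying the IP header
    plus 8 bytes of the datagram that triggered it, as RFC 792 requires."""
    orig_udp = struct.pack("!HHHH", 40000, 53, 8, 0)  # first 8 bytes of the original UDP header
    orig_dgram = _ipv4_header(orig_src, orig_dst, 17, len(orig_udp)) + orig_udp
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0,
                       ipaddress.IPv4Address(new_gateway).packed) + orig_dgram
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return _ipv4_header(src, dst, IPPROTO_ICMP, len(icmp)) + icmp


def parse_icmp_redirect(pkt: bytes) -> Optional[dict]:
    """Return the redirect's fields, or None if pkt is not a well-formed ICMPv4 redirect."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ICMP or inet_checksum(pkt[:ihl]) != 0:
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 28 or icmp[0] != ICMP_REDIRECT or inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]  # header of the datagram that provoked the redirect
    return {
        "src": ipaddress.IPv4Address(pkt[12:16]),
        "dst": ipaddress.IPv4Address(pkt[16:20]),
        "code": icmp[1],
        "new_gateway": ipaddress.IPv4Address(icmp[4:8]),
        "orig_src": ipaddress.IPv4Address(inner[12:16]),
        "orig_dst": ipaddress.IPv4Address(inner[16:20]),
    }


def host_accepts_redirect(pkt: bytes, my_ip: str, prefix_len: int,
                          my_gateway: str) -> Tuple[bool, str]:
    """Assumed policy of a strict host: the redirect must be addressed to us and
    concern a packet we sent, must come from the gateway we are configured to
    use, and must point at an on-link next hop (RFC 1122 section 3.2.2.2)."""
    r = parse_icmp_redirect(pkt)
    if r is None:
        return False, "not a well-formed ICMP redirect"
    me = ipaddress.IPv4Address(my_ip)
    net = ipaddress.ip_network(f"{my_ip}/{prefix_len}", strict=False)
    gw = ipaddress.IPv4Address(my_gateway)
    if r["dst"] != me or r["orig_src"] != me:
        return False, "redirect is not about a packet this host sent"
    if r["src"] != gw:
        return False, f"redirect from {r['src']} but my gateway is {gw}"
    if r["new_gateway"] not in net or r["new_gateway"] == me:
        return False, f"new gateway {r['new_gateway']} is not on-link"
    return True, f"route {r['orig_dst']} via {r['new_gateway']}"


# Constructed scenario: clients use the CARP VIP as their gateway; the primary
# firewall's physical LAN address is PHYS_IP; OTHER_ROUTER is the better next
# hop for 198.51.100.0/24 that the redirect points to.
CARP_VIP, PHYS_IP, OTHER_ROUTER, CLIENT = "192.0.2.1", "192.0.2.2", "192.0.2.254", "192.0.2.10"


def demo() -> dict:
    """Same redirect sent from the physical address and from the CARP VIP."""
    from_phys = build_icmp_redirect(PHYS_IP, CLIENT, OTHER_ROUTER, CLIENT, "198.51.100.7")
    from_vip = build_icmp_redirect(CARP_VIP, CLIENT, OTHER_ROUTER, CLIENT, "198.51.100.7")
    return {
        "from_physical": host_accepts_redirect(from_phys, CLIENT, 24, CARP_VIP),
        "from_carp_vip": host_accepts_redirect(from_vip, CLIENT, 24, CARP_VIP),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Run stand-alone, the redirect sourced from the physical interface address is rejected with the reason that its source is not the configured gateway, while the identical redirect sourced from the CARP VIP is accepted. The same parser can be pointed at captured packets (strip the Ethernet header first) to confirm which source address a firewall is actually using for its redirects.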