Bug #8294


ICMP redirect doesn't use CARP IP

Added by Denis Grilli over 6 years ago. Updated almost 5 years ago.

Status: Not a Bug
Category: High Availability


When you configure two pfSense servers in high availability using CARP, every ICMP redirect generated uses the physical interface IP address and not the correct CARP IP.

That leads to a problem because some operating systems (tested: Windows 7 and Windows 10) reject the ICMP because it is not coming from the correct gateway IP.

#1 Updated by Denis Grilli over 5 years ago

Bug still present in 2.4.4

#2 Updated by Jim Pingle almost 5 years ago

  • Status changed from New to Not a Bug

That's expected behavior and not something we can easily rectify (past attempts have been unsuccessful) -- See #6957

#3 Updated by Denis Grilli almost 5 years ago

Not sure it is the same thing.
I am not talking about some devices that check the src MAC address, I am talking about pfSense sending the reply with the wrong IP.
If I send a packet to the CARP IP, any device will expect the answer (or in this case the ICMP redirect) from the same IP, and those devices are legitimately entitled, for security reasons, to ignore and reject anything that comes from a different one. To me, here the wrong behavior is from pfSense.

So how can that be expected behavior? And again I am not sure we are talking about the same problem here.

#4 Updated by Jim Pingle almost 5 years ago

ICMP is connectionless, the OS will reply from whichever address is "closest" to the target. The firewall cannot tell what IP address is being used as the client gateway, it only sees packets arrive using a MAC address for the firewall (including the CARP MAC).

If you'd like a way to alter that behavior, you'll have to take it up with FreeBSD directly.
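The host-side rule discussed in comments #3 and #4 (a redirect is only honoured when it arrives from the gateway address the host is actually using), as an added example that is not code from the tracker thread or from pfSense: it builds two constructed ICMP host redirects, one sourced from the CARP VIP and one from the node's physical address, and shows the second being dropped. All addresses are constructed placeholders from the RFC 5737 documentation ranges.

```python
import struct
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges), not from the report.
CARP_VIP = "192.0.2.1"    # shared CARP address, the client's configured gateway
PHYS_IP = "192.0.2.2"     # the active node's own interface address
CLIENT = "192.0.2.50"
NEW_GW = "192.0.2.3"      # gateway the redirect points the client at
REMOTE = "203.0.113.7"    # destination of the client's original datagram

def packed(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 when a filled-in checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_redirect(src_ip: str, new_gw: str) -> bytes:
    """Constructed IPv4 packet carrying an ICMP host redirect (type 5, code 1) to CLIENT."""
    # Quoted original datagram: its 20-byte IP header plus the first 8 bytes of payload.
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         packed(CLIENT), packed(REMOTE)) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", 5, 1, 0, packed(new_gw)) + quoted
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    # Outer IP header; its own checksum is left 0 because the verdict below ignores it.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         packed(src_ip), packed(CLIENT))
    return ip_hdr + icmp

def redirect_verdict(pkt: bytes, expected_gateway: str) -> str:
    """Host-side rule from the thread: honour a redirect only if it comes
    from the gateway the host is actually using (here the CARP VIP)."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    icmp = pkt[ihl:]
    if pkt[9] != 1 or icmp[0] != 5:
        return "not-a-redirect"
    if icmp_checksum(icmp) != 0:
        return "bad-checksum"
    if src != expected_gateway:
        return f"rejected: redirect from {src}, expected {expected_gateway}"
    return f"accepted: new gateway {ipaddress.IPv4Address(icmp[4:8])}"

if __name__ == "__main__":
    for src in (CARP_VIP, PHYS_IP):
        print(src, "->", redirect_verdict(build_redirect(src, NEW_GW), CARP_VIP))
```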
