Bug #8294 (closed)
ICMP redirect doesn't use CARP IP
Added by Denis Grilli almost 7 years ago. Updated over 5 years ago.
Category: High Availability
Description
When you configure two pfSense servers in high availability using CARP, every ICMP redirect generated uses the physical interface IP address and not the correct CARP IP.
That leads to a problem because some operating systems (tested: Windows 7 and Windows 10) reject the ICMP because it is not coming from the correct gateway IP.
Bug still present in 2.4.4
- Status changed from New to Not a Bug
That's expected behavior and not something we can easily rectify (past attempts have been unsuccessful) -- See #6957
Not sure it is the same thing.
I am not talking about some devices that check the source MAC address, I am talking about pfSense sending the reply with the wrong IP.
If I send a packet to the CARP IP, any device will expect the answer (or in this case the ICMP redirect) from the same IP, and those devices are legitimately entitled, for security reasons, to ignore and reject anything that comes from a different one. To me, the wrong behavior here is from pfSense.
So how can that be expected behavior? And again, I am not sure we are talking about the same problem here.
ICMP is connectionless, the OS will reply from whichever address is "closest" to the target. The firewall cannot tell what IP address is being used as the client gateway, it only sees packets arrive using a MAC address for the firewall (including the CARP MAC).
If you'd like a way to alter that behavior, you'll have to take it up with FreeBSD directly.
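The host-side check the reporter describes (a client discarding a redirect whose source IP is not its configured gateway), as an added Python example that is not part of this ticket, of pfSense or of FreeBSD: it parses a constructed IPv4/ICMP Redirect, verifies both checksums, and accepts the redirect only when the source address equals the configured gateway (the CARP VIP). All addresses are constructed from the 192.0.2.0/24 documentation range; the VIP/physical-address split mirrors the scenario in the report.

```python
import struct
import ipaddress
ICMP_REDIRECT = 5  # ICMP type for Redirect messages

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd-length input is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_redirect(packet: bytes):
    """Return {src, code, new_gateway} for an IPv4 ICMP Redirect, else None."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None  # not IPv4 carrying ICMP
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        return None  # bad IP header checksum
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_REDIRECT or inet_checksum(icmp) != 0:
        return None  # not a redirect, or bad ICMP checksum
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "code": icmp[1],
            "new_gateway": str(ipaddress.IPv4Address(icmp[4:8]))}

def redirect_accepted(packet: bytes, configured_gateway: str) -> bool:
    """Host-side rule from the report: honour a redirect only when its source IP
    equals the configured default gateway (the CARP VIP)."""
    r = parse_redirect(packet)
    return r is not None and r["src"] == configured_gateway

def build_redirect(src: str, dst: str, new_gateway: str, code: int = 1) -> bytes:
    """Constructed sample: IPv4 header + ICMP Redirect (code 1 = host) carrying a
    dummy 28-byte excerpt of the 'original' datagram as payload."""
    payload = b"\x45" + b"\x00" * 27
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.IPv4Address(new_gateway).packed) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp

if __name__ == "__main__":
    VIP, PHYS, HOST = "192.0.2.1", "192.0.2.2", "192.0.2.50"  # constructed addresses
    print(redirect_accepted(build_redirect(VIP, HOST, "192.0.2.3"), VIP))   # True
    print(redirect_accepted(build_redirect(PHYS, HOST, "192.0.2.3"), VIP))  # False
```

The second call is the situation in the ticket: a redirect sourced from the physical interface address is dropped by a client that trusts only its configured gateway.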