Bug #9235

closed

pfsense does not send ICMP redirect

Added by Daniele Palumbo almost 6 years ago. Updated over 5 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Operating System
Target version: -
Start date: 12/28/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.x
Affected Architecture:

Description

Hi,

This is a clone of
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221137

In FreeBSD >=11, ICMP redirects are not sent.
An effective and very simple patch is attached.
To the best of my knowledge and testing (tcpdump), ICMP redirects are effectively not sent by pfsense.

According to the bug, there is no workaround.
Packets are forwarded by pfsense in place of an ICMP redirect, which can result in asymmetric routing and other nasty situations.

According to the roadmap,
https://www.netgate.com/docs/pfsense/releases/versions-of-pfsense-and-freebsd.html
pfsense will stick to version 11.2 for a while.

Is it possible to have a backport of such a patch?

Use case scenario:
- we have 2 pfsense in HA
- we have 2 openvpn gateways in the LAN
- the 2 openvpn gateways are reaching private addresses
- we cannot/won't move the openvpn configuration to the pfsense

Additional info:
- puppet is one service in the private address map
- don't filter packets going out in the same interface is flagged
- puppet "sometimes" receives a timeout

Thanks,
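
An added example, not part of the original report or of pfSense/FreeBSD code: a Python sketch of the check the reporter describes doing with tcpdump. It decodes an ICMP redirect (type 5, RFC 792) from captured bytes and tests the RFC 1812 conditions under which a router is expected to send one. All addresses, interface names and the sample packet are constructed assumptions.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (ones' complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_redirect(icmp: bytes):
    """Decode an ICMP redirect (type 5, RFC 792); return None for anything else."""
    if len(icmp) < 8 + 20 or icmp[0] != 5:
        return None
    inner = icmp[8:]  # original IP header + first 8 bytes of its payload
    return {
        "code": icmp[1],  # 0=network, 1=host, 2=TOS+network, 3=TOS+host
        "checksum_ok": inet_checksum(icmp) == 0,
        "use_gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }

def redirect_expected(lan, src, next_hop, in_if, out_if) -> bool:
    """RFC 1812 conditions: packet leaves by the interface it arrived on, and
    the sender sits on the same subnet as the next hop."""
    net = ipaddress.ip_network(lan)
    return (in_if == out_if and ipaddress.ip_address(src) in net
            and ipaddress.ip_address(next_hop) in net)

def sample_redirect() -> bytes:
    """Constructed sample: 192.168.1.50 is told to use 192.168.1.2 for 10.8.0.10."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 1, 0, 64, 6, 0,
                        ipaddress.IPv4Address("192.168.1.50").packed,
                        ipaddress.IPv4Address("10.8.0.10").packed) + bytes(8)
    body = ipaddress.IPv4Address("192.168.1.2").packed + inner
    csum = inet_checksum(struct.pack("!BBH", 5, 1, 0) + body)
    return struct.pack("!BBH", 5, 1, csum) + body

if __name__ == "__main__":
    print(parse_redirect(sample_redirect()))
    print(redirect_expected("192.168.1.0/24", "192.168.1.50", "192.168.1.2", "lan", "lan"))
```

In the scenario above, `redirect_expected` returning true for a LAN host whose next hop is a gateway on the same LAN, combined with no decodable type 5 message in the capture, is the symptom this report describes.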
