"
Hi,
I have a OPNsense 18.1.13-amd64
no multi-WAN setup and no Firewall rules setup with a specific gateway. but still somehow a static route is ignored for a TCP connection, and goes to the wrong gateway (another gateway on the same interface)
my Destination is in 10.10.0.0/16 (host 10.10.10.32) and should go to 172.23.1.130
if I do a telnet from this host 10.10.10.32 to a host behind my OPnsense, I see the packets to 10.10.10.32 go back via 172.23.1.254 and not 172.23.1.130...
tcpdump::
tcpdump -e -vni vmx4 port 9001
tcpdump: listening on vmx4, link-type EN10MB (Ethernet), capture size 262144 bytes
14:33:31.146357 00:50:28:ec:2d:50 > 00:00:5e:00:01:e8, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 63, id 25813, offset 0, flags [DF], proto TCP (6), length 60)
10.10.10.32.41118 > 172.21.15.56.9001: Flags [\S], cksum 0x3199 (correct), seq 3448980969, win 29200, options [mss 1460,sackOK,TS val 2772850772 ecr 0,nop,wscale 7], length 0
14:33:31.146599 00:50:56:86:2c:cf > f4:8e:38:02:6c:3c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 60)
172.21.15.56.9001 > 10.10.10.32.41118: Flags [\S.], cksum 0xd719 (correct), seq 2133773862, ack 3448980970, win 28960, options [mss 1460,sackOK,TS val 696378503 ecr 2772850772,nop,wscale 7], length 0
arp table:
root@fw-int01:/tmp # arp -an |grep f4:8e:38:02:6c:3c
? (172.23.1.254) at f4:8e:38:02:6c:3c on vmx4 expires in 1129 seconds [ethernet] < wrong
root@fw-int01:/tmp # arp -an | grep 00:50:28:ec:2d:50
? (172.23.1.131) at 00:50:28:ec:2d:50 on vmx4 expires in 1162 seconds [ethernet] < correct firewall for 10.10.0.0
arp -an |grep 172.23.1.130
? (172.23.1.130) at 00:00:5e:00:01:84 on vmx4 expires in 225 seconds [ethernet] < correct gateway
My Routing table:
netstat -nr
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 172.23.0.100 UGS vmx2
10.0.0.0/8 172.23.1.254 UGS vmx4
10.10.0.0/16 172.23.1.130 UGS vmx4
100.64.0.0/10 172.23.1.254 UGS vmx4
100.64.1.108 link#6 UHS lo0
100.64.1.108/31 link#6 U vmx5
127.0.0.1 link#7 UH lo0
155.195.219.112/28 172.23.1.108 UGS vmx4
172.16.0.0/12 172.23.1.254 UGS vmx4
172.21.15.0/24 link#4 U vmx3
172.21.15.1 link#4 UHS lo0
172.21.15.2 link#4 UHS lo0
172.21.16.0/24 link#2 U vmx1
172.21.16.1 link#2 UHS lo0
172.21.16.2 link#2 UHS lo0
172.23.0.0/24 link#3 U vmx2
172.23.0.230 link#3 UHS lo0
172.23.0.231 link#3 UHS lo0
172.23.1.0/24 link#5 U vmx4
172.23.1.230 link#5 UHS lo0
172.23.1.231 link#5 UHS lo0
172.24.119.0/24 172.23.1.108 UGS vmx4
172.25.0.0/20 link#1 U vmx0
172.25.0.230 link#1 UHS lo0
172.25.0.231 link#1 UHS lo0
192.168.0.0/16 172.23.1.254 UGS vmx4
192.168.175.0/24 172.23.1.108 UGS vmx4
194.55.40.0/24 172.23.1.108 UGS vmx4
194.55.42.0/24 172.23.1.108 UGS vmx4
194.55.43.0/24 172.23.1.108 UGS vmx4
194.55.48.0/24 172.23.1.108 UGS vmx4
194.55.49.0/24 172.23.1.108 UGS vmx4
194.55.100.0/24 172.23.1.108 UGS vmx4
can there be some icmp redirect poisoning or some other explanation for this?
Thanks for your ideas!
I have a OPNsense 18.1.13-amd64
no multi-WAN setup and no Firewall rules setup with a specific gateway. but still somehow a static route is ignored for a TCP connection, and goes to the wrong gateway (another gateway on the same interface)
my Destination is in 10.10.0.0/16 (host 10.10.10.32) and should go to 172.23.1.130
if I do a telnet from this host 10.10.10.32 to a host behind my OPnsense, I see the packets to 10.10.10.32 go back via 172.23.1.254 and not 172.23.1.130...
tcpdump::
tcpdump -e -vni vmx4 port 9001
tcpdump: listening on vmx4, link-type EN10MB (Ethernet), capture size 262144 bytes
14:33:31.146357 00:50:28:ec:2d:50 > 00:00:5e:00:01:e8, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 63, id 25813, offset 0, flags [DF], proto TCP (6), length 60)
10.10.10.32.41118 > 172.21.15.56.9001: Flags [\S], cksum 0x3199 (correct), seq 3448980969, win 29200, options [mss 1460,sackOK,TS val 2772850772 ecr 0,nop,wscale 7], length 0
14:33:31.146599 00:50:56:86:2c:cf > f4:8e:38:02:6c:3c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 60)
172.21.15.56.9001 > 10.10.10.32.41118: Flags [\S.], cksum 0xd719 (correct), seq 2133773862, ack 3448980970, win 28960, options [mss 1460,sackOK,TS val 696378503 ecr 2772850772,nop,wscale 7], length 0
arp table:
root@fw-int01:/tmp # arp -an |grep f4:8e:38:02:6c:3c
? (172.23.1.254) at f4:8e:38:02:6c:3c on vmx4 expires in 1129 seconds [ethernet] < wrong
root@fw-int01:/tmp # arp -an | grep 00:50:28:ec:2d:50
? (172.23.1.131) at 00:50:28:ec:2d:50 on vmx4 expires in 1162 seconds [ethernet] < correct firewall for 10.10.0.0
arp -an |grep 172.23.1.130
? (172.23.1.130) at 00:00:5e:00:01:84 on vmx4 expires in 225 seconds [ethernet] < correct gateway
My Routing table:
netstat -nr
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 172.23.0.100 UGS vmx2
10.0.0.0/8 172.23.1.254 UGS vmx4
10.10.0.0/16 172.23.1.130 UGS vmx4
100.64.0.0/10 172.23.1.254 UGS vmx4
100.64.1.108 link#6 UHS lo0
100.64.1.108/31 link#6 U vmx5
127.0.0.1 link#7 UH lo0
155.195.219.112/28 172.23.1.108 UGS vmx4
172.16.0.0/12 172.23.1.254 UGS vmx4
172.21.15.0/24 link#4 U vmx3
172.21.15.1 link#4 UHS lo0
172.21.15.2 link#4 UHS lo0
172.21.16.0/24 link#2 U vmx1
172.21.16.1 link#2 UHS lo0
172.21.16.2 link#2 UHS lo0
172.23.0.0/24 link#3 U vmx2
172.23.0.230 link#3 UHS lo0
172.23.0.231 link#3 UHS lo0
172.23.1.0/24 link#5 U vmx4
172.23.1.230 link#5 UHS lo0
172.23.1.231 link#5 UHS lo0
172.24.119.0/24 172.23.1.108 UGS vmx4
172.25.0.0/20 link#1 U vmx0
172.25.0.230 link#1 UHS lo0
172.25.0.231 link#1 UHS lo0
192.168.0.0/16 172.23.1.254 UGS vmx4
192.168.175.0/24 172.23.1.108 UGS vmx4
194.55.40.0/24 172.23.1.108 UGS vmx4
194.55.42.0/24 172.23.1.108 UGS vmx4
194.55.43.0/24 172.23.1.108 UGS vmx4
194.55.48.0/24 172.23.1.108 UGS vmx4
194.55.49.0/24 172.23.1.108 UGS vmx4
194.55.100.0/24 172.23.1.108 UGS vmx4
can there be some icmp redirect poisoning or some other explanation for this?
Thanks for your ideas!
