> net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects

Good to know this feature :)

> Are systems behind the firewall able to route to and reach the remote network?

Yes, all is working.

> we could route through the device, but packets that originated from the router were not able to make it through

This is also my case.

> create a static route for the remote network to use the external interface of the remote router as the gateway

Is it the best practice to create a static route to allow packets from the router (e.g. for unbound) to reach the remote LAN? Even with the "ping" Redirect Host "overhead"?

Thanks for your feedback!

2014-02-10 18:01 GMT+01:00 Zach Leslie <[email protected]>:

> Are systems behind the firewall able to route to and reach the remote
> network? I just built out an environment to do this last week using carp,
> and some of the trouble I had was that we could route through the device,
> but packets that originated from the router were not able to make it
> through. Even though the flows were set up to use the remote gateways,
> traffic would still leave for the default gateway. We either had to create
> a static route for the remote network to use the external interface of the
> remote router as the gateway, or point to the internal carp interface.
> There seems to be something funny about the way flows interact with the
> routing table at times, and it's not quite clear to me why.
>
>
> On Mon, Feb 10, 2014 at 7:43 AM, Aurelien Martin <[email protected]> wrote:
>
>> Hi Christoph,
>>
>> Yes, it works if the binary handles the interface selection.
>> But in my case, unbound is listening on *.20.254 (my local gateway) but
>> it can't reach the remote LAN.
>> It uses the default (wan) interface instead of the IPSEC tunnel by default.
>>
>> Cheers,
>> Aurelien
>>
>> On 02/10/2014 04:31 PM, Christoph Leser wrote:
>>
>>> For me it works if I do the 'interface selection' myself, by specifying
>>> the -I switch on ping, or -b for ssh.
>>>
>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On
>>>> Behalf Of Aurelien Martin
>>>> Sent: Monday, 10 February 2014 16:10
>>>> To: Mitja Muženič; [email protected]
>>>> Subject: Re: reach a remote LAN through IPSEC from the router
>>>>
>>>>
>>>> Hi Mitja,
>>>>
>>>> When I add the route manually it's working like a charm.
>>>>
>>>> But after that, all machines of my LAN ping with the following form
>>>> (Redirect Host). What does it mean? For me the router rewrites the
>>>> destination, which creates an overhead.
>>>>
>>>>
>>>> $ ping 192.168.10.1
>>>> PING 192.168.10.1 (192.168.10.1): 56 data bytes
>>>> 36 bytes from 192.168.20.254: Redirect Host(New addr: 192.168.20.254)
>>>> Vr HL TOS  Len   ID Flg  off TTL Pro  cks          Src          Dst
>>>>  4  5  00 0054 85ff   0 0000  40  01 4b56 192.168.30.2 192.168.10.1
>>>>
>>>>
>>>> Cheers,
>>>> Aurelien
>>>>
>>>>
>>>> On 02/10/2014 04:03 PM, Mitja Muženič wrote:
>>>>
>>>>> A simple trick is to add a manual route for the remote LAN to the
>>>>> internal interface of your router.
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>>> From: [email protected] [mailto:[email protected]] On
>>>>>> Behalf Of Aurelien Martin
>>>>>> Sent: Monday, February 10, 2014 3:59 PM
>>>>>> To: [email protected]
>>>>>> Subject: reach a remote LAN through IPSEC from the router
>>>>>>
>>>>>> Dear all,
>>>>>>
>>>>>> I'm linked to another LAN through IPSEC. Everything is working except
>>>>>> if I try to reach the remote LAN from my OpenBSD router.
>>>>>>
>>>>>> In this case, the router uses the default interface (wan) instead of
>>>>>> the IPSEC tunnel.
>>>>>>
>>>>>> I would like to be able to reach the remote LAN because a service on
>>>>>> the router needs to reach it.
>>>>>>
>>>>>> Please see the logs in the attachments (schema-and-logs.txt +
>>>>>> ipsec-pf-route.txt).
>>>>>>
>>>>>> Any idea?
>>>>>>
>>>>>> I already tried to add a dirty route; it works, but creates
>>>>>> overhead.
>>>>>>
>>>>>> $ ping 192.168.10.1
>>>>>> PING 192.168.10.1 (192.168.10.1): 56 data bytes
>>>>>> 36 bytes from 192.168.20.254: Redirect Host(New addr: 192.168.20.254)
>>>>>> Vr HL TOS  Len   ID Flg  off TTL Pro  cks          Src          Dst
>>>>>>  4  5  00 0054 85ff   0 0000  40  01 4b56 192.168.20.2 192.168.10.1
>>>>>>
>>>>>>
>>>>>>
>>>>>> Have a good day
>>>>>> Cheers,
>>>>>> Aurelien
>>>>>>
>>>>>
>>
>
>
>
> --
> Zach
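The "36 bytes from 192.168.20.254: Redirect Host" line that worries the poster is the router answering a LAN host's echo request with an ICMP redirect: 8 bytes of ICMP header (type 5, code 1, the new gateway address) followed by the first 28 bytes of the offending datagram, which is the 20-byte IPv4 header plus 8 bytes of payload that ping then dumps as the "Vr HL TOS ..." table. The following script is an added example, not code from the thread; it decodes that dump (assuming, as ping does, that every numeric column is hexadecimal), rebuilds the option-less IPv4 header and recomputes the RFC 1071 header checksum, so the fields of the packet that triggered the redirect can be read off and checked: TTL 0x40 is 64 hops, protocol 01 is ICMP, and Len 0x0054 is 84 bytes (20 IP + 8 ICMP + the 56 data bytes ping announces). The dump in the later reply verifies; the one in the first post, which shows a different source address with the same checksum, does not.

```python
"""Decode the IPv4 header dump OpenBSD ping prints after an ICMP Redirect Host
and verify its header checksum.  Added example for this thread, not code from
any of the posters; the dump lines below are copied from the thread."""
import ipaddress
from dataclasses import dataclass

IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


@dataclass
class IPv4Header:
    version: int
    ihl: int
    tos: int
    total_length: int
    ident: int
    flags: int
    frag_offset: int
    ttl: int
    proto: int
    checksum: int
    src: str
    dst: str


def parse_ping_dump(line: str) -> IPv4Header:
    """Parse one data line under ping's 'Vr HL TOS Len ID Flg off TTL Pro cks Src Dst'.
    Assumption: all numeric columns are hexadecimal, as ping prints them."""
    cols = line.split()
    if len(cols) != 12:
        raise ValueError(f"expected 12 columns, got {len(cols)}: {line!r}")
    vr, hl, tos, ln, ident, flg, off, ttl, pro, cks = (int(c, 16) for c in cols[:10])
    return IPv4Header(vr, hl, tos, ln, ident, flg, off, ttl, pro, cks, cols[10], cols[11])


def header_bytes(h: IPv4Header, with_checksum: bool = True) -> bytes:
    """Rebuild the 20-byte option-less IPv4 header from the parsed fields."""
    if h.ihl != 5:
        raise ValueError("this example only handles headers without options (IHL=5)")
    return (
        bytes([(h.version << 4) | h.ihl, h.tos])
        + h.total_length.to_bytes(2, "big")
        + h.ident.to_bytes(2, "big")
        + ((h.flags << 13) | h.frag_offset).to_bytes(2, "big")
        + bytes([h.ttl, h.proto])
        + (h.checksum if with_checksum else 0).to_bytes(2, "big")
        + ipaddress.IPv4Address(h.src).packed
        + ipaddress.IPv4Address(h.dst).packed
    )


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(h: IPv4Header) -> bool:
    """True when the checksum printed in the dump matches the rebuilt header."""
    return internet_checksum(header_bytes(h, with_checksum=False)) == h.checksum


def describe(h: IPv4Header) -> str:
    """Human-readable summary of the datagram that triggered the redirect."""
    flags = [name for bit, name in ((0b010, "DF"), (0b001, "MF")) if h.flags & bit]
    return (f"{h.src} -> {h.dst} proto={IP_PROTO_NAMES.get(h.proto, h.proto)} "
            f"ttl={h.ttl} len={h.total_length} id=0x{h.ident:04x} "
            f"flags={'|'.join(flags) or 'none'} checksum_ok={checksum_ok(h)}")


# Dump lines copied from the thread: the later reply and the first post.
LATER_DUMP = "4 5 00 0054 85ff 0 0000 40 01 4b56 192.168.30.2 192.168.10.1"
FIRST_DUMP = "4 5 00 0054 85ff 0 0000 40 01 4b56 192.168.20.2 192.168.10.1"

if __name__ == "__main__":
    for line in (LATER_DUMP, FIRST_DUMP):
        print(describe(parse_ping_dump(line)))
```

The checksum step is what makes the decoder trustworthy: a dump whose printed checksum does not recompute was either edited or came from a different packet than its neighbours, which matters when the same output is pasted into several messages of a thread.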

