Outgoing packets being sent via wrong interface

Daniel Bilik ddb at neosystem.org
Fri Nov 27 09:18:09 UTC 2015


On Wed, 25 Nov 2015 12:20:33 +0000
Gary Palmer <gpalmer at freebsd.org> wrote:

> route -n get <unreachable IP>

As suggested by Kevin and Ryan, I set the router to drop redirects...

net.inet.icmp.drop_redirect: 1

... but it happened again today, and again the affected host was 192.168.2.33.
Routing and arp entries were correct. Output of "route -n get"...

   route to: 192.168.2.33
destination: 192.168.2.0
       mask: 255.255.255.0
        fib: 0
  interface: re1
      flags: <UP,DONE,PINNED>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0 

... has not changed during the problem.

The ping result was interesting...

PING 192.168.2.33 (192.168.2.33): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
...
64 bytes from 192.168.2.33: icmp_seq=11 ttl=128 time=0.593 ms
ping: sendto: Operation not permitted
...
64 bytes from 192.168.2.33: icmp_seq=20 ttl=128 time=0.275 ms
64 bytes from 192.168.2.33: icmp_seq=21 ttl=128 time=0.251 ms
ping: sendto: Operation not permitted
...
64 bytes from 192.168.2.33: icmp_seq=40 ttl=128 time=0.245 ms
ping: sendto: Operation not permitted
64 bytes from 192.168.2.33: icmp_seq=42 ttl=128 time=7.111 ms
ping: sendto: Operation not permitted
...
--- 192.168.2.33 ping statistics ---
46 packets transmitted, 5 packets received, 89.1% packet loss

It seems _some_ packets go out the right interface (re1), but most
try to go out the wrong one (re0) and are dropped by pf...

00:00:01.066886 rule 53..16777216/0(match): block out on re0: 82.x.y.50 > 192.168.2.33: ICMP echo request, id 58628, seq 39, length 64
00:00:02.017874 rule 53..16777216/0(match): block out on re0: 82.x.y.50 > 192.168.2.33: ICMP echo request, id 58628, seq 41, length 64
00:00:02.069634 rule 53..16777216/0(match): block out on re0: 82.x.y.50 > 192.168.2.33: ICMP echo request, id 58628, seq 43, length 64

And again, refreshing the default route (delete default / add default)
resolved it...

PING 192.168.2.33 (192.168.2.33): 56 data bytes
64 bytes from 192.168.2.33: icmp_seq=0 ttl=128 time=0.496 ms
64 bytes from 192.168.2.33: icmp_seq=1 ttl=128 time=0.226 ms
64 bytes from 192.168.2.33: icmp_seq=2 ttl=128 time=0.242 ms
64 bytes from 192.168.2.33: icmp_seq=3 ttl=128 time=0.226 ms

--
						Dan
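
A check for the symptom described in the message above, added here as an example and not part of the original post: it compares the interface in pflog tcpdump lines with the interface a longest-prefix match over the routing table would select. The ROUTES table, the function names and the third log line are assumptions made for illustration; the default route on re0 is inferred from the log, not stated in the message.

```python
import ipaddress
import re

# Routing view (assumed): 192.168.2.0/24 on re1 comes from the "route -n get"
# output in the message; the default route on re0 is inferred from the pf log.
ROUTES = {"192.168.2.0/24": "re1", "0.0.0.0/0": "re0"}

# tcpdump rendering of a pflog record: "... block out on re0: SRC > DST: ..."
# DST may carry a trailing ".port" for TCP/UDP, which is matched but not captured.
PFLOG_RE = re.compile(
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"\S+ > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

def expected_interface(dst, routes=ROUTES):
    """Longest-prefix match of dst against the routing view."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def misrouted(lines, routes=ROUTES):
    """Return (dst, logged_if, expected_if) for each outbound packet that pf
    logged on an interface other than the one the routing view selects."""
    hits = []
    for line in lines:
        m = PFLOG_RE.search(line)
        if not m or m["dir"] != "out":
            continue
        want = expected_interface(m["dst"], routes)
        if want is not None and m["ifname"] != want:
            hits.append((m["dst"], m["ifname"], want))
    return hits

# First two lines are copied from the message; the third is a constructed
# control line showing a correctly routed packet.
SAMPLE = [
    "00:00:01.066886 rule 53..16777216/0(match): block out on re0: 82.x.y.50 > 192.168.2.33: ICMP echo request, id 58628, seq 39, length 64",
    "00:00:02.017874 rule 53..16777216/0(match): block out on re0: 82.x.y.50 > 192.168.2.33: ICMP echo request, id 58628, seq 41, length 64",
    "00:00:03.000000 rule 10/0(match): pass out on re1: 192.168.2.1 > 192.168.2.33: ICMP echo request, id 58628, seq 42, length 64",
]

if __name__ == "__main__":
    for dst, seen, want in misrouted(SAMPLE):
        print(f"{dst}: logged on {seen}, routing view expects {want}")
```

A non-empty result while "route -n get" still reports the expected interface is the mismatch reported in this message.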

