tubular031
Posts: 15
Joined: Mon Jul 28, 2014 8:34 pm

weird routing

Mon Jul 28, 2014 8:40 pm

Been playing with the Pi for a few days now. I am running Raspbian, the most current. It's on 192.168.131.0/24; the gateway is 192.168.131.254. My Pi is getting an address and all local access seems fine. I have an IPsec VPN to 10.1.2.0/24. I can ping and work across the VPN all day, no prob, on my Windows box. From the Pi I try to ping 10.1.2.20 and I get 1 reply, then destination timed out. Not sure what is going on here.

route -n shows my gateway as 192.168.131.254, as it should be

pi@raspberrypi ~ $ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.131.254 0.0.0.0 UG 0 0 0 eth0
192.168.131.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

Ping output

pi@raspberrypi ~ $ ping 10.1.2.20
PING 10.1.2.20 (10.1.2.20) 56(84) bytes of data.
From 192.168.131.254: icmp_seq=1 Redirect Host(New nexthop: 10.1.2.20)
64 bytes from 10.1.2.20: icmp_req=1 ttl=126 time=11.9 ms
From 192.168.131.202 icmp_seq=2 Destination Host Unreachable
From 192.168.131.202 icmp_seq=3 Destination Host Unreachable
From 192.168.131.202 icmp_seq=4 Destination Host Unreachable
^C
--- 10.1.2.20 ping statistics ---
6 packets transmitted, 1 received, +3 errors, 83% packet loss, time 5006ms
rtt min/avg/max/mdev = 11.932/11.932/11.932/0.000 ms, pipe 3
pi@raspberrypi ~ $ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.131.254 0.0.0.0 UG 0 0 0 eth0
192.168.131.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

Any ideas?

tubular031
Posts: 15
Joined: Mon Jul 28, 2014 8:34 pm

Re: weird routing

Tue Jul 29, 2014 1:40 pm

When I ping the Pi from the 10.1.2.0/24 network I see similar results. One ping response and the rest time out.

AndrewS
Posts: 3625
Joined: Sun Apr 22, 2012 4:50 pm
Location: Cambridge, UK

Re: weird routing

Tue Jul 29, 2014 4:24 pm

I know very little about VPNs :oops: but does it work any better if you explicitly add a route for the 10.1.2.0 network?

emgi
Posts: 357
Joined: Thu Nov 07, 2013 4:08 pm
Location: NL

Re: weird routing

Tue Jul 29, 2014 5:08 pm

Interesting problem and as usual with very little info. :|

Fortunately there is a clue in the output:
From 192.168.131.254: icmp_seq=1 Redirect Host(New nexthop: 10.1.2.20)

The "Redirect Host" tells me the VPN router "thinks" the destination is somehow directly connected.
From experience I know the Pi does not handle ICMP redirects like your Windows machine does, but this is not as it should be.
It does explain why your Windows machine is working OK.
The suggested fix (to add a static route for the 10.x network) may not solve the problem but it's still worth trying.
Otherwise you need to check the configuration of your VPN connection.
This could introduce a performance improvement for the Windows box as well when the redirects are no longer sent.

/emgi
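
An added example, not part of any poster's message: it reads the ping transcript from the first post the way emgi describes, parsing the redirect and unreachable lines and checking whether the redirect's new next hop lies inside the LAN subnet 192.168.131.0/24. The function names are hypothetical.

```python
import ipaddress
import re

# Ping transcript copied from the first post in this thread.
PING_OUTPUT = """\
PING 10.1.2.20 (10.1.2.20) 56(84) bytes of data.
From 192.168.131.254: icmp_seq=1 Redirect Host(New nexthop: 10.1.2.20)
64 bytes from 10.1.2.20: icmp_req=1 ttl=126 time=11.9 ms
From 192.168.131.202 icmp_seq=2 Destination Host Unreachable
From 192.168.131.202 icmp_seq=3 Destination Host Unreachable
From 192.168.131.202 icmp_seq=4 Destination Host Unreachable
"""
PREFIX = r"^From (?P<src>[\d.]+):? icmp_seq=(?P<seq>\d+) "
REDIRECT = re.compile(PREFIX + r"Redirect (?:Host|Network)\s*\(New nexthop: (?P<hop>[\d.]+)\)")
UNREACH = re.compile(PREFIX + r"Destination Host Unreachable")


def analyse_ping(text, lan_cidr):
    """Classify redirect and unreachable lines relative to the local subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    redirects, unreachable = [], []
    for line in text.splitlines():
        if m := REDIRECT.match(line):
            hop = ipaddress.ip_address(m["hop"])
            # A redirect is only usable when the new next hop is a neighbour
            # on the receiving host's own link, i.e. inside its subnet.
            redirects.append({"sender": m["src"], "seq": int(m["seq"]),
                              "new_nexthop": str(hop), "on_link": hop in lan})
        elif m := UNREACH.match(line):
            unreachable.append({"reporter": m["src"], "seq": int(m["seq"])})
    return {"redirects": redirects, "unreachable": unreachable}


def off_link_redirects(report):
    """Redirects naming a next hop outside the local subnet."""
    return [r for r in report["redirects"] if not r["on_link"]]


if __name__ == "__main__":
    rep = analyse_ping(PING_OUTPUT, "192.168.131.0/24")
    for r in off_link_redirects(rep):
        print(f"{r['sender']} redirected seq {r['seq']} to off-link next hop {r['new_nexthop']}")
    for u in rep["unreachable"]:
        print(f"seq {u['seq']}: host unreachable, reported by {u['reporter']}")
```

On this transcript the single redirect from 192.168.131.254 names 10.1.2.20, which is outside 192.168.131.0/24, and every later sequence number is reported unreachable.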

tubular031
Posts: 15
Joined: Mon Jul 28, 2014 8:34 pm

Re: weird routing

Wed Jul 30, 2014 4:00 pm

Added the static route and same outcome. I have had many other Linux appliances behind the firewall and they all seem to not care about the IPsec VPN. None that I know were on Debian. Most are cent, redhat, vmware esx/esxi (whatever they are running these days), freebsd. I was going to try deploying Ubuntu to see if it reacted the same way. Not a big deal yet, but it could be for anyone beyond the home user that is trying to use a Pi across a tunneled layer 3 connection.

emgi
Posts: 357
Joined: Thu Nov 07, 2013 4:08 pm
Location: NL

Re: weird routing

Thu Jul 31, 2014 8:55 am

As a matter of fact, I do have a similar setup in operation with a VPN between my home and my office.
The problem in your case is the ICMP redirect sent by your router.
Typically you would expect this when the VPN terminates on another device in 192.168.131.0.
I hate to ask, but this IS indeed the system terminating the VPN, is it?

Assuming this is indeed the case, then you should examine why the router (.254) thinks it is necessary to send a redirect message.

/emgi

tubular031
Posts: 15
Joined: Mon Jul 28, 2014 8:34 pm

Re: weird routing

Thu Jul 31, 2014 1:38 pm

I figured out the issue. It's related to a "bug" within pfsense (or maybe FreeBSD). In order for the firewall itself to use services from the other end of a VPN tunnel you need to put a static route into its routing table. I had a static route in it for 10.1.2.0/24 gateway 192.168.131.254 on the LAN interface. I had this route in there because I was testing LDAP auth and also for SNMP on the internal interface from the other end of the tunnel. Once I disabled this route, I was able to ping to the other end without the redirect.

The only OSes that I have found that seem to care about this are the raspi and some (now most) flavors of Android. Windows, centos, redhat, all flavors of esx/esxi don't seem to care and talk across the tunnel fine.

This was not only breaking ICMP, but also all other traffic. I could not pull up a webpage hosted on the 10.1.2.0 network (tomcat/vmware, iis, apd PDUs, dell idrac).

Just to say one more time for someone that may stumble onto this in the future, this only bothers the Pi and many flavors of Android. Other OSes seem to not care and will cross the tunnel just fine. This is related to PFsense as a firewall. Most other firewalls out there do not have this bug.

kengineer
Posts: 1
Joined: Thu Aug 07, 2014 2:41 pm

Re: weird routing

Fri Aug 08, 2014 10:29 am

Hi there! Is it possible to install pfsense in a Raspberry Pi? What OS should I use? And how can I get pfsense to RPi? Thanks for your response.. :)

tubular031
Posts: 15
Joined: Mon Jul 28, 2014 8:34 pm

Re: weird routing

Fri Aug 08, 2014 2:05 pm

I don't think so. PFsense is built on FreeBSD and from what I read they don't have a version for the ARM processors. I run pfsense as a VM on VMware in many places and at home I have an alix board it runs on (netgate). You can run pfsense on an older desktop PC or laptop and you can also live boot from the CD/USB to play with it and not format your computer (be careful!!). I have been using pfsense for a long time. It's awesome!

palletboy
Posts: 1
Joined: Wed Aug 05, 2015 8:09 pm

Re: weird routing

Wed Aug 05, 2015 8:13 pm

I was having this exact problem with PFSense/Azure and local Ubuntu servers - but the fix from tubular031 works.
