Hey all,
I'm wondering if anyone has some ideas on this... sorry for the long post
I have 2 NAT boxes. Each box is connected to the Internet differently. As such, 99% of requests go through box 1. But, box#2 is connected to a special network that must be used to contact the second network (vpn stuff).
I've added a route on NAT box 1 to use box 2 for requests to this special network. And, if I'm on box #1 and ping an IP for this special network, it correctly goes through box #2.
However, if I go to any workstation on the internal network that uses box#1 as default gw and attempt to ping a server on this special network, it correctly gets the ICMP redirect to the new gateway, but never actually uses it. I've tried this on NT and Linux workstations.
I've dropped all necessary firewalls for this test. I've also made sure that accept_redirect is enabled and secure_redirect and send_direct is off on my Linux workstation. I also made sure that send_redirect is enabled and secure_redirect/accept redirect is off on my #1 nat box.
With tcpdump I see something like this on the NAT server:
eth1 < 192.168.3.13 > 192.168.200.1: icmp: echo request
eth1 > 192.168.4.135 > 192.168.3.13: icmp: redirect 192.168.200.1 to host 192.168.0.2 [tos 0xc0]
On the Linux workstation I see almost the exact same thing. For the ping results I see something like this:
From gateway1 (192.168.4.135): Redirect Host (New nexthop: gateway2 (192.168.0.2))
And that's it... a quick check in route -n -C shows the route for the special network IP going to the wrong gateway. I've flushed the table manually, and the same wrong route appears after each test.
So, what else should I add? I've already added the extra route to the extra network on Nat#1. I double-checked the send/accept_redirect flags in /proc. And, if I manually add the route for the Nat#2 on any of the workstations, I *can* successfully ping the special network. Also, I really don't want to go to each workstation and add a second gateway manually. I was kinda hoping this icmp redirect would do it for me. I realize it'll generate more traffic. It's not that big a deal right now...
It seems like the Nat#1 isn't sending a correctly configured icmp_redirect (since neither NT nor Linux will use it). But, I can't see anything else wrong.... does this require some extra kernel option to work correctly? Any ideas? I've tried the NAT#1 on RH6.2 with 2.2.14-5.0 kernel, and the latest 2.2.19 kernel -- same results.
Thanks for any help
Jon
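As an added example (not part of Jon's post), the checks a receiving host applies before installing a redirect like the one in the tcpdump line above, per RFC 1122 section 3.2.2.2: the redirect must come from the gateway currently in use for that destination, and the advertised new gateway must be on the subnet the redirect arrived on, otherwise it is silently discarded. The workstation's prefix length and its current first hop are not stated in the post, so they are parameters here; the sample line is constructed from the quoted output.

```python
import ipaddress
import re

# Constructed sample, modelled on the tcpdump line quoted in the post.
SAMPLE_REDIRECT = ("eth1 > 192.168.4.135 > 192.168.3.13: icmp: redirect "
                   "192.168.200.1 to host 192.168.0.2 [tos 0xc0]")

IP = r"\d+\.\d+\.\d+\.\d+"
REDIRECT_RE = re.compile(
    rf"(?P<src>{IP}) > (?P<dst>{IP}): icmp: "
    rf"redirect (?P<target>{IP}) to (?:host|net) (?P<newgw>{IP})"
)


def parse_redirect(line):
    """Pull sender, receiver, redirected destination and new gateway
    out of a tcpdump-style ICMP redirect line."""
    m = REDIRECT_RE.search(line)
    if not m:
        raise ValueError("not an ICMP redirect line")
    return {k: ipaddress.ip_address(v) for k, v in m.groupdict().items()}


def redirect_verdict(line, iface_cidr, current_gw):
    """Apply the RFC 1122 acceptance checks a host makes before it installs
    a redirect. iface_cidr is the receiving interface's address with prefix
    length (assumed, e.g. '192.168.3.13/24'); current_gw is the first hop
    the host currently uses for the redirected destination (assumed)."""
    r = parse_redirect(line)
    iface = ipaddress.ip_interface(iface_cidr)
    problems = []
    if r["dst"] != iface.ip:
        problems.append("redirect is not addressed to this host")
    if r["src"] != ipaddress.ip_address(current_gw):
        problems.append("redirect did not come from the gateway currently in use")
    if r["newgw"] not in iface.network:
        problems.append(f"new gateway {r['newgw']} is not on local subnet {iface.network}")
    # A host that accepts redirects at all still drops any that fail these
    # checks, which is also what limits off-link redirect spoofing.
    return ("accept" if not problems else "discard", problems)


if __name__ == "__main__":
    for cidr in ("192.168.3.13/24", "192.168.3.13/16"):
        print(cidr, redirect_verdict(SAMPLE_REDIRECT, cidr, "192.168.4.135"))
```

With a /24 on the workstation the new gateway 192.168.0.2 is off-link and the redirect is discarded; with a /16 it is on-link and would be installed.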