Old 10-31-2016, 11:51 AM   #1
sundialsvcs
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,711
Blog Entries: 4
Unwanted "redirect host" on port forwarding (Fortinet router)
I have the following very-ordinary (OpenVPN) situation, but when I set up the necessary static-routing command on the client's Fortinet router, I am getting a Redirect Host response to ping. I have no idea why this is occurring.

Here's the setup:
  • The client's internal network is 10.20.30.x.
  • The remote subnet that's accessible through OpenVPN is 10.11.12.x.
  • All computers see 10.20.30.1 as their default gateway, which is the Fortinet device.
  • A computer on the internal network at 10.20.30.18 is set up to run OpenVPN and to act as the secure router to that subnet.
  • The necessary OpenVPN route and iroute mojo (and ifup route commands elsewhere in the secure network) have been set up in a known-good configuration.
  • A static route is defined on the Fortinet, leading to 10.11.12/24 and specifying 10.20.30.18 as the gateway.
Basic OpenVPN connectivity is known to have been established. On 10.20.30.18, a local user can see and "ping" the secure subnet.

The trouble is, on any other computer on the 10.20.30.x internal network, the Fortinet responds to a (say ...) ping 10.11.22.1 request with a Redirect Host response referring to 10.20.30.18. It does not forward the traffic.

Quote:
Originally Posted by RFC 792 (Internet Protocol):
The gateway sends a redirect message to a host in the following situation. A gateway, G1, receives an internet datagram from a host on a network to which the gateway is attached. The gateway, G1, checks its routing table and obtains the address of the next gateway, G2, on the route to the datagram's internet destination network, X. If G2 and the host identified by the internet source address of the datagram are on the same network, a redirect message is sent to the host. The redirect message advises the host to send its traffic for network X directly to gateway G2 as this is a shorter path to the destination. The gateway forwards the original datagram's data to its internet destination.
While it is entirely true that any computer on that network could (if the user had administrative privileges ...) define a route 10.11.12.0/24 --gw 10.20.30.18 on their own machines and reach the secure subnet, and while it is also true that such would indeed be "a shorter path," it's not what I want the Fortinet to do. I just want it to do what I told it to do. It does not matter that another accessible gateway could be "the" gateway. I want it to "just forward the traffic, dammit!"

Any Fortinet gurus out there who can tell me what to do about this?

To me, this would seem to simply be a case of "a certain device on the local network is 'a router' that leads to a remote subnet." A static route on another router, leading to that one, ought to "just work," whether or not it is an "extra" hop. Fact is, all routers are necessarily present on "the local network."
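Before asking the Fortinet to change its behaviour, it is worth seeing exactly what the client receives. The following is an added example, not code from the original post: it builds a Redirect Host message of the kind described above (the packet bytes are constructed here, not captured on the poster's network, and the client address 10.20.30.50 is an assumption), decodes it the way a capture on the client would, and applies the RFC 792 condition quoted in the post. The decoded "original_src"/"original_dst" pair tells you which flow triggered the redirect; whether the Fortinet also forwarded that original datagram is a separate check, made with a capture on 10.20.30.18.

```python
"""Added example (not from the original post): decode an ICMP Redirect and apply
the RFC 792 rule that explains why a router sends one.  All packets below are
constructed in code; 10.20.30.50 is an assumed client address."""
import ipaddress
import struct

ICMP_PROTO = 1
ICMP_ECHO_REQUEST = 8
ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "Redirect Network", 1: "Redirect Host",
                  2: "Redirect TOS+Network", 3: "Redirect TOS+Host"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 over a correctly checksummed block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, TTL 64) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) for a raw IPv4 packet without link-layer header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return (ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]),
            pkt[9], pkt[ihl:total_len])


def build_icmp_redirect(router: str, host: str, gateway: str, original: bytes) -> bytes:
    """Redirect Host (type 5, code 1) as a router sends it: the gateway to use, then the
    original datagram's IP header plus its first 8 bytes (RFC 792)."""
    body = struct.pack("!BBH", ICMP_REDIRECT, 1, 0) + ipaddress.IPv4Address(gateway).packed + original[:28]
    body = body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]
    return build_ipv4(router, host, ICMP_PROTO, body)


def parse_icmp_redirect(pkt: bytes):
    """If pkt is an ICMP Redirect, return the fields a capture would show; otherwise None."""
    src, dst, proto, icmp = parse_ipv4(pkt)
    if proto != ICMP_PROTO or len(icmp) < 8 or icmp[0] != ICMP_REDIRECT:
        return None
    code = icmp[1]
    gateway = ipaddress.IPv4Address(icmp[4:8])
    # The quoted datagram identifies the flow that triggered the redirect.
    inner_src = inner_dst = None
    if len(icmp) >= 28:
        inner_src, inner_dst, _, _ = parse_ipv4(icmp[8:])
    return {
        "from_router": str(src), "to_host": str(dst),
        "code": REDIRECT_CODES.get(code, "code %d" % code),
        "checksum_ok": internet_checksum(icmp) == 0,
        "use_gateway": str(gateway),
        "original_src": str(inner_src), "original_dst": str(inner_dst),
    }


def redirect_expected(router_lan: str, next_hop: str, source: str) -> bool:
    """RFC 792 rule: a redirect is sent when the next hop G2 and the datagram's
    source host are on the same network as the router's interface."""
    lan = ipaddress.ip_network(router_lan, strict=False)
    return ipaddress.ip_address(next_hop) in lan and ipaddress.ip_address(source) in lan


def demo():
    """Constructed scenario from the thread: the (assumed) client 10.20.30.50 pings
    10.11.12.1 via the Fortinet at 10.20.30.1, whose static route points at 10.20.30.18."""
    echo = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1)
    echo = echo[:2] + struct.pack("!H", internet_checksum(echo)) + echo[4:]
    original = build_ipv4("10.20.30.50", "10.11.12.1", ICMP_PROTO, echo)
    redirect = build_icmp_redirect("10.20.30.1", "10.20.30.50", "10.20.30.18", original)
    info = parse_icmp_redirect(redirect)
    info["expected_by_rfc792"] = redirect_expected("10.20.30.1/24", info["use_gateway"], info["original_src"])
    return info


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
```

Run against a real capture, feed `parse_icmp_redirect` the IPv4 bytes of each frame (strip the 14-byte Ethernet header first). A Linux client that honours the redirect installs a host route for 10.11.12.1 via 10.20.30.18; whether it does so is governed by the `net.ipv4.conf.*.accept_redirects` sysctls, so two clients on the same LAN can behave differently.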
Old 11-02-2016, 02:52 PM   #2
nini09
Senior Member
Registered: Apr 2009
Posts: 1,860
For OpenVPN tunnel, what's inner network, 10.11.12.x? What's outer network, 10.20.30.x?
Old 11-02-2016, 06:33 PM   #3
scheidel21
Senior Member
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323
Is it a policy-based route? http://www.plaintutorials.com/policy...gate-firewall/

I might consider just pushing the route by dhcp.

If you want to continue investigating then I would start looking at the traffic with a packet capture. Is the host redirecting the traffic, is the fortigate forwarding it?
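"Pushing the route by DHCP" means the Classless Static Route option (DHCP option 121, RFC 3442; Windows clients also read the same encoding as Microsoft option 249). The following is an added example, not code from the thread: it encodes and decodes that option for the route under discussion, 10.11.12.0/24 via 10.20.30.18. The `dnsmasq_option_line` helper and its syntax are for dnsmasq, which is an assumption on my part; the Fortinet's own DHCP configuration screens are not shown anywhere in this thread.

```python
"""Added example (not from the thread): encode/decode DHCP option 121
(Classless Static Route, RFC 3442) to hand the VPN route to every client."""
import ipaddress


def encode_classless_routes(routes):
    """routes: list of (prefix, gateway).  Each entry is encoded as
    <prefix length><only the significant destination octets><4-byte gateway>."""
    out = bytearray()
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix, strict=True)
        n = (net.prefixlen + 7) // 8           # /24 -> 3 octets, /0 -> 0 octets
        out.append(net.prefixlen)
        out += net.network_address.packed[:n]
        out += ipaddress.IPv4Address(gateway).packed
    if len(out) > 255:
        raise ValueError("option payload exceeds 255 bytes; split it per RFC 3396")
    return bytes(out)


def decode_classless_routes(data: bytes):
    """Inverse of encode_classless_routes; returns [(prefix, gateway), ...] and
    rejects malformed input instead of reading past the end."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length %d out of range" % plen)
        n = (plen + 7) // 8
        if i + n + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = bytes(data[i:i + n]) + b"\x00" * (4 - n)
        i += n
        gw = bytes(data[i:i + 4])
        i += 4
        routes.append(("%s/%d" % (ipaddress.IPv4Address(dest), plen),
                       str(ipaddress.IPv4Address(gw))))
    return routes


def dnsmasq_option_line(routes):
    """Same option in dnsmasq's config syntax (assumed; not the Fortinet's syntax)."""
    return "dhcp-option=121," + ",".join("%s,%s" % r for r in routes)


# Routes from the thread.  The default route is repeated on purpose: RFC 3442 says a
# client that receives option 121 MUST ignore option 3 (Router), so leaving it out
# would strip the default gateway from every client.
ROUTES = [("10.11.12.0/24", "10.20.30.18"),
          ("0.0.0.0/0", "10.20.30.1")]

if __name__ == "__main__":
    wire = encode_classless_routes(ROUTES)
    print(wire.hex())
    print(decode_classless_routes(wire))
    print(dnsmasq_option_line(ROUTES))
```

Two caveats before relying on this: a client only picks the route up at its next lease renewal, and a host with a static address or a DHCP client that ignores option 121 still goes through the Fortinet, so the redirect behaviour discussed above remains for those machines.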