How to *ENABLE* icmp redirect on windows xp workstation ?
Hi:
I have a problem with ICMP redirect.
I already set the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects to 1,
and let ICMP redirect bypass the Windows firewall.
I checked that the gateway sends the ICMP redirect packet, but it seems
that Windows just ignores it.
Thanks.
Re: How to *ENABLE* icmp redirect on windows xp workstation ?
In news:d3a4a149-54f3-4d0d-8b7f-610efbab1e4d@d19g2000prm.googlegroups.com,
Zealot <Zealot0630@gmail.com> typed:
> Hi:
>
> I have a problem with ICMP redirect.
>
> I already set the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects to 1,
> and let ICMP redirect bypass the Windows firewall.
>
> I checked that the gateway sends the ICMP redirect packet, but it seems
> that Windows just ignores it.
>
> Thanks.
What operating system version? It may be ignoring it. Many places offer how
to disable it, such as the following link, but this link also explains why
Windows 2000 will ignore it.
Cannot Disable ICMP Redirects By Changing "EnableICMPRedirect" Registry Value
http://support.microsoft.com/default...b;en-us;293626
I'm highly curious: What were the design intentions behind its requirement
in your infrastructure especially using a Windows machine? Reason why I'm
asking is it's normally used between routers for route information and
its use is not considered a "best practice," whereas a Windows host simply
has only one default gateway (the router) and the gateway handles routing.
Unless you have multiple gateways?
For those of you out there not familiar with this feature, here you go:
ICMP Redirects explanation:
http://www.cymru.com/gillsr/document...ts-are-bad.htm
A little old, but the idea is the same:
Explanation of ICMP Redirect Behavior
http://support.microsoft.com/kb/q195686/
--
Regards,
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Infinite Diversities in Infinite Combinations
Re: How to *ENABLE* icmp redirect on windows xp workstation ?
On May 17, 9:10 am, "Ace Fekay [MVP]" <PleaseAs...@SomeDomain.com>
wrote:
> In news:d3a4a149-54f3-4d0d-8b7f-610efbab1e4d@d19g2000prm.googlegroups.com,
> Zealot <Zealot0...@gmail.com> typed:
>
> > Hi:
>
> > I have a problem with ICMP redirect.
>
> > I already set the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirects to 1,
> > and let ICMP redirect bypass the Windows firewall.
>
> > I checked that the gateway sends the ICMP redirect packet, but it seems
> > that Windows just ignores it.
>
> > Thanks.
>
> What operating system version? It may be ignoring it. Many places offer how
> to disable it, such as the following link, but this link also explains why
> Windows 2000 will ignore it.
>
> Cannot Disable ICMP Redirects By Changing "EnableICMPRedirect" Registry Value
> http://support.microsoft.com/default.aspx?scid=kb;en-us;293626
>
> I'm highly curious: What were the design intentions behind its requirement
> in your infrastructure especially using a Windows machine? Reason why I'm
> asking is it's normally used between routers for route information and
> its use is not considered a "best practice," whereas a Windows host simply
> has only one default gateway (the router) and the gateway handles routing.
> Unless you have multiple gateways?
>
> For those of you out there not familiar with this feature, here you go:
> ICMP Redirects explanation:
> http://www.cymru.com/gillsr/document...ts-are-bad.htm
>
> A little old, but the idea is the same:
> Explanation of ICMP Redirect Behavior
> http://support.microsoft.com/kb/q195686/
>
> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Infinite Diversities in Infinite Combinations
Thanks for your reply.
I have tested on Windows XP SP2. It doesn't work. But on a Linux box, it
works.
There are 2 gateways in my innernet. One for internet, the other for
innernet.
I'm using DHCP on the LAN and point the default gateway to the internat
gateway, and the internet gateway forwards the packet to the innernet
gateway. But there are some applications which require low latency and
high bandwidth and need to access the service on the other LAN of the
innernet. It is very hard to install a route entry on every machine in
the LAN.
Re: How to *ENABLE* icmp redirect on windows xp workstation ?
In news:7394304a-c24f-47c9-af41-98f63b72524c@q27g2000prf.googlegroups.com,
Zealot <Zealot0630@gmail.com> typed:
> Thanks for your reply.
>
> I have tested on Windows XP SP2. It doesn't work. But on a Linux box, it
> works.
>
> There are 2 gateways in my innernet. One for internet, the other for
> innernet.
> I'm using DHCP on the LAN and point the default gateway to the internat
> gateway, and the internet gateway forwards the packet to the innernet
> gateway. But there are some applications which require low latency and
> high bandwidth and need to access the service on the other LAN of the
> innernet. It is very hard to install a route entry on every machine in
> the LAN.
I'm not completely following your explanation in relation to the need of
ICMP redirects. I'm trying to follow and understand the differences between
"innernet" and "intranat" as you described it.
From the looks of things, it sounds like a static route configured in your
default gateway router pointing to the "innernet," which I assume you mean
that is a separate subnet on your INTRANET (inside private network) may just
do the trick. If the app is on a server on that subnet, and the server is
defined in DNS or WINS with a private IP on that subnet, a static route will
"redirect" (or simply send) the packet to that other router. Have you tried
that?
Ace
Re: How to *ENABLE* icmp redirect on windows xp workstation ?
On May 22, 9:54 am, "Ace Fekay [MVP]" <PleaseAs...@SomeDomain.com>
wrote:
> In news:7394304a-c24f-47c9-af41-98f63b72524c@q27g2000prf.googlegroups.com,
> Zealot <Zealot0...@gmail.com> typed:
>
> > Thanks for your reply.
>
> > I have tested on Windows XP SP2. It doesn't work. But on a Linux box, it
> > works.
>
> > There are 2 gateways in my innernet. One for internet, the other for
> > innernet.
> > I'm using DHCP on the LAN and point the default gateway to the internat
> > gateway, and the internet gateway forwards the packet to the innernet
> > gateway. But there are some applications which require low latency and
> > high bandwidth and need to access the service on the other LAN of the
> > innernet. It is very hard to install a route entry on every machine in
> > the LAN.
>
> I'm not completely following your explanation in relation to the need of
> ICMP redirects. I'm trying to follow and understand the differences between
> "innernet" and "intranat" as you described it.
>
> From the looks of things, it sounds like a static route configured in your
> default gateway router pointing to the "innernet," which I assume you mean
> that is a separate subnet on your INTRANET (inside private network) may just
> do the trick. If the app is on a server on that subnet, and the server is
> defined in DNS or WINS with a private IP on that subnet, a static route will
> "redirect" (or simply send) the packet to that other router. Have you tried
> that?
>
> Ace
Yes, I already set up a static routing entry on the default gateway
pointing to the innernet gateway, but it takes an unnecessary hop from
default gateway to innernet gateway. I want the packet to go directly to
the innernet gateway or there will be bandwidth and latency problems.
Setting up a static routing entry on every machine can solve this problem,
but as I mentioned, a lot of work will be taken to set up a static
routing entry on every machine in the LAN. So I'm considering ICMP
redirect as a simple solution.
Re: How to *ENABLE* icmp redirect on windows xp workstation ?
"Zealot" <Zealot0630@gmail.com> wrote in message
news:2f1daac0-621c-420f-8737-e0c7254fd2fd@p25g2000pri.googlegroups.com...
On May 22, 9:54 am, "Ace Fekay [MVP]" <PleaseAs...@SomeDomain.com>
wrote:
> In news:7394304a-c24f-47c9-af41-98f63b72524c@q27g2000prf.googlegroups.com,
> Zealot <Zealot0...@gmail.com> typed:
>
> > Thanks for your reply.
>
> > I have tested on Windows XP SP2. It doesn't work. But on a Linux box, it
> > works.
>
> > There are 2 gateways in my innernet. One for internet, the other for
> > innernet.
> > I'm using DHCP on the LAN and point the default gateway to the internat
> > gateway, and the internet gateway forwards the packet to the innernet
> > gateway. But there are some applications which require low latency and
> > high bandwidth and need to access the service on the other LAN of the
> > innernet. It is very hard to install a route entry on every machine in
> > the LAN.
>
> I'm not completely following your explanation in relation to the need of
> ICMP redirects. I'm trying to follow and understand the differences between
> "innernet" and "intranat" as you described it.
>
> From the looks of things, it sounds like a static route configured in your
> default gateway router pointing to the "innernet," which I assume you mean
> that is a separate subnet on your INTRANET (inside private network) may just
> do the trick. If the app is on a server on that subnet, and the server is
> defined in DNS or WINS with a private IP on that subnet, a static route will
> "redirect" (or simply send) the packet to that other router. Have you tried
> that?
>
> Ace
>Yes, I already set up a static routing entry on the default gateway
>pointing to the innernet gateway, but it takes an unnecessary hop from
>default gateway to innernet gateway. I want the packet to go directly to
>the innernet gateway or there will be bandwidth and latency problems.
>Setting up a static routing entry on every machine can solve this problem,
>but as I mentioned, a lot of work will be taken to set up a static
>routing entry on every machine in the LAN. So I'm considering ICMP
>redirect as a simple solution.
Ok. You have the static route in place and the traffic is being
redirected. You also have ICMPRedirect enabled on the workstation.
Are you saying that the static route is not being added to the
workstation's routing table?
When the router redirects the packet, it will also send an ICMP redirect
message to the workstation. If EnableICMPRedirect is set the route should be
added to the routing table of the workstation, so that next time it needs to
access the intranet subnet it will have a route to access it by the
alternate gateway.
Have you checked the routing table on the workstation soon after a
redirect to see if the route is there? The route is not persistent. It will
disappear after a while if it is not used (about ten minutes, I think).
If you want a persistent route you will need to add it to each
workstation as a persistent static route.
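
The redirect mechanism described in the post above, as an added example that is not part of the thread: it parses an ICMP redirect such as the one captured with tcpdump and applies the two host-side acceptance checks from RFC 1122 section 3.2.2.2. The sample bytes, addresses and function names are constructed for illustration, and the code says nothing about what Windows XP itself checks.

```python
import ipaddress
import struct

# Constructed sample: ICMP redirect (type 5, code 1) naming 192.168.1.254 as the
# better gateway, followed by the IP header + 8 bytes of the packet that caused
# it (192.168.1.10 -> 10.0.5.20). Checksums are zeroed and not verified here.
SAMPLE = bytes.fromhex(
    "05010000c0a801fe"
    "450000540000400040010000c0a8010a0a000514"
    "0800000000010001"
)

def parse_redirect(icmp: bytes):
    """Return the fields of an ICMP redirect, or None for any other ICMP type."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code = struct.unpack("!BB", icmp[:2])
    if icmp_type != 5:
        return None
    inner = icmp[8:]  # embedded original IP header + first 8 payload bytes
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("redirect does not embed an IPv4 header")
    return {
        "code": code,
        "new_gateway": ipaddress.IPv4Address(icmp[4:8]),
        "orig_src": ipaddress.IPv4Address(inner[12:16]),
        "orig_dst": ipaddress.IPv4Address(inner[16:20]),
    }

def discard_reasons(fields, sender, connected_net, current_gateway):
    """Host-side checks from RFC 1122 3.2.2.2; an empty list means acceptable."""
    reasons = []
    if fields["new_gateway"] not in connected_net:
        reasons.append("new gateway is not on the connected subnet")
    if sender != current_gateway:
        reasons.append("sender is not the current first-hop gateway")
    return reasons

if __name__ == "__main__":
    lan = ipaddress.ip_network("192.168.1.0/24")  # assumed workstation subnet
    gw = ipaddress.IPv4Address("192.168.1.1")     # assumed default gateway
    fields = parse_redirect(SAMPLE)
    print(fields, discard_reasons(fields, gw, lan, gw))
```
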
Re: How to *ENABLE* icmp redirect on windows xp workstation ?
On May 22, 1:57 pm, "Bill Grant" <not.available@online> wrote:
> "Zealot" <Zealot0...@gmail.com> wrote in message
>
> news:2f1daac0-621c-420f-8737-e0c7254fd2fd@p25g2000pri.googlegroups.com...
> On May 22, 9:54 am, "Ace Fekay [MVP]" <PleaseAs...@SomeDomain.com>
> wrote:
>
> > In news:7394304a-c24f-47c9-af41-98f63b72524c@q27g2000prf.googlegroups.com,
> > Zealot <Zealot0...@gmail.com> typed:
>
> > > Thanks for your reply.
>
> > > I have tested on Windows XP SP2. It doesn't work. But on a Linux box, it
> > > works.
>
> > > There are 2 gateways in my innernet. One for internet, the other for
> > > innernet.
> > > I'm using DHCP on the LAN and point the default gateway to the internat
> > > gateway, and the internet gateway forwards the packet to the innernet
> > > gateway. But there are some applications which require low latency and
> > > high bandwidth and need to access the service on the other LAN of the
> > > innernet. It is very hard to install a route entry on every machine in
> > > the LAN.
>
> > I'm not completely following your explanation in relation to the need of
> > ICMP redirects. I'm trying to follow and understand the differences between
> > "innernet" and "intranat" as you described it.
>
> > From the looks of things, it sounds like a static route configured in your
> > default gateway router pointing to the "innernet," which I assume you mean
> > that is a separate subnet on your INTRANET (inside private network) may just
> > do the trick. If the app is on a server on that subnet, and the server is
> > defined in DNS or WINS with a private IP on that subnet, a static route will
> > "redirect" (or simply send) the packet to that other router. Have you tried
> > that?
>
> > Ace
> >Yes, I already set up a static routing entry on the default gateway
> >pointing to the innernet gateway, but it takes an unnecessary hop from
> >default gateway to innernet gateway. I want the packet to go directly to
> >the innernet gateway or there will be bandwidth and latency problems.
> >Setting up a static routing entry on every machine can solve this problem,
> >but as I mentioned, a lot of work will be taken to set up a static
> >routing entry on every machine in the LAN. So I'm considering ICMP
> >redirect as a simple solution.
>
> Ok. You have the static route in place and the traffic is being
> redirected. You also have ICMPRedirect enabled on the workstation.
> Are you saying that the static route is not being added to the
> workstation's routing table?
>
> When the router redirects the packet, it will also send an ICMP redirect
> message to the workstation. If EnableICMPRedirect is set the route should be
> added to the routing table of the workstation, so that next time it needs to
> access the intranet subnet it will have a route to access it by the
> alternate gateway.
>
> Have you checked the routing table on the workstation soon after a
> redirect to see if the route is there? The route is not persistent. It will
> disappear after a while if it is not used (about ten minutes, I think).
>
> If you want a persistent route you will need to add it to each
> workstation as a persistent static route.
Using tcpdump, I can figure out that the ICMP packet has been sent
properly from the gateway to the workstation, but the WinXP
workstation seems to ignore it. I checked that there is no routing entry
set up on the workstation. And in the same LAN, when using a Debian Linux
workstation, it works properly: as soon as it receives the ICMP
redirect packet, it sends packets to the innernet gateway directly.
Re: How to *ENABLE* icmp redirect on windows xp workstation ?
In news:e203305b-0a0b-4ff8-90d8-179df32723d9@b5g2000pri.googlegroups.com,
Zealot <Zealot0630@gmail.com> typed:
> Using tcpdump, I can figure out that the ICMP packet has been sent
> properly from the gateway to the workstation, but the WinXP
> workstation seems to ignore it. I checked that there is no routing entry
> set up on the workstation. And in the same LAN, when using a Debian Linux
> workstation, it works properly: as soon as it receives the ICMP
> redirect packet, it sends packets to the innernet gateway directly.
You can create the static route on all workstations, by creating a batch
file and placing it in your logon script for those users.
Ace
Re: How to *ENABLE* icmp redirect on windows xp workstation ?
Or use the DHCP server for configuration of the workstations. One of the options of the DHCP protocol is to send an extra static route to the workstations in addition to the usual IP, subnet, gateway and DNS.
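
The post above does not name the DHCP option. This added example, not part of the thread, assumes the Classless Static Route option (code 121, RFC 3442) and shows its byte encoding together with a decoder for checking what a server actually sends; the subnets, gateway addresses and function names are constructed.

```python
import ipaddress

def encode_classless_routes(routes, option_code=121):
    """Encode [(destination CIDR, router IP), ...] as a DHCP option (code, len, data)."""
    data = bytearray()
    for cidr, router in routes:
        net = ipaddress.IPv4Network(cidr)          # rejects CIDRs with host bits set
        significant = (net.prefixlen + 7) // 8     # only these destination octets are sent
        data.append(net.prefixlen)
        data += net.network_address.packed[:significant]
        data += ipaddress.IPv4Address(router).packed
    if len(data) > 255:
        raise ValueError("routes do not fit in a single option")
    return bytes([option_code, len(data)]) + bytes(data)

def decode_classless_routes(option: bytes):
    """Decode the option back into [(CIDR, router), ...], rejecting malformed data."""
    length = option[1]
    data = option[2:2 + length]
    if len(data) != length:
        raise ValueError("option is truncated")
    routes, i = [], 0
    while i < len(data):
        prefixlen = data[i]
        if prefixlen > 32:
            raise ValueError("prefix length out of range")
        n = (prefixlen + 7) // 8
        if i + 1 + n + 4 > len(data):
            raise ValueError("route entry is truncated")
        dest = ipaddress.IPv4Address(data[i + 1:i + 1 + n] + bytes(4 - n))
        router = ipaddress.IPv4Address(data[i + 1 + n:i + 5 + n])
        routes.append((f"{dest}/{prefixlen}", str(router)))
        i += 5 + n
    return routes

# Constructed addressing: the second LAN sits behind 192.168.1.254. RFC 3442 has
# a client that uses option 121 ignore the Router option (3), so the default
# route is listed in the same option.
ROUTES = [("10.0.5.0/24", "192.168.1.254"), ("0.0.0.0/0", "192.168.1.1")]

if __name__ == "__main__":
    opt = encode_classless_routes(ROUTES)
    print(opt.hex(), decode_classless_routes(opt))
```
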