Static Routes not presented to dhcp clients?
Ferretcomp
Newbie

I have a static route setup for a different network behind a pfsense box, and none of the dhcp clients on the router get that route passed to them. Is there a checkbox I missed, or is it a shortcoming of the FiOS-G1100 router? Thanks in advance for any info!

0 Likes
1 Solution

Correct answers
Re: Static Routes not presented to dhcp clients?
lasagna
Community Leader

You are incorrectly understanding how routing and DHCP work.

DHCP doesn't distribute routes. It provides the local IP address for a device to use and provides the "default route" for the device to use to reach its next-hop router, which in most home installations is usually the internet router (and the device providing the DHCP).

By placing a static route into your router, you are telling the router how to reach other networks as well as how to deliver traffic to other networks for traffic which is travelling THRU the router. In this case, the traffic is not travelling thru the router, but instead is bouncing off the router (since the route points to another device on the same local network as the interface). In such cases, routers will usually issue an ICMP redirect packet to instruct the system which incorrectly directed local traffic to it to send the traffic to the correct device (and provides the IP address of that device as given by the default route). The initial system will then process this redirect packet and add a static route to its own routing table so future packets are sent to the correct device.

In your case, one of two things is likely happening:

1. The G1100 is not issuing ICMP redirects. Don't know enough about the router to know if this is a configurable option or feature. But, it's not uncommon for some devices to be configured to not generate these packets as there is a security risk associated with doing so.

2. The endpoint device initiating the traffic is receiving, but not honoring, the ICMP redirect. Many local firewall packages will block these types of packets (so it may be issued by the router, but blocked by the PC's firewall software), or the system itself may be configured to ignore them.

The correct way to resolve this is to add a permanent static route to each local device so that it sends the right networks to the right router, or to rearchitect your local network such that there is only one egress off the local LAN segment (using the pfsense box as the first hop for the network your PC is on and placing the router on a new segment behind the pfsense). This introduces other issues in that you need to make sure the G1100 has the static routing entry for your local LAN segment thru the pfsense.

If you have packet sniffer software, you can run it on your endpoint and see if the ICMP redirect is being generated if you want to try to get the redirect to work so that you know which device to troubleshoot.  Remember to turn off local firewall software on the device first so nothing gets blocked.
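To make the sniffer check concrete, here is an added example (not part of the original post) that recognises an ICMP redirect (RFC 792, type 5) in a raw IPv4 packet and reports which gateway it recommends and for which destination. The sample packet is constructed in memory, and every address in it (192.168.1.1 as the router, 192.168.1.2 as the pfSense box, 192.168.1.50 as the client, 10.10.0.5 as the remote host) is an assumption.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_redirect(packet: bytes):
    """Return the redirect's details from a raw IPv4 packet, or None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    # protocol 1 = ICMP; a redirect carries 8 bytes of ICMP header plus the
    # IP header (at least 20 bytes) of the datagram that triggered it
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 28:
        return None
    icmp = packet[ihl:]
    if icmp[0] != 5:  # type 5 = Redirect (RFC 792)
        return None
    addr = lambda b: str(ipaddress.IPv4Address(b))
    return {
        "sent_by": addr(packet[12:16]),
        "sent_to": addr(packet[16:20]),
        "code": icmp[1],                       # 0 = network, 1 = host
        "use_gateway": addr(icmp[4:8]),        # next hop the sender recommends
        "for_destination": addr(icmp[24:28]),  # destination of the original datagram
        "checksum_ok": inet_checksum(icmp) == 0,
    }

def build_sample() -> bytes:
    """Constructed sample (all addresses are assumptions); IP header checksums left 0."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    hdr = lambda length: struct.pack("!BBHHHBBH", 0x45, 0, length, 0, 0, 64, 1, 0)
    inner = hdr(28) + ip("192.168.1.50") + ip("10.10.0.5") + bytes.fromhex("0800000000010001")
    body = ip("192.168.1.2") + inner
    csum = inet_checksum(struct.pack("!BBH", 5, 1, 0) + body)
    icmp = struct.pack("!BBH", 5, 1, csum) + body
    return hdr(20 + len(icmp)) + ip("192.168.1.1") + ip("192.168.1.50") + icmp

if __name__ == "__main__":
    print(parse_icmp_redirect(build_sample()))
```

Nothing in the message authenticates `sent_by`, so a redirect whose sender is not the host's configured gateway is worth flagging rather than honoring.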

Re: Static Routes not presented to dhcp clients?
Brimmstone
Newbie

Static routes can most certainly be distributed to DHCP clients via Option 121 specified in RFC 3442 (https://tools.ietf.org/html/rfc3442).  Furthermore, most endpoints don't accept ICMP redirects because they are a giant gaping security hole.  ICMP messages are not authenticated and therefore the ICMP redirects make it trivial to set up a man-in-the-middle attack and intercept all traffic to/from an endpoint/subnet.

For what it's worth, the older ActionTec routers seemed to handle this properly.

0 Likes
Re: Static Routes not presented to dhcp clients?
jonjones1
Legend

@Brimmstone wrote:

Static routes can most certainly be distributed to DHCP clients via Option 121 specified in RFC 3442 (https://tools.ietf.org/html/rfc3442).  Furthermore, most endpoints don't accept ICMP redirects because they are a giant gaping security hole.  ICMP messages are not authenticated and therefore the ICMP redirects make it trivial to set up a man-in-the-middle attack and intercept all traffic to/from an endpoint/subnet.

For what it's worth, the older ActionTec routers seemed to handle this properly.


You are replying to a post from two years ago. Long settled or answered.

0 Likes
Re: Static Routes not presented to dhcp clients?
KH-OrnEsh1
Moderator Emeritus

Due to the age of this thread, it will be locked in order to keep discussions current. If you have the same or a similar question/issue we invite you to start a new thread on the topic.

0 Likes