Understanding and Resolving ICMP Redirect Host Issues in Multi-Subnet Linux Router Configurations



In your current setup with Debian as a router handling 4 subnets (10.1.1.0/24 through 10.1.4.0/24) on a single physical interface using virtual interfaces (eth1:0-eth1:2), you're experiencing ICMP Redirect Host messages when attempting to ping between hosts on different logical subnets:

92 bytes from router2.mydomain.com (10.1.2.1): Redirect Host(New addr: 10.1.1.12)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 81d4   0 0000  3f  01 e2b3 10.1.2.20  10.1.1.12

ICMP Redirect messages (Type 5) occur when a router detects that a host is using a suboptimal path. In your case, the Linux kernel sees that:

  • Both hosts (10.1.2.20 and 10.1.1.12) are physically reachable via the same interface (eth1)
  • The packet is being routed through the router's IP stack when it could go directly
  • The subnets are different (10.1.2.0/24 vs 10.1.1.0/24) but share the same physical medium

Your virtual interface approach creates an artificial network segmentation while maintaining layer 2 connectivity. The kernel's routing logic detects that the destination (10.1.1.12) is reachable at layer 2 without requiring routing through 10.1.2.1.

# Kernel sees these routes for the same physical interface:
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1

Option 1: Disable ICMP Redirects

Since this is an intended multi-subnet configuration, you can safely disable redirects:

# Temporarily disable
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Make permanent (add to /etc/sysctl.conf)
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Option 2: Proper VLAN Segmentation

For true network separation, consider implementing VLANs:

# Install VLAN package
apt-get install vlan

# Configure VLAN interfaces
vconfig add eth1 1
vconfig add eth1 2
ifconfig eth1.1 10.1.1.1 netmask 255.255.255.0 up
ifconfig eth1.2 10.1.2.1 netmask 255.255.255.0 up

Option 3: ARP Proxy

Enable proxy ARP for specific cases:

echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

After applying changes, verify with:

# Check redirect settings
cat /proc/sys/net/ipv4/conf/eth1/send_redirects

# Test connectivity
tcpdump -i eth1 icmp
ping -c 4 10.1.1.12

Consider adding specific route metrics to influence path selection:

ip route add 10.1.1.0/24 dev eth1 metric 100
ip route add 10.1.2.0/24 dev eth1 metric 200

Be aware that disabling ICMP redirects or using proxy ARP affects security posture. Evaluate these changes against your security requirements, especially in environments requiring strict network segmentation.
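The following shell script is an added example for this thread, not code from the answer above. It does two things the "Option 1" sysctl lines and the verification block leave to the reader: it evaluates send_redirects the way the kernel combines conf/all and conf/eth1 (redirects stay on while either is 1), and it counts and extracts the "Redirect Host" lines from ping output. The conf root is passed as a parameter so the demo runs against a constructed directory; the function names, the sample ping lines and the temporary directory are this example's own.

```shell
#!/bin/sh
# Added example, not code from either answer. Checks the send_redirects state
# the way the kernel evaluates it and scans ping output for the redirect lines
# quoted in the question. The conf root is a parameter so the demo at the
# bottom can run against a constructed directory instead of
# /proc/sys/net/ipv4/conf; function names here are this example's own.

# Read one sysctl-style file, stripping whitespace; "missing" if unreadable.
read_knob() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else echo missing; fi
}

# Effective send_redirects for interface IFACE under conf root ROOT.
# Per Documentation/networking/ip-sysctl.rst, redirects are sent if at least
# one of conf/{all,IFACE}/send_redirects is TRUE, so clearing only one of the
# two leaves them on. Prints 1 (enabled) or 0 (disabled).
effective_send_redirects() {
    all=$(read_knob "$1/all/send_redirects")
    per=$(read_knob "$1/$2/send_redirects")
    if [ "$all" = missing ]; then all=1; fi   # kernel default is TRUE
    if [ "$per" = missing ]; then per=1; fi
    if [ "$all" -ne 0 ] || [ "$per" -ne 0 ]; then echo 1; else echo 0; fi
}

# One-line verdict for a post-change check on the router.
audit_send_redirects() {
    eff=$(effective_send_redirects "$1" "$2")
    a=$(read_knob "$1/all/send_redirects"); p=$(read_knob "$1/$2/send_redirects")
    if [ "$eff" -eq 1 ]; then
        echo "$2: redirects ENABLED (all=$a $2=$p); set both conf/all and conf/$2 to 0"
    else
        echo "$2: redirects disabled (all=$a $2=$p)"
    fi
}

# Count "Redirect Host" lines in ping output read from stdin.
count_redirects() {
    grep -c 'Redirect Host' || true
}

# Print the "New addr" each redirect pointed at, one per line.
redirect_targets() {
    sed -n 's/.*New addr: \([0-9.]*\)).*/\1/p'
}

# Build a constructed stand-in for /proc/sys/net/ipv4/conf under DIR with the
# given values for all and eth1 (sample values, not read from a live system).
make_fake_conf() {
    mkdir -p "$1/all" "$1/eth1"
    echo "$2" > "$1/all/send_redirects"
    echo "$3" > "$1/eth1/send_redirects"
}

# Constructed sample: two redirect lines in the question's format plus a
# normal reply.
SAMPLE_PING='92 bytes from router2.mydomain.com (10.1.2.1): Redirect Host(New addr: 10.1.1.12)
64 bytes from 10.1.1.12: icmp_seq=1 ttl=63 time=0.412 ms
92 bytes from router2.mydomain.com (10.1.2.1): Redirect Host(New addr: 10.1.1.12)'

DEMO=${TMPDIR:-/tmp}/icmp_redirect_demo.$$
make_fake_conf "$DEMO" 0 1          # half-applied: only conf/all cleared
audit_send_redirects "$DEMO" eth1   # still ENABLED
make_fake_conf "$DEMO" 0 0          # both cleared, as Option 1 does
audit_send_redirects "$DEMO" eth1   # disabled
rm -rf "$DEMO"
echo "redirects seen: $(printf '%s\n' "$SAMPLE_PING" | count_redirects)"
printf '%s\n' "$SAMPLE_PING" | redirect_targets | sort -u
```

On the router itself, run `audit_send_redirects /proc/sys/net/ipv4/conf eth1` after applying the sysctl lines, and pipe a live `ping` to `count_redirects` to confirm the count drops to zero.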


When attempting to ping between hosts across virtual subnets (10.1.2.20 → 10.1.1.12) through your Debian router, you're experiencing ICMP Redirect Host messages. This occurs when:

  • The router detects that the source and destination hosts are physically on the same network segment
  • There exists a more direct path between the hosts than through the router
  • The router's interfaces share the same MAC address (visible in your ifconfig output)

The core issue stems from your network configuration where:

# All virtual interfaces share eth1's MAC:
eth1:     HWaddr 94:0c:6d:82:0d:98
eth1:0:   HWaddr 94:0c:6d:82:0d:98  
eth1:1:   HWaddr 94:0c:6d:82:0d:98
eth1:2:   HWaddr 94:0c:6d:82:0d:98

Despite having different IP subnets, these hosts are physically on the same Layer 2 broadcast domain. The router correctly identifies that 10.1.2.20 could reach 10.1.1.12 directly without routing, hence the ICMP redirect.

Option 1: Disable ICMP Redirects (Quick Fix)

# Temporary solution (won't persist after reboot)
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Permanent solution (add to /etc/sysctl.conf)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# eth1 already exists when sysctl.conf is applied at boot, so its own
# per-interface value must be cleared as well (redirects stay on while
# either conf/all or conf/eth1 is 1)
net.ipv4.conf.eth1.send_redirects = 0

Option 2: Proper VLAN Segmentation (Recommended)

Configure proper 802.1Q VLAN tagging instead of IP aliases:

# Install VLAN package
apt install vlan

# Configure VLAN interfaces
vconfig add eth1 10
vconfig add eth1 20
vconfig add eth1 30
vconfig add eth1 40

# Assign IPs to VLAN interfaces
ifconfig eth1.10 10.1.1.1/24 up
ifconfig eth1.20 10.1.2.1/24 up
ifconfig eth1.30 10.1.3.1/24 up
ifconfig eth1.40 10.1.4.1/24 up

Your current routing table shows correct subnet segmentation:

10.1.4.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1

However, the physical layer topology contradicts this logical separation.

The issue manifests in ARP cache behavior. When 10.1.2.20 tries to reach 10.1.1.12:

  1. Host checks subnet mask (255.255.255.0)
  2. Determines destination is on different subnet
  3. Sends packet to default gateway (10.1.2.1)
  4. Router sees both hosts are reachable via eth1
  5. Sends ICMP redirect suggesting direct communication

For production environments, consider:

# Create separate bridge for each subnet
brctl addbr br1
brctl addbr br2
brctl addbr br3
brctl addbr br4

# Assign physical interfaces (requires multiple NICs)
brctl addif br1 eth1
brctl addif br2 eth2
brctl addif br3 eth3
brctl addif br4 eth4

# Configure IPs on bridges
ifconfig br1 10.1.1.1/24 up
ifconfig br2 10.1.2.1/24 up
ifconfig br3 10.1.3.1/24 up
ifconfig br4 10.1.4.1/24 up

This provides true Layer 2 isolation while maintaining routing functionality.
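As an added illustration of the five-step sequence above and of the explanation in the first answer (not code from either answer), the following POSIX shell script models the two decisions that produce the redirect: the host's "same subnet?" test that sends the packet to 10.1.2.1, and the router's "would this packet leave on the interface it arrived on?" test. It also shows why the VLAN layout from Option 2 stops the redirect. The route tables, addresses and function names are constructed for this example; the router-side check is a simplification of the kernel logic, with shared_media assumed at its default of 1.

```shell
#!/bin/sh
# Added example, not code from either answer. A small model of the two
# decisions behind the redirect: the host's "same subnet?" test and the
# router's "would this leave on the interface it arrived on?" test. The
# route tables and addresses are constructed from the thread's 10.1.x.0/24
# layout; function names are this example's own.

# Dotted quad -> 32-bit integer (runs in a subshell so IFS is not clobbered).
ip2int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Prefix length -> netmask as an integer (24 -> 4294967040, i.e. 0xffffff00).
prefix2mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# Host-side step: are SRC and DST in the same /PLEN?
same_subnet() {
    m=$(prefix2mask "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# What the host does with the packet: deliver directly or hand it to GW.
host_next_hop() {
    if same_subnet "$1" "$2" "$3"; then echo "direct $2"; else echo "via $4"; fi
}

# Longest-prefix lookup of DST in TABLE ("prefix/len iface" per line,
# connected routes only, matching the answer's routing table). Prints the
# egress interface or "none".
route_lookup() {
    dst=$(ip2int "$1"); best=none; bestlen=-1
    while read -r net iface; do
        [ -n "$net" ] || continue
        pfx=${net%/*}; len=${net#*/}; m=$(prefix2mask "$len")
        if [ $(( dst & m )) -eq $(( $(ip2int "$pfx") & m )) ] && [ "$len" -gt "$bestlen" ]; then
            best=$iface; bestlen=$len
        fi
    done <<EOF
$2
EOF
    echo "$best"
}

# Router-side step, simplified from the kernel's input-route logic: a redirect
# is generated when the egress interface equals the ingress interface and
# send_redirects is effective on it (shared_media is assumed at its default
# of 1, so the on-link test is not modelled). With a connected route the
# advertised new address is the destination itself, as in the ping output.
# Returns 0 when a redirect would be sent, 1 otherwise.
would_redirect() {
    in_if=$1; src=$2; dst=$3; table=$4; send=${5:-1}
    out_if=$(route_lookup "$dst" "$table")
    if [ "$out_if" = "$in_if" ] && [ "$send" -eq 1 ]; then
        echo "redirect to $src: reach $dst directly (in=$in_if out=$out_if)"
        return 0
    fi
    echo "forward $src -> $dst (in=$in_if out=$out_if), no redirect"
    return 1
}

# Constructed tables: the IP-alias layout from the thread, and the VLAN
# layout from Option 2 of the second answer.
ALIAS_ROUTES='10.1.1.0/24 eth1
10.1.2.0/24 eth1
10.1.3.0/24 eth1
10.1.4.0/24 eth1'
VLAN_ROUTES='10.1.1.0/24 eth1.10
10.1.2.0/24 eth1.20
10.1.3.0/24 eth1.30
10.1.4.0/24 eth1.40'

# Walk through 10.1.2.20 pinging 10.1.1.12 (the question's case).
echo "host:   $(host_next_hop 10.1.2.20 10.1.1.12 24 10.1.2.1)"
echo "router: $(would_redirect eth1 10.1.2.20 10.1.1.12 "$ALIAS_ROUTES")"
echo "router: $(would_redirect eth1.20 10.1.2.20 10.1.1.12 "$VLAN_ROUTES")"
echo "router: $(would_redirect eth1 10.1.2.20 10.1.1.12 "$ALIAS_ROUTES" 0)"
```

The last three lines correspond to the three options in the answers: aliases on one interface produce the redirect, VLAN (or per-NIC bridge) interfaces give a different ingress and egress interface so no redirect is generated, and clearing send_redirects suppresses the message without changing the forwarding path.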