How to *ENABLE* icmp redirect on windows xp workstation ?

Hi:

I have some problem with icmp redirect.

I already set the register key HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet\Services\Tcpip\Parameters\Enabl eICMPRedirects to 1,
and let icmp redirect bypass the windows firewall.

I checked that gateway send the icmp redirect packet, but it seems
that windows just ignore it.

Thanks.

In news:d3a4a149-54f3-4d0d-8b7f-(E-Mail Removed),
Zealot <(E-Mail Removed)> typed:
> Hi:
>
> I have some problem with icmp redirect.
>
> I already set the register key HKEY_LOCAL_MACHINE\SYSTEM
> \CurrentControlSet\Services\Tcpip\Parameters\Enabl eICMPRedirects to 1,
> and let icmp redirect bypass the windows firewall.
>
> I checked that gateway send the icmp redirect packet, but it seems
> that windows just ignore it.
>
> Thanks.

What operating system version? It may be ignoring it. Many places offer how
to disable it, such as the following link, but this link also explains why
Windows 2000 will ignore it.

Cannot Disable ICMP Redirects By Changing "EnableICMPRedirect" Registry
Value
http://support.microsoft.com/default...b;en-us;293626


I'm highly curious: What was the design intentions behind it's requirement
in your infrastructure especially using a Windows machine? Reason why I'm
asking is it's normally used for between routers for route information and
it's use is not considered a "best practice," whereas a Windows host simply
has only one default gateway (the router) and the gateway handles routing.
Unless you have multiple gateways?

For those of you out there not familiar with this feature, here you go:
ICMP Redirects explanation:
http://www.cymru.com/gillsr/document...ts-are-bad.htm

A little old, but the idea is the same:
Explanation of ICMP Redirect Behavior
http://support.microsoft.com/kb/q195686/


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations

On May 17, 9:10*am, "Ace Fekay [MVP]" <PleaseAs...@SomeDomain.com>
wrote:
> Innews:d3a4a149-54f3-4d0d-8b7f-(E-Mail Removed),
> Zealot <Zealot0...@gmail.com> typed:
>
> > Hi:
>
> > I have some problem with icmpredirect.
>
> > I already set the register key HKEY_LOCAL_MACHINE\SYSTEM
> > \CurrentControlSet\Services\Tcpip\Parameters\Enabl eICMPRedirects to 1,
> > and let icmpredirectbypass the windows firewall.
>
> > I checked that gateway send the icmpredirectpacket, but it seems
> > that windows just ignore it.
>
> > Thanks.
>
> What operating system version? It may be ignoring it. Many places offer how
> to disable it, such as the following link, but this link also explains why
> Windows 2000 will ignore it.
>
> Cannot Disable ICMP Redirects By Changing "EnableICMPRedirect" Registry
> Valuehttp://support.microsoft.com/default.aspx?scid=kb;en-us;293626
>
> I'm highly curious: What was the design intentions behind it's requirement
> in your infrastructure especially using a Windows machine? Reason why I'm
> asking is it's normally used for between routers for route information and
> it's use is not considered a "best practice," whereas a Windows host simply
> has only one default gateway (the router) and the gateway handles routing.
> Unless you have multiple gateways?
>
> For those of you out there not familiar with this feature, here you go:
> ICMP Redirects explanation:http://www.cymru.com/gillsr/document...ts-are-bad.htm
>
> A little old, but the idea is the same:
> Explanation of ICMPRedirectBehaviorhttp://support.microsoft.com/kb/q195686/
>
> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> checkhttp://support.microsoft.comfor regional support phone numbers.
>
> Infinite Diversities in Infinite Combinations

Thanks for your reply.

I have tested on Windows XP SP2. It doesn't work. But on linux box, it
works

There are 2 gateways in my innernet. One for internet, the other for
innernet.
I'm using DHCP on the LAN and point default gateway to the internat
gateway,
and the internet gateway forward the packet to innernet gateway. but
there
are some application which requires low latency and high bindwidth
need to
access the service on the other LAN of innernet. It is very hard to
install
route entry on every mechine in the LAN.

In news:7394304a-c24f-47c9-af41-(E-Mail Removed),
Zealot <(E-Mail Removed)> typed:
> Thanks for your reply.
>
> I have tested on Windows XP SP2. It doesn't work. But on linux box, it
> works
>
> There are 2 gateways in my innernet. One for internet, the other for
> innernet.
> I'm using DHCP on the LAN and point default gateway to the internat
> gateway,
> and the internet gateway forward the packet to innernet gateway. but
> there
> are some application which requires low latency and high bindwidth
> need to
> access the service on the other LAN of innernet. It is very hard to
> install
> route entry on every mechine in the LAN.

I'm not completely following your explanation in relation to the need of
ICMP redirects. I'm trying to follow and understand the differences between
"innernet" and "intranat" as you described it.

From the looks of things, it sounds like a static route configured in your
default gateway router pointing to the "innernet," which I assume you mean
that is a separate subnet on your INTRANET (inside private network) may just
do the trick. If the app is on a server on that subnet, and the server is
defined in DNS or WINS with a private IP on that subnet, a static route will
"redirect" (or simply send) the packet to that other router. Have you tried
that?

Ace

On May 22, 9:54*am, "Ace Fekay [MVP]" <PleaseAs...@SomeDomain.com>
wrote:
> Innews:7394304a-c24f-47c9-af41-(E-Mail Removed),
> Zealot <Zealot0...@gmail.com> typed:
>
>
>
>
>
> > Thanks for your reply.
>
> > I have tested on Windows XP SP2. It doesn't work. But on linux box, it
> > works
>
> > There are 2 gateways in my innernet. One for internet, the other for
> > innernet.
> > I'm using DHCP on the LAN and point default gateway to the internat
> > gateway,
> > and the internet gateway forward the packet to innernet gateway. but
> > there
> > are some application which requires low latency and high bindwidth
> > need to
> > access the service on the other LAN of innernet. It is very hard to
> > install
> > route entry on every mechine in the LAN.
>
> I'm not completely following your explanation in relation to the need of
> ICMP redirects. I'm trying to follow and understand the differences between
> "innernet" and "intranat" as you described it.
>
> From the looks of things, it sounds like a static route configured in your
> default gateway router pointing to the "innernet," which *I assume you mean
> that is a separate subnet on your INTRANET (inside private network) may just
> do the trick. If the app is on a server on that subnet, and the server is
> defined in DNS or WINS with a private IP on that subnet, a static route will
> "redirect" (or simply send) the packet to that other router. Have you tried
> that?
>
> Ace- Hide quoted text -
>
> - Show quoted text -

Yes, I already set up a static routing entry on the default gateway
pointing to the innernet gateway, but it takes an unnecessary hop from
default gateway to innernet gateway. I want the packet go directly to
the innernet gateway or there will be bandwidth and latency problems.
Set up a static routing entry on every machine can solve this problem,
but as I mentioned, a lot of work will be taken to set up a static
routing entry on every machine in the LAN. So I'm considering ICMP
redirect as a simple solution.

"Zealot" <(E-Mail Removed)> wrote in message
news:2f1daac0-621c-420f-8737-(E-Mail Removed)...
On May 22, 9:54 am, "Ace Fekay [MVP]" <PleaseAs...@SomeDomain.com>
wrote:
> Innews:7394304a-c24f-47c9-af41-(E-Mail Removed),
> Zealot <Zealot0...@gmail.com> typed:
>
>
>
>
>
> > Thanks for your reply.
>
> > I have tested on Windows XP SP2. It doesn't work. But on linux box, it
> > works
>
> > There are 2 gateways in my innernet. One for internet, the other for
> > innernet.
> > I'm using DHCP on the LAN and point default gateway to the internat
> > gateway,
> > and the internet gateway forward the packet to innernet gateway. but
> > there
> > are some application which requires low latency and high bindwidth
> > need to
> > access the service on the other LAN of innernet. It is very hard to
> > install
> > route entry on every mechine in the LAN.
>
> I'm not completely following your explanation in relation to the need of
> ICMP redirects. I'm trying to follow and understand the differences
> between
> "innernet" and "intranat" as you described it.
>
> From the looks of things, it sounds like a static route configured in your
> default gateway router pointing to the "innernet," which I assume you mean
> that is a separate subnet on your INTRANET (inside private network) may
> just
> do the trick. If the app is on a server on that subnet, and the server is
> defined in DNS or WINS with a private IP on that subnet, a static route
> will
> "redirect" (or simply send) the packet to that other router. Have you
> tried
> that?
>
> Ace- Hide quoted text -
>
> - Show quoted text -

>Yes, I already set up a static routing entry on the default gateway
>pointing to the innernet gateway, but it takes an unnecessary hop from
>default gateway to innernet gateway. I want the packet go directly to
>the innernet gateway or there will be bandwidth and latency problems.
>Set up a static routing entry on every machine can solve this problem,
>but as I mentioned, a lot of work will be taken to set up a static
>routing entry on every machine in the LAN. So I'm considering ICMP
>redirect as a simple solution.

Ok. You have the static route in place and the traffic is being
redirected.
You also have ICMPRedirect enabled on the workstation.
Are you saying that the static route is not being added to the
workstation's routing table?

When the router redirects the packet, it will also send an ICMP redirect
message to the workstation. If EnableICMPRedirect is set the route should be
added to the routing table of the workstation, so that next time it needs to
access the intranet subnet it will have a route to access it by the
alternate gateway.

Have you checked the routing table on the workstation soon after a
redirect to see if the route is there? The route is not persistent. It will
disappear after a while if it is not used (about ten minutes, i think).

If you want a persistent route you will need to add it to each
workstation as a persistent static route.

On May 22, 1:57*pm, "Bill Grant" <not.available@online> wrote:
> "Zealot" <Zealot0...@gmail.com> wrote in message
>
> news:2f1daac0-621c-420f-8737-(E-Mail Removed)...
> On May 22, 9:54 am, "Ace Fekay [MVP]" <PleaseAs...@SomeDomain.com>
> wrote:
>
>
>
>
>
> > Innews:7394304a-c24f-47c9-af41-(E-Mail Removed),
> > Zealot <Zealot0...@gmail.com> typed:
>
> > > Thanks for your reply.
>
> > > I have tested on Windows XP SP2. It doesn't work. But on linux box, it
> > > works
>
> > > There are 2 gateways in my innernet. One for internet, the other for
> > > innernet.
> > > I'm using DHCP on the LAN and point default gateway to the internat
> > > gateway,
> > > and the internet gateway forward the packet to innernet gateway. but
> > > there
> > > are some application which requires low latency and high bindwidth
> > > need to
> > > access the service on the other LAN of innernet. It is very hard to
> > > install
> > > route entry on every mechine in the LAN.
>
> > I'm not completely following your explanation in relation to the need of
> > ICMP redirects. I'm trying to follow and understand the differences
> > between
> > "innernet" and "intranat" as you described it.
>
> > From the looks of things, it sounds like a static route configured in your
> > default gateway router pointing to the "innernet," which I assume you mean
> > that is a separate subnet on your INTRANET (inside private network) may
> > just
> > do the trick. If the app is on a server on that subnet, and the server is
> > defined in DNS or WINS with a private IP on that subnet, a static route
> > will
> > "redirect" (or simply send) the packet to that other router. Have you
> > tried
> > that?
>
> > Ace- Hide quoted text -
>
> > - Show quoted text -
> >Yes, I already set up a static routing entry on the default gateway
> >pointing to the innernet gateway, but it takes an unnecessary hop from
> >default gateway to innernet gateway. I want the packet go directly to
> >the innernet gateway or there will be bandwidth and latency problems.
> >Set up a static routing entry on every machine can solve this problem,
> >but as I mentioned, a lot of work will be taken to set up a static
> >routing entry on every machine in the LAN. So I'm considering ICMP
> >redirect as a simple solution.
>
> * * Ok. You have the static route in place and the traffic is being
> redirected.
> * * You also have ICMPRedirect enabled on the workstation.
> * * Are you saying that the static route is not being added to the
> workstation's routing * * * * table?
>
> * * When the router redirects the packet, it will also send an ICMP redirect
> message to the workstation. If EnableICMPRedirect is set the route should be
> added to the routing table of the workstation, so that next time it needs to
> access the intranet subnet it will have a route to access it by the
> alternate gateway.
>
> * * Have you checked the routing table on the workstation soon after a
> redirect to see if the route is there? The route is not persistent. It will
> disappear after a while if it is not used (about ten minutes, i think).
>
> * * If you want a persistent route you will need to add it to each
> workstation as a persistent static route.- Hide quoted text -
>
> - Show quoted text -

Using tcpdump, I can figure out that the ICMP packet have send
properly from the gateway to the workstation, but the WinXP
workstation seems ignore it. I checked that there are no routing entry
set up on the workstation. And in the same LAN, when use Debian Linux
workstation, it works properly, as soon as it receive the ICMP
redirect packet, it send packet to innernet gateway directly.

In news:e203305b-0a0b-4ff8-90d8-(E-Mail Removed),
Zealot <(E-Mail Removed)> typed:

> Using tcpdump, I can figure out that the ICMP packet have send
> properly from the gateway to the workstation, but the WinXP
> workstation seems ignore it. I checked that there are no routing entry
> set up on the workstation. And in the same LAN, when use Debian Linux
> workstation, it works properly, as soon as it receive the ICMP
> redirect packet, it send packet to innernet gateway directly.

You can create the static route on all workstations, by creating a batch
file and placing it in your logon script for those users.

Ace