#StackBounty: #linux #firewall #routing ICMP Host Unreachable messages result in martian source packets

Bounty: 50

I’ve been trying to understand a peculiar behavior in our routing/firewall setup for quite some time now, but don’t really understand what’s going on.

We have a firewall/router appliance that has two external facing interfaces and a number of internal VLANs.

The specific behavior is observed when a client (MAC f4:f5:d8:d2:f2:4c, IP in this example) on our guest WiFi network VLAN 99 sends a ping echo request to some internet host, which we prohibit.

The router sends back an ICMP host unreachable packet from its vlan99 interface (MAC 00:08:a2:0d:00:70, IP to the client, and at the exact same time we see a martian packet on the external interface eth-ext1:

tcpdump shows this:

tcpdump -i vlan99 -vvvvn 'icmp and host'
11:59:21.555564 f4:f5:d8:d2:f2:4c > 00:08:a2:0d:00:70, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) > ICMP echo request, id 2303, seq 1, length 64
11:59:21.555651 00:08:a2:0d:00:70 > f4:f5:d8:d2:f2:4c, ethertype IPv4 (0x0800), length 126: (tos 0xc0, ttl 64, id 8585, offset 0, flags [none], proto ICMP (1), length 112) > ICMP host unreachable, length 92
    (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) > ICMP echo request, id 2303, seq 1, length 64

Nothing surprising here, this is the original ping from the client and the resulting ICMP packet going back to the guest client informing them that the host is unreachable.

At the same time, an entry appears in the kernel log:

Feb 21 11:59:21 ganymede kernel: IPv4: martian source from, on dev eth-ext1
Feb 21 11:59:21 ganymede kernel: ll header: 00000000: 00 08 a2 0d 00 70 f4 f5 d8 d2 f2 4c 08 00        .....p.....L..

The link layer information shows that this ethernet frame came from the client device to the router’s vlan99 interface, which makes me wonder why it appears as a martian packet on eth-ext1 with a source address of

I have failed so far to get a trace of the packet with the martian source, which leaves me wondering if martian source logging also happens on an egress interface, before tcpdump has a chance to see it?

I’ll gladly provide more information on request (routing tables or the like), and would appreciate any pointers as to what’s going on here.
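The decoding done by hand above (reading the `ll header` hex as destination MAC, source MAC and ethertype, and matching the destination MAC to the router's vlan99 interface) can be scripted so that every martian entry is attributed to the interface that actually received the frame and compared with the `on dev` name the kernel reported. The following is an added example, not code from the question or from the appliance; it parses the two-line kernel message format (`martian source <dst> from <src>, on dev <X>` followed by the `print_hex_dump` line). The sample log lines and IP addresses are constructed (documentation ranges standing in for the addresses stripped from the post), the MAC-to-interface table is an assumption with the vlan99 MAC taken from the question and a placeholder MAC for eth-ext1:

```python
"""Decode Linux 'martian source' kernel messages and attribute the frame.

Added example, not code from the original question. It parses the two kernel
log lines the question quotes (the 'IPv4: martian source ... on dev X' line and
the 'll header:' hex dump that follows it), recovers the Ethernet header from
the hex bytes, and checks whether the destination MAC belongs to the interface
the kernel named. The log lines and IP addresses below are constructed for the
example (documentation ranges); the MAC addresses are the ones in the question.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message format used by net/ipv4/route.c:
#   "martian source <daddr> from <saddr>, on dev <dev>"
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}), on dev (?P<dev>\S+)"
)
# print_hex_dump line: "ll header: 00000000: 00 08 a2 ... 08 00        .....p..."
LLHDR_RE = re.compile(r"ll header: [0-9a-f]{8}: (?P<hex>(?:[0-9a-f]{2} ?)+)")

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}


@dataclass
class MartianEvent:
    daddr: str                      # destination IP of the offending packet
    saddr: str                      # the "martian" source IP
    dev: str                        # device the kernel ran the lookup against
    dst_mac: Optional[str] = None
    src_mac: Optional[str] = None
    ethertype: Optional[int] = None


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_martian_log(lines: List[str]) -> List[MartianEvent]:
    """Pair each 'martian source' line with the 'll header' dump that follows it."""
    events: List[MartianEvent] = []
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m:
            events.append(MartianEvent(m["dst"], m["src"], m["dev"]))
            continue
        h = LLHDR_RE.search(line)
        if h and events and events[-1].ethertype is None:
            raw = bytes.fromhex(h["hex"].replace(" ", ""))
            if len(raw) >= 14:          # 6 dst MAC + 6 src MAC + 2 ethertype
                ev = events[-1]
                ev.dst_mac = _mac(raw[0:6])
                ev.src_mac = _mac(raw[6:12])
                ev.ethertype = int.from_bytes(raw[12:14], "big")
    return events


def attribute(ev: MartianEvent, mac_to_iface: Dict[str, str]) -> Dict[str, object]:
    """Name the interface that owns the frame's destination MAC (where the frame
    really arrived) and flag it when that differs from the logged 'dev'."""
    ingress = mac_to_iface.get(ev.dst_mac or "", "unknown")
    return {
        "logged_dev": ev.dev,
        "ingress_iface": ingress,
        "sender_mac": ev.src_mac,
        "ethertype": ETHERTYPES.get(ev.ethertype, hex(ev.ethertype) if ev.ethertype else None),
        "dev_mismatch": ingress != "unknown" and ingress != ev.dev,
    }


# Constructed sample: the two lines from the question with placeholder IPs
# (192.0.2.10 = guest client, 198.51.100.7 = the pinged internet host).
SAMPLE_LOG = [
    "Feb 21 11:59:21 ganymede kernel: IPv4: martian source 198.51.100.7 from 192.0.2.10, on dev eth-ext1",
    "Feb 21 11:59:21 ganymede kernel: ll header: 00000000: 00 08 a2 0d 00 70 f4 f5 d8 d2 f2 4c 08 00        .....p.....L..",
]
# Router interface MACs (assumed table: vlan99's MAC is from the question,
# eth-ext1's is a placeholder).
ROUTER_MACS = {"00:08:a2:0d:00:70": "vlan99", "00:08:a2:0d:00:71": "eth-ext1"}

if __name__ == "__main__":
    for ev in parse_martian_log(SAMPLE_LOG):
        print(ev)
        print(attribute(ev, ROUTER_MACS))
```

On the constructed sample the report shows `ingress_iface` as vlan99 (the destination MAC is the vlan99 interface's), the sender MAC as the guest client, and `dev_mismatch` set, which is the same observation the question makes: the frame in the dump is the client's echo request received on vlan99, while `on dev` names eth-ext1, the device the kernel ran the source check against.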
