Netgate Discussion Forum

uRPF - Need to Permit Asymmetric Flow via GRE/IPSec

Category: Firewalling
Tags: rpfilter, asymmetric, urpf, gre, ipsec
1 post, 1 poster, 531 views
jeffh, last edited Oct 19, 2022, 11:49 PM

    Hello,

    I've seen a number of posts about uRPF, rp_filter, and anti-spoofing protection, but none have any responses that address how to handle observed behavior.

    I am working with a pfSense firewall that is being used with GRE and IPsec tunnels to connect to a cloud service provider.

    It's up to the customer which they want to use - GRE or IPsec.

    The provider uses ICMP probes to perform health checks of the tunnels - the health checks are the same irrespective of whether the tunnel is GRE or IPsec.

    The path the health checks take effectively results in an asymmetric route, and uRPF/anti-spoofing protection will break the checks.

    The path is as follows:

    1. They send an ICMP reply probe *** from inside their cloud
    2. The ICMP reply probe is encapsulated (GRE or IPsec) as it enters the tunnel
    3. pfSense receives the probe inside the tunnel, which lands on a virtual tunnel interface
    4. pfSense de-encapsulates the probe and forwards the packet to the destination IP - the return path egresses the Internet interface and travels across the commodity Internet on its way back to the cloud provider

    Since the ICMP probes ingress a Virtual Tunnel Interface and egress through a physical interface, uRPF/rp_filter does not like this and drops the packet before it even starts making its way back to the cloud provider.

    Is there any way to disable uRPF/rp_filter and/or configure a security rule that would allow this?

    Thank you for your time,

    -JeffH

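The behaviour described in the post comes down to which flavour of reverse-path check the firewall applies. A strict check passes a packet only if the best route back to its source address leaves through the interface the packet arrived on; a loose check only requires that some route to the source exists. The following is an added illustration, not code from the post or from pfSense: it models a constructed routing table in which the cloud provider's probe source is a public address reachable via the default route, so a probe that arrives on the GRE interface fails strict uRPF, passes loose uRPF, and passes strict uRPF only if the tunnel interface is exempted. The interface names (igb0, igb1, gre0) and addresses are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


# Constructed routing table for the example (hypothetical addresses and interfaces):
# default route out the Internet interface, a directly connected LAN, and the
# cloud's private ranges reached over the GRE tunnel.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "igb0"),        # WAN / commodity Internet
    Route(ipaddress.ip_network("192.168.10.0/24"), "igb1"),  # LAN
    Route(ipaddress.ip_network("10.200.0.0/16"), "gre0"),    # cloud networks via tunnel
]


def lookup(ip, routes=ROUTES):
    """Longest-prefix match: return the most specific Route covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def strict_rpf(src, ingress, routes=ROUTES):
    """Strict uRPF: the best route back to src must leave via the ingress interface."""
    r = lookup(src, routes)
    return r is not None and r.iface == ingress


def loose_rpf(src, ingress, routes=ROUTES):
    """Loose uRPF: any route back to src is enough; the ingress interface is ignored."""
    return lookup(src, routes) is not None


def rpf_verdict(src, ingress, mode="strict", exempt=(), routes=ROUTES):
    """Return 'pass' or 'drop' for a packet from src arriving on ingress.

    exempt lists interfaces on which the check is skipped entirely, which is
    how a tunnel interface carrying known-asymmetric traffic can be carved out
    while the physical interfaces keep the strict check.
    """
    if ingress in exempt:
        return "pass"
    check = strict_rpf if mode == "strict" else loose_rpf
    return "pass" if check(src, ingress, routes) else "drop"


if __name__ == "__main__":
    # The provider's probe: public source address, arrives inside the tunnel.
    probe_src, probe_if = "198.51.100.7", "gre0"
    # A spoofed packet claiming a LAN source but arriving on the WAN interface.
    spoof_src, spoof_if = "192.168.10.5", "igb0"
    for label, src, ifc in (("probe", probe_src, probe_if), ("spoof", spoof_src, spoof_if)):
        print(label, "strict:", rpf_verdict(src, ifc, "strict"),
              "loose:", rpf_verdict(src, ifc, "loose"),
              "strict+exempt gre0:", rpf_verdict(src, ifc, "strict", exempt=("gre0",)))
```

The spoofed-packet case is the reason to prefer exempting the tunnel interface over switching everything to loose mode: loose uRPF lets the forged LAN source through on the WAN interface, while strict-with-exemption still drops it. In pf terms, the strict check is what `block in quick from urpf-failed` implements (pf has no loose variant), so the equivalent carve-out is to scope that block rule to the physical interfaces, or to place a `pass in quick` rule for the tunnel interface ahead of it. On pfSense, also confirm that the return packets are not being forced out the tunnel by the reply-to keyword that pfSense adds to WAN-type rules; it can be switched off per rule (Advanced Options) or globally under System > Advanced > Firewall & NAT.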
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.