    Routing in / out the same interface

    Category: Routing and Multi WAN
    5 Posts, 4 Posters, 2.2k Views
    l4k3k3m4n:

      Hello,
      I have a simple question:

      Will pfSense always route replies out of the same interface they came in on, even when there is another (maybe better) route to the target available?

      I think yes, but I can't find information on this.

      Thanks

    moikerz:

        Yes, unless you want to deal with random packet drops due to asynchronous routing. Remember pfSense is a stateful firewall.

    awebster:

          @l4k3k3m4n:

          Hello,
          I have a simple question:

          Will pfSense always route replies out of the same interface they came in on, even when there is another (maybe better) route to the target available?

          I think yes, but I can't find information on this.

          Thanks

          pfSense will use the best route to send the traffic to.
          You must make sure that your configuration doesn't create asymmetric traffic; as moikerz pointed out, pfSense is a stateful firewall and will drop out-of-state traffic.

          –A.

    l4k3k3m4n:

            The answers confuse me a bit.
            OK, I will give an example.

            I have 2 WAN connections.
            WAN1 is a permalink with a /29 public subnet.
            WAN2 is a fast cable connection with 1 public IP assigned by DHCP in a /21 subnet.

            All my services (like VPN, web servers, Remote Desktop) are published on WAN1 IP addresses.

            So when pfSense gets a connection on WAN1 (to the published services), it is possible that this connection is initiated by an IP address in the range of the WAN2 subnet (because the ISP is assigning this range to customers in this region).

            So if pfSense follows the routing table, the reply should go out WAN2 because it is directly connected (that would be asynchronous routing).
            But of course I do not want that to happen.

            So the question is, what is pfSense's behaviour by default?
            I think it will always reply on the same interface and ignore the routing table.
            Right? Thanks.

    Derelict (LAYER 8, Netgate):

              reply-to
                  The reply-to option is similar to route-to, but routes packets that pass in the opposite direction (replies) to the specified interface. Opposite direction is only defined in the context of a state entry, and reply-to is useful only in rules that create state. It can be used on systems with multiple external connections to route all outgoing packets of a connection through the interface the incoming connection arrived through (symmetric routing enforcement).

              Pretty sure pfSense makes sure that's the case where possible.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

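As an added example that is not part of this thread, here is what the reply-to option quoted above looks like in a pf ruleset for the dual-WAN layout l4k3k3m4n describes. Interface names, addresses, gateways and the internal server address are constructed placeholders. pfSense writes equivalent reply-to clauses into the rules it generates for a WAN interface that has a gateway assigned, which is why the behaviour asked about is the default; it can be switched off globally under System > Advanced > Firewall & NAT ("Disable reply-to on WAN rules").

```pf
# Added example (not from the thread or the pfSense project): pf rules
# illustrating reply-to on a dual-WAN firewall.  Every name and address
# below is a constructed placeholder.
wan1_if = "em0"            # WAN1: /29 permalink, services published here
wan1_gw = "203.0.113.1"    # WAN1 upstream gateway
wan2_if = "em1"            # WAN2: cable, one DHCP address inside a /21
wan2_gw = "198.51.100.1"   # WAN2 upstream gateway
web_srv = "10.0.0.10"      # internal host behind the published WAN1 address

# Inbound rule on WAN1 for the published web service.  reply-to pins the
# reply direction of every state this rule creates to WAN1's gateway, so a
# client whose address happens to lie inside WAN2's directly connected /21
# still receives its replies via WAN1.  Without reply-to, pf would consult
# the routing table for the reply, the /21 is a directly connected route,
# and the reply would leave via WAN2 carrying a WAN1 source address, which
# the WAN2 ISP may discard as spoofed and which leaves the client's path
# asymmetric.
pass in quick on $wan1_if reply-to ($wan1_if $wan1_gw) \
    proto tcp from any to $web_srv port 443 \
    flags S/SA keep state

# The same rule without reply-to, kept here commented out for comparison:
# pass in quick on $wan1_if proto tcp from any to $web_srv port 443 \
#     flags S/SA keep state
```

To check what pfSense actually loaded, run `pfctl -sr` from the shell (Diagnostics > Command Prompt or SSH) and look for the `reply-to` clause on the WAN rules; `pfctl -ss` lists the current state table, where each state created by such a rule records the interface and gateway its replies will use.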
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.