Asymmetric routing: Custom FW rule vs. Static route filtering
-
Hello,
I hope you are all well.I’d like to ask you about asymmetric routing. On example (image attached) I designed something that I consider standard setup in each larger organization. Network segments that are closer to internet are considered as less secure (front end) and other segments are considered as more secure (back end).
I built following example using pfSense VMs. A few details:
-
Every pfSense has static routes
-
Every pfSense has active FW since in most cases a server cannot start connection to server in more secure network (I consider this as standard approach in network security)
-
To make it work I had to tick checkbox “Static route filtering”: “Bypass firewall rules for traffic on the same interface”
Before I built this setup I didn’t know about “asymmetric routing”. I spent some time learning about it on internet and here on forum and I’d like to ask you a few questions since I wasn’t able to find answers.
-
According information that I found asymmetric routing is considered as something wrong and you should avoid it by changing network design. How can I do that in my example? I consider my example as standard setup in each larger organization and of course when server from more secure network initiate connection to server in less secure network then server in less secure network will send reply to its default gateway which is different router (example of asymmetric routing).
-
On pfSense: Is it more secure to create custom firewall rules on LAN interface that will allow any connection from AND to segment on left side of the router? I’m not network specialist but I believe that any connection that enter AND leave LAN interface should be allowed since firewalling is usually done on WAN interface.
-
Or is it more secure to simply check “Bypass firewall rules for traffic on the same interface”?
Thank you very much,
Lukas
-
-
"I found asymmetric routing is considered as something wrong and you should avoid it by changing network design. "
Normally you remove the issue of asymmetric routing with the use of transit networks to connect routers.
What are you trying to do here?? Why would you put rules on "lan" interfaces? You do know you can turn off nat if that is what you want.
At a loss here to what your trying to accomplish exactly. Yes pfsense can be used as a firewall downstream in a network.. What your trying to show in that drawing? So your connecting pfsense to some switch inline?? So you want to use it as a transparent firewall?
-
Thank you very much johnpoz for you answer and questions.
Normally you remove the issue of asymmetric routing with the use of transit networks to connect routers.
If I understand the term “transit network” then it means to connect all routers into a same network (core switch).
This would work but I believe some corporate networks use setup as I described in diagram because this might be more secure. More secure because those firewall/routers could be for example from different vendors so attacker would have to know vulnerability of each of them to reach servers on left side. Or for example when network admin makes a mistake in FW configuration then only DMZ is affected and servers on the left are not.
What are you trying to do here?? You do know you can turn off nat if that is what you want.
I’m trying to simulate corporate network. Or you may thing about this as multi-tier application. Web servers are on the right, application servers are in the middle and database servers on the left.
NAT is disabled on all pfSenses except the one on the right that connects internet. All pfSenses except the one on the right are router+firewall.
What your trying to show in that drawing? So your connecting pfsense to some switch inline?? So you want to use it as a transparent firewall?
I wouldn’t call it transparent firewall since if I understand correctly transparent firewall has same subnet on all interfaces.
To explain in different way: Each blue switch represents a single subnet with computers. Subnets are separated by brown routers+firewalls. Two routers on the bottom (router 4 and 6) are not relevant to the question. As I mentioned above you can imagine it as multi-tier application but from my experience I know that similar setup is used in some organization.
Why would you put rules on "lan" interfaces?
This is one way how to make it work (second is ticking “Static route filtering” box) since I need FW only in direction LANif-WANif or WANif-LANif. I can create “Pass” rule and specify all subnets on left side of each router.
Thank you.
-
How many routers do you think are in a corp network?? Other than the core switch in a location, only other router is normally the wan router..
I have been in the business for 30+ years, worked for large fortune 500 company for over 16 years and involved in their global network that spanned 23 different countries with huge facilities with 2000+ users each and actual datacenters in different regions of the world.. Nothing like that. Currently work for large telcom company that supports multiple clients.. I am unclear of what your trying to show there. Yes there are routers between locations, but a site normally would only have a core switch if large enough that would do the routing between their segments.
To be honest firewalling between local segments is rarer than you think. Firewall between locations sure.. Yes you would have a dmz/firewalled segment quite often in a location. But the way you have it drawn I am confused at what your trying to accomplish.. But user to user segments.. This is rare to be firewalled actually..
Again I have been in IT for 30+ years and have seen many many a customers of very large setups, and have never seen such a thing..
Again yes you can use pfsense as router/firewall inside a network - but what you have drawn doesn't make any sense.. You can firewall between any segment/vlan that enters pfsense - why would traffic enter and leave the same interface? Only time that would happen is if you were running more than 1 layer 3 on a layer 2 network..
The path of traffic you show makes no sense.. It looks like that server is on a transit network.. That does NOT happen!! The only way to put something on a transit network is with host routing, where the host sitting on the transit knows what gateway to use to get to the different networks that would talk to it.. But again putting any sort of host on a transit network is never done in a corp network.. It is only ever done by someone that doesn't understand routing..
-
Hi johnpoz,
Thank you very much for long explanation.I did some research and I spoke with one networking specialist that works for service provider with some customers that are very concerned about security. And yes – you are totally true. They have maximum two routers/FW for a single customer / environment. The first router/FW could be (doesn’t have to) edge router on internet with public IP and second is a router for all private networks.
They might use FW (doesn’t have to) on a second router to block unknown traffic from subnets with clients to subnets with servers. For example, employees can TCP 445 (SMB – Windows file shares) to file server but they cannot RDP to it.
As I mentioned this is the maximum and they usually have only one router.
So in case of this maximal deployment (two routers and FW rules between private networks) I’d replace all routers except router #1 by a single router with multiple network adapters and each adapter would be connected to a single private subnet. In this case I wouldn’t have an issue with asymmetric routing.
Is such configuration something that is familiar to you?
Thank you,
Lukas -
yes there is always going to be a border/edge router/firewall this brings the wan connection into the location. Then behind that there would be the actual firewall that would do the nat. Quite often there would be IPS between the edge (internet/wan) and the inside firewall. You could then have another firewall, but most likely just a firewalled segment to get into the dmz. Or the dmz might even sit on a segment off the very edge router/firewall.
But internally you don't see router 3, 4, 5 and 6 etc..
But still don't think you grasp what a transit network is.. Even if I had 100 routers all connected together you would not but "hosts" on a network between routers..