Looking for recommendations for dealing with asymmetric traffic

  • We are running a multi-WAN configuration with 4 uplinks and 5-6 local subnets, half of them IPv6-only. We use BGP for external routing and asymmetric routing is the norm.

    However, asymmetric routing is challenging to run through a firewall and my configuration is a mess with lots of duplicate rules and redundant states. I'm replacing a ScreenOS firewall with pfSense; it is easy to do with Juniper but I cannot get my head around pfSense firewall logic. Here is what I've done so far:

    • segregate IPv4 and IPv6 rules

    • clearly separate rules for egress and ingress traffic

    This creates 4 groups of rules for each interface and interface group, and applies to floating rules too.

    • I rely on floating rules for maintaining egress states

    • I rely on LAN interface rules for maintaining ingress states

    • I use interface groups to control ingress access, but they also create states that are not really useful for anything but duplicates, and I'm thinking of disabling states on interface group rules but have had no chance to explore it. I also saw somewhere in the documentation a mention that interface group rules are somehow deficient and do not always create states as one would expect, so that is another reason for this.

    The configuration works, but I haven't been able to fully test it to be certain. It is also fragile, because if I ever need to change a rule it will need to be modified in several places and it is easy to make a mistake (at this point I miss ScreenOS's zones direly, but there is no going back).

    Now, I have this feeling/hope that I'm just doing it wrong and there is a better way, but I couldn't find any guides or recommendations on how to deal with asymmetric routing. Could someone point me in the right direction? Any examples of working configurations or practical advice on how to keep the rule-set simple are appreciated.


    P.S. I'm keeping one last-resort option open so far, that is, to add a dedicated router in front of pfSense and offload routing to it, but at that point I will probably be reconsidering the entire solution.
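The four rule groups the post describes (IPv4/IPv6 times egress/ingress), written out as an added pf.conf-style example that is not the poster's configuration. pfSense renders its GUI rules into this same pf syntax, so the directives map onto what the floating and interface rules produce, but the interface names, VLANs, subnets and prefixes below are constructed placeholders (RFC 5737 and RFC 3849 documentation ranges). The security-relevant points it shows are the floating state policy, so a state created on one uplink matches return packets arriving on another; sloppy TCP tracking on flows whose two directions take different paths, so pf does not drop packets for sequence numbers it never saw; and explicit anti-spoof blocks on the uplinks, which are the usual casualty when rules are duplicated across interfaces.

```pf
# Added example, not the poster's configuration: a pf.conf-style ruleset
# laying out the four rule groups (IPv4/IPv6 x egress/ingress) for an
# asymmetric multi-WAN setup. Interface names, subnets and prefixes are
# constructed placeholders (RFC 5737 / RFC 3849 documentation ranges).

wan_ifs   = "{ igb0 igb1 igb2 igb3 }"
lan_ifs   = "{ vlan10 vlan20 vlan30 }"
lan4_nets = "{ 192.0.2.0/24 198.51.100.0/24 }"
lan6_nets = "{ 2001:db8:10::/64 2001:db8:20::/64 }"

# Let a state created on one uplink match return packets on another,
# instead of binding each state to the interface that created it.
set state-policy floating

# Default deny, evaluated last because every pass/block below is "quick".
block log all

# Anti-spoof: internal source addresses must never arrive on an uplink.
block in log quick on $wan_ifs inet  from $lan4_nets to any
block in log quick on $wan_ifs inet6 from $lan6_nets to any

# Group 1: IPv4 egress on the uplinks. "flags any" plus sloppy TCP tracking
# so a flow whose two directions traverse different uplinks is not dropped
# for out-of-window sequence numbers or a handshake pf only half saw.
# Note: with a floating state policy, a packet that already matched a
# Group 2 state on the LAN side is forwarded by that state and never reaches
# these rules, so they do not create a second, duplicate state for it.
pass out quick on $wan_ifs inet proto tcp from $lan4_nets to any \
    flags any keep state (sloppy)
pass out quick on $wan_ifs inet proto { udp icmp } from $lan4_nets to any \
    keep state

# Group 2: IPv4 ingress from the LAN side: what internal hosts may initiate.
pass in quick on $lan_ifs inet proto tcp from $lan4_nets to any \
    flags any keep state (sloppy)
pass in quick on $lan_ifs inet proto { udp icmp } from $lan4_nets to any \
    keep state

# Group 3: IPv6 egress, mirroring Group 1 for the IPv6-only subnets.
pass out quick on $wan_ifs inet6 proto tcp from $lan6_nets to any \
    flags any keep state (sloppy)
pass out quick on $wan_ifs inet6 proto udp from $lan6_nets to any keep state

# Group 4: IPv6 ingress from the LAN side. ICMPv6 is passed in both
# directions because neighbour discovery and path-MTU discovery depend on it.
pass quick inet6 proto icmp6 all keep state
pass in quick on $lan_ifs inet6 proto tcp from $lan6_nets to any \
    flags any keep state (sloppy)
pass in quick on $lan_ifs inet6 proto udp from $lan6_nets to any keep state
```

Loading a ruleset like this with `pfctl -nf <file>` parses it without installing it, which is a cheap check that a change made in one group was not mistyped; `pfctl -ss` afterwards shows whether a given flow really has one state or several, which is the quickest way to confirm whether the duplicate states the post mentions are still being created.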
