Netgate Discussion Forum
    Looking for recommendations for dealing with asymmetric traffic

    Category: Routing and Multi WAN (1 post, 1 poster, 442 views)

    • dtoubelis

      We are running a multi-WAN configuration with 4 up-links and 5-6 local subnets, half of them IPv6 only. We use BGP for external routing, and asymmetric routing is the norm.

      However, asymmetric routing is challenging to run through a firewall, and my configuration is a mess with lots of duplicate rules and redundant states. I'm replacing a ScreenOS firewall with pfSense; it is easy to do with Juniper, but I cannot get my head around pfSense firewall logic. Here is what I've done so far:

      • segregate IPv4 and IPv6 rules

      • clearly separate rules for egress and ingress traffic

      This creates 4 groups of rules for each interface and interface group, and it applies to floating rules too.

      • I rely on floating rules for maintaining egress states

      • I rely on LAN interface rules for maintaining ingress states

      • I use interface groups to control ingress access, but they also create states that are not really useful for anything and are just duplicates. I'm thinking of disabling states on interface group rules but have had no chance to explore this. I also saw somewhere in the documentation a mention that interface group rules are somehow deficient and do not always create states as one would expect, so that is another reason for this.

      The configuration works but I haven't been able to fully test it to be certain. It is also fragile because if I ever need to change a rule it will need to be modified in several places and it is easy to make a mistake (at this point I miss ScreenOS's zones direly but there is no going back).

      Now, I have this feeling/hope that I'm just doing it wrong and there is a better way, but I couldn't find any guides or recommendations on how to deal with asymmetric routing. Could someone point me in the right direction? Any examples of working configurations or practical advice on how to keep the rule-set simple are appreciated.

      Thanks.

      P.S. I'm keeping one last resort option open so far - that is to add a dedicated router in front of pfSense and offload routing to it but at this point I will probably be reconsidering the entire solution.

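Added illustration, not the original poster's ruleset and not what the pfSense GUI generates: a hand-written pf.conf fragment that lays out the IPv4/IPv6 and egress/ingress split described in the post, together with the two pf state options that matter when replies come back through a different WAN than the request left on. The interface name lan0, the interface group name wan_grp, and the table contents are assumptions.

```pf
# Hand-written pf.conf fragment (assumption: illustrative only, not the
# poster's configuration and not pfSense GUI output). lan0, the interface
# group "wan_grp" and the table contents are constructed.

# pfSense binds states to the interface that created them (if-bound).
# "floating" lets a state match on any interface, so a reply arriving on a
# different WAN than the request left through still hits the same state.
set state-policy floating

table <lan_v4> { 192.0.2.0/24, 198.51.100.0/24 }     # constructed sample nets
table <lan_v6> { 2001:db8:1::/64, 2001:db8:2::/64 }  # constructed sample nets

# Egress states: floating-style rules (no "on <if>", so they apply on any
# interface). "sloppy" skips TCP sequence/window tracking, which asymmetric
# paths otherwise break; the cost is weaker TCP state validation, so keep it
# to the rules whose traffic is genuinely asymmetric.
pass out quick inet  from <lan_v4> to any keep state (sloppy)
pass out quick inet6 from <lan_v6> to any keep state (sloppy)

# Ingress states, created where the traffic first arrives (the LAN side).
pass in quick on lan0 inet  from <lan_v4> to any keep state (sloppy)
pass in quick on lan0 inet6 from <lan_v6> to any keep state (sloppy)

# Ingress access control on the WAN interface group: default deny, then the
# explicitly allowed inbound services, separated by address family.
block in on wan_grp
pass in on wan_grp inet  proto tcp to <lan_v4> port 443 keep state (sloppy)
pass in on wan_grp inet6 proto tcp to <lan_v6> port 443 keep state (sloppy)
```

A fragment like this can be syntax-checked without loading it with `pfctl -nf <file>`. The point of the layout is that the address family and the direction are fixed per rule block, so each block is the only place a given kind of traffic is handled, and the state-policy and sloppy options, not duplicate rules, are what absorb the asymmetric return path.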
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.