Netgate Discussion Forum

Problem with Forcing Asymmetric Traffic Through Specific Gateway

Category: Routing and Multi WAN (7 posts, 2 posters)
  philippe richard, Apr 14, 2025, 11:58 AM

    Hello everyone,

    I need your help because I'm lost. I need to pass asymmetric requests, but I'm failing every time.

    Let me explain: server 10.30.0.20 sends requests on port 445 to server 10.15.55.10. The request arrives through the gateway between the EdgeRouter and Netgate 1, and then goes to server 10.15.55.10. This works, I can see the requests arriving.

    The problem is that I have a static route 10.30.0.0/24 that goes to another gateway in another Netgate, and I cannot delete this static route. Therefore, the response requests do not leave the TEST interface where server 10.15.55.10 is located.

    In summary, I have a rule on the Netgate interface that connects it to the EdgeRouter that I have set to "sloppy", and another rule on the TEST interface with source 10.15.55.10:445 to 10.30.0.20 with the gateway between the Netgate and the EdgeRouter to force the request to go through this path, but nothing works.

    I hope I have been clear enough and that someone can help me. Thank you!
    (attached diagram: Diagramme sans nom.drawio.png)

    viragomann @philippe richard, Apr 14, 2025, 12:18 PM

      @philippe-richard said in Problem with Forcing Asymmetric Traffic Through Specific Gateway:

      The problem is that I have a static route 10.30.0.0/24 that goes to another gateway in another Netgate, and I cannot delete this static route. Therefore, the response requests do not leave the TEST interface where server 10.15.55.10 is located.

      If you don't need the static route for 10.30.0.20, which I don't assume, I'd rather just create an additional static route for this single IP to override the subnet route than mess with sloppy state rules.

      philippe richard @viragomann, Apr 14, 2025, 12:41 PM

        @viragomann said in Problem with Forcing Asymmetric Traffic Through Specific Gateway:

        10.30.0.20

        Hello viragomann, I hope you are doing well. To answer your question, I cannot create a static route to that single address because other computers need to connect to 10.30.0.20 through this default route. That's why I'm trying to create a policy-based rule, but I'm not succeeding.

        viragomann @philippe richard, Apr 14, 2025, 1:08 PM

          @philippe-richard
          So as I got you, on Netgate 1 you have a static route for 10.30.0.0/24 pointing to Netgate 2, but 10.30.0.20 is behind the edge router? WTF! Why?

          Then you have a routing issue, which cannot be solved with sloppy state rules at all. Yeah, at best, with a sloppy state policy routing rule on the TEST interface, directing traffic to the edge router.

          But I'd rather masquerade the traffic from 10.30.0.20 on the edge router, which seems more reliable to me.

          philippe richard @viragomann, Apr 14, 2025, 1:53 PM

            @viragomann
            It's complicated because it's a migration, and some things cannot be changed at the moment.
            As English is not my native language, I sometimes have difficulty understanding.
            What do you mean by creating a 'sloppy' rule on the TEST interface, or doing a NAT?

            viragomann @philippe richard, Apr 14, 2025, 2:33 PM

              @philippe-richard
              I'd favor the masquerading solution, but the NATting must be done on the edge router. How to do this depends on the device. Presumably it's not Netgate?

              On pfSense you can do this with an outbound NAT rule.

              philippe richard @viragomann, Apr 17, 2025, 11:17 AM

                @viragomann
                Hello,

                Thank you for your help. I changed the default routing to create an additional static route for this single IP, in order to override the subnet route. And for the accesses that require it, I created policy-based rules.

                Have a very good day.

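The following is an added illustration, not code from the thread or from pfSense: it models Netgate 1's reply-path decision for the 10.15.55.10:445 -> 10.30.0.20 flow and compares the two fixes discussed above, a /32 host route (longest prefix match overrides the /24) and a policy-based rule on the TEST interface. Gateway names, the routing table and the rule format are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for Netgate 1; gateway names are placeholders.
ROUTES = [
    ("0.0.0.0/0", "gw_default"),
    ("10.30.0.0/24", "gw_netgate2"),   # the subnet route the OP cannot delete
    ("10.15.55.0/24", "TEST"),         # directly connected TEST interface
]
# Constructed: the /32 override viragomann suggested, as an extra route entry.
HOST_ROUTE = ("10.30.0.20/32", "gw_edgerouter")
# Constructed: a policy-based rule on TEST (iface, src, sport, dst, gateway).
POLICY_RULE = ("TEST", "10.15.55.10/32", 445, "10.30.0.20/32", "gw_edgerouter")
INGRESS_GW = "gw_edgerouter"  # gateway the SMB request from 10.30.0.20 really arrives on


def lookup(table, dst):
    """Longest-prefix match: the most specific matching prefix wins."""
    addr = ip_address(dst)
    matches = [(ip_network(p), gw) for p, gw in table if addr in ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def egress(table, rules, in_iface, src, sport, dst):
    """Next hop for a packet entering on in_iface: policy rules first, then the table."""
    for iface, rsrc, rsport, rdst, gw in rules:
        if (iface == in_iface and ip_address(src) in ip_network(rsrc)
                and sport == rsport and ip_address(dst) in ip_network(rdst)):
            return gw
    return lookup(table, dst)


def reply_path(table, rules):
    """Where Netgate 1 sends the 10.15.55.10:445 -> 10.30.0.20 reply, and whether
    that matches the gateway the request came in on (True = symmetric)."""
    gw = egress(table, rules, "TEST", "10.15.55.10", 445, "10.30.0.20")
    return gw, gw == INGRESS_GW


def other_host_path(table, rules):
    """Some other internal host reaching 10.30.0.20; no TEST policy rule applies."""
    return egress(table, rules, "LAN", "10.15.55.50", 50000, "10.30.0.20")


if __name__ == "__main__":
    print("as described   :", reply_path(ROUTES, []))                   # ('gw_netgate2', False)
    print("with /32 route :", reply_path(ROUTES + [HOST_ROUTE], []))    # ('gw_edgerouter', True)
    print("with policy    :", reply_path(ROUTES, [POLICY_RULE]))        # ('gw_edgerouter', True)
    print("other host, /32:", other_host_path(ROUTES + [HOST_ROUTE], []))  # gw_edgerouter
    print("other host, pol:", other_host_path(ROUTES, [POLICY_RULE]))      # gw_netgate2
```

The last two lines show the trade-off raised in the thread: the /32 route redirects every host's traffic to 10.30.0.20 through the edge router, while the policy rule touches only the one flow on TEST and leaves other hosts on the Netgate 2 route.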