Routing in / out the same interface



  • Hello,
    I have a simple question:

will pfSense always route replies out of the same interface they came in, even when there is another (maybe better) route to the target available?

    I think yes, but I can't find information on this.

    Thanks



  • Yes, unless you want to deal with random packet drops due to asynchronous routing. Remember pfSense is a stateful firewall.



  • @l4k3k3m4n:

    Hello,
    I have a simple question:

will pfSense always route replies out of the same interface they came in, even when there is another (maybe better) route to the target available?

    I think yes, but I can't find information on this.

    Thanks

pfSense will use the best route to send the traffic.
    You must make sure that your configuration doesn't create asymmetric traffic; as moikerz pointed out, pfSense is a stateful firewall and will drop out-of-state traffic.



  • The answers confuse me a bit.
    Ok I will give an example.

    I have 2 WAN connections.
    WAN1 is a permalink with a /29 public subnet.
WAN2 is a fast cable connection with 1 public IP assigned by DHCP in a /21 subnet.

All my services (like VPN, web servers, Remote Desktop) are published on WAN1 IP addresses.

So when pfSense gets a connection on WAN1 (to the published services), it is possible that this connection is initiated by an IP address in the range of the WAN2 subnet (because the ISP is assigning this range to customers in this region).

So if pfSense follows the routing table, the reply should go out WAN2 because it is directly connected (that would be asynchronous routing).
    But of course I do not want that to happen.

So the question is, what is pfSense's behaviour by default?
    I think it will always reply on the same interface and ignore the routing table.
    Right? Thanks.


  • reply-to
        The reply-to option is similar to route-to, but routes packets that pass in the opposite direction (replies) to the specified interface. Opposite direction is only defined in the context of a state entry, and reply-to is useful only in rules that create state. It can be used on systems with multiple external connections to route all outgoing packets of a connection through the interface the incoming connection arrived through (symmetric routing enforcement).

    Pretty sure pfSense makes sure that's the case where possible.
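The mechanism the man page excerpt describes, written out as a hand-made pf.conf fragment for the two-WAN scenario in this thread (this is an added illustration of the underlying pf rules, not the rule set pfSense generates; interface names, gateways and addresses are assumptions):

```pf
# Constructed example: two WANs, services published on WAN1 (assumed names/addresses)
wan1_if = "em0"
wan1_gw = "203.0.113.1"      # assumed WAN1 (/29) upstream gateway
wan1_ip = "203.0.113.10"     # assumed public address the web server is published on
wan2_if = "em1"
wan2_gw = "198.51.100.1"     # assumed WAN2 (DHCP /21) upstream gateway
web_srv = "192.0.2.10"       # assumed internal web server

# Bind states to the interface they were created on, so a reply arriving or
# leaving on the "wrong" WAN does not match an existing state.
set state-policy if-bound

# Port-forward the published service (translation happens before filtering).
rdr on $wan1_if proto tcp from any to $wan1_ip port { 80, 443 } -> $web_srv

# Inbound on WAN1: reply-to pins the replies of this state to WAN1's gateway,
# even when the client's source address lies in WAN2's directly connected /21
# and the routing table would otherwise send the reply out WAN2.
pass in quick on $wan1_if reply-to ($wan1_if $wan1_gw) \
    proto tcp from any to $web_srv port { 80, 443 } keep state

# Same enforcement for anything answered directly on WAN2's address.
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) \
    proto tcp from any to ($wan2_if) port 22 keep state

# Outbound from the LAN still follows the routing table (default route) unless
# a rule adds route-to; reply-to only affects the reply direction of a state.
pass out quick on { $wan1_if $wan2_if } proto { tcp udp icmp } from any to any keep state
```

After loading, `pfctl -sr` shows the `reply-to` clause on the loaded rules and `pfctl -ss` lists each state with the interface it is bound to, which is how to confirm that replies are being forced back out the arriving WAN.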

