Happy Saturday to all of you!
I made some thoughts about the topic asymmetric routing. When I make network audits to new customers I often see multiple gateways in a single subnet (for example for site2site VPNs). They tell me about some weird problems with some intercommunications between those subnets. To better understand the wrong topology I made a drawing in Microsoft Visio for you:
On the left side we have a server with IP address 192.168.1.23 using the default gateway 192.168.1.1. When the server wants to communicate to the branch office server 192.168.2.78, the send packets have the destination mac address of 192.168.1.1 and the destination IP address 192.168.2.78. Once packets are coming in to the router 192.168.1.1, a route will let him change the destination mac address to that one for 192.168.1.8 (the gateway where subnet 192.168.2.0 /24 is located via VPN). The problem is that the packets are send out of the same network where they are coming. Packets which will be answered by 192.168.2.78 are not going the same way back because the second router 192.168.1.8 sends the packets to 192.168.1.23 which is directly attached to network 192.168.1.0 /24. So the server 192.168.1.23 is getting answered packets from a mac address which he doesn’t send to. This is a problem with many protocols like secured connections (HTTPS tcp 443, LDAP SSL tcp 636, LDAP GC SSL tcp 326, etc.) because those systems and also local firewalls recognized those grievances as something like a man-in-the-middle attack like ARP spoofing. Past weeks ago, a customer had problems with running a synchronized domain-membership with this topology. My colleague Frank documented this here.
To solve this problem you have two options. Option #1 is the fastest (and maybe cheapest) way. Just add a permanent route (blue letters) to the server which has more than one gateway on its subnet:
Because you have more than only one server :) or devices which can’t have routes added (like printers) there is a way better method for this which I recommend. Put a small subnet between the main gateway and the VPN gateway with a subnetmask 255.255.255.252 (two usable hosts) and configure static routes on this gateways like this:
When your main-gateway has an additional and free interface it also doesn’t cost additional money :-)
Feel free to comment and suggest additional ideas!