Network Guys


The problems with asymmetric routing

Happy Saturday to all of you!

I have been thinking about asymmetric routing. When I do network audits for new customers I often see multiple gateways in a single subnet (for example for site-to-site VPNs), and the customers tell me about weird problems with communication between those subnets. To better explain the faulty topology I made a drawing in Microsoft Visio for you:



On the left side we have a server with IP address using the default gateway . When the server wants to communicate with the branch office server, the packets it sends carry the destination MAC address of and the destination IP address . Once the packets arrive at the router, a route makes it rewrite the destination MAC address to the one of (the gateway behind which subnet /24 is reached via VPN). The problem is that the packets are sent back out of the same network they came in on. The packets answered by do not take the same way back, because the second router sends them to , which is directly attached to network /24. So the server receives reply packets from a MAC address it never sent to. This is a problem for many protocols, especially secured connections (HTTPS tcp 443, LDAP SSL tcp 636, LDAP GC SSL tcp 326, etc.), because those systems and also local firewalls treat this as something like a man-in-the-middle attack such as ARP spoofing. A few weeks ago a customer had problems running a synchronized domain membership on this topology. My colleague Frank documented this here.

To solve this problem you have two options. Option #1 is the fastest (and maybe cheapest) way: just add a permanent route (blue letters) to every server that has more than one gateway on its subnet:


Because you have more than just one server :) and also devices to which routes can't be added (like printers), there is a much better method, which I recommend: put a small subnet with a subnet mask (two usable hosts) between the main gateway and the VPN gateway, and configure static routes on these gateways like this:


If your main gateway has an additional free interface, this doesn't even cost extra money :-)
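To make the asymmetry concrete, here is an added example that is not from the original post: it models the three diagrams with placeholder RFC 5737 addresses (the post's own addresses are not reproduced here), so the node names, routing tables and the symmetry check are all assumptions. The neighbour a node hands a packet to stands in for the MAC address the server sees, which is exactly what the local firewall compares.

```python
from copy import deepcopy
from ipaddress import ip_address, ip_network

# Constructed topology with RFC 5737 placeholder addresses (assumption, not the
# post's addresses). Each node's table maps prefix -> next-hop IP, or "connected"
# for a directly attached subnet.
BASE_TABLES = {
    "server":  {"192.0.2.0/24": "connected", "0.0.0.0/0": "192.0.2.1"},
    "main_gw": {"192.0.2.0/24": "connected", "198.51.100.0/24": "192.0.2.2"},
    "vpn_gw":  {"192.0.2.0/24": "connected", "198.51.100.0/24": "connected"},
    "branch":  {"198.51.100.0/24": "connected", "0.0.0.0/0": "198.51.100.1"},
}
BASE_ADDRS = {"server": ["192.0.2.10"], "main_gw": ["192.0.2.1"],
              "vpn_gw": ["192.0.2.2", "198.51.100.1"], "branch": ["198.51.100.10"]}

def owner(addrs, ip):
    """Node that holds the given IP address."""
    return next(n for n, a in addrs.items() if ip in a)

def lookup(table, dst):
    """Longest-prefix match, as a real routing table does."""
    best = max((p for p in table if ip_address(dst) in ip_network(p)),
               key=lambda p: ip_network(p).prefixlen)
    return table[best]

def path(tables, addrs, src, dst):
    """Hop-by-hop list of node names a packet from node src to IP dst passes through."""
    hops = [src]
    while (nh := lookup(tables[hops[-1]], dst)) != "connected":
        hops.append(owner(addrs, nh))
    return hops + [owner(addrs, dst)]

def is_symmetric(tables, addrs, a, b):
    """True when the neighbour that receives a's packets also delivers b's replies."""
    fwd = path(tables, addrs, owner(addrs, a), b)
    rev = path(tables, addrs, owner(addrs, b), a)
    return fwd[1] == rev[-2]

def scenario(fix=None):
    """Is server <-> branch traffic symmetric with no fix, option 1, or option 2?"""
    t, a = deepcopy(BASE_TABLES), deepcopy(BASE_ADDRS)
    if fix == "host_route":      # option 1: permanent route on the server itself
        t["server"]["198.51.100.0/24"] = "192.0.2.2"
    elif fix == "transit":       # option 2: /30 between main gateway and VPN gateway
        a["main_gw"].append("203.0.113.1")
        a["vpn_gw"] = ["203.0.113.2", "198.51.100.1"]   # VPN gateway leaves the LAN
        t["main_gw"].update({"203.0.113.0/30": "connected",
                             "198.51.100.0/24": "203.0.113.2"})
        t["vpn_gw"] = {"203.0.113.0/30": "connected", "198.51.100.0/24": "connected",
                       "192.0.2.0/24": "203.0.113.1"}
    return is_symmetric(t, a, "192.0.2.10", "198.51.100.10")

if __name__ == "__main__":
    for fix in (None, "host_route", "transit"):
        print(f"{fix or 'no fix':>10}: symmetric = {scenario(fix)}")
```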

Feel free to comment and suggest additional ideas!


10 Responses

  1. Hello,

    Thank you for a good article.

    I have some problems in implementing what I have read. I cannot have Internet access from
    Can you please tell me if the router from your diagram has to be one with two WAN ports (RV042G for example) or if it will work with only one WAN.

    Thank you

    1. I think I didn’t understand your requirement. What exactly do you want? You just need an additional interface and then you can do routing between them. It doesn’t need to be a “WAN” interface or so.

      1. Hello Michel,

        The main router is a RV042G (connected to the Internet). I need to create a VPN connection to a second site (connected directly by fiber, not over the Internet). I had begun with the first version. VPN is working well but I cannot have Internet access from the second site. Then I tried the third solution. I had the same results. All routers are RV042G.
        – Computers from both sites can see each other.
        – Computers from site 1 have Internet access.
        – Computers from site 2 cannot access the Internet (ping to google by name or by IP is not working).

        Thank you

        1. Hi Nimca,

          Every hop (router) needs to have a default route. So if we look at the third picture: needs a default route pointed to , and needs a default route to .

          From the second site: do a “tracert”. Where did the traceroute end?

  2. Thanks for the great article. In the second diagram, shouldn’t the IP on the VPN gateway be deleted? That device will only have a address and a VPN address, right?

