I have a couple of router/firewall boxes (pfSense, TMG 2010, ISA 2006) on my network that are stateful. Right now they all have an interface on the same subnet as most end-user devices and servers. I will be making some changes and putting some servers on their own subnets behind these firewalls, so I'm wondering if I should set up one dedicated subnet for the routers to route packets to each other through. There are no routing protocols, only static routes.
I'm trying to avoid asynchronous routing, which can be a problem for stateful firewalls since traffic flows via a different path into and out of the network. If traffic flows back through a different path and the firewall in that path does not have a record in the state table, then the traffic could get blocked.
My basic question is this: is this an ideal way to approach this problem? Why or why not? I have not been able to find much in terms of best practices but this approach would leave only one router on each subnet so I would avoid the current situation of different machines having different default gateways.
Current

```
Router 1              Router 2              Router 3
192.168.1.1/24 ------ 192.168.1.2/24 ------ 192.168.1.3/24 ------ All other devices
      |                     |                     |
      V                     V                     V
10.10.10.1/24         10.20.20.1/24         10.30.30.1/24
```

Proposed

```
Router 1              Router 2              Router 3
192.168.1.1/24 ------ All other devices
10.200.200.1/24 ----- 10.200.200.2/24 ----- 10.200.200.3/24 ----- Routers/Firewalls only
      |                     |                     |
      V                     V                     V
10.10.10.1/24         10.20.20.1/24         10.30.30.1/24
```
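As an added illustration (not part of the question or the poster's configuration), the following Python model traces one packet and its reply through both layouts using longest-prefix static routes and a minimal stateful-filter rule: a router passes a reply only for a flow whose first packet it saw. Router names (R1/R2/R3), the host addresses 192.168.1.50, 10.10.10.5 and 10.20.20.7, and the static routes are constructed assumptions; in the "current" layout the user PC is given Router 2 as its default gateway, which is the mixed-gateway situation the question describes.

```python
"""Trace forward and reply packets through static routes and stateful filters.
Constructed example: topologies, addresses and routes are assumptions."""
import ipaddress


class StatefulRouter:
    """A router that forwards reply packets only for flows it saw begin."""

    def __init__(self, name, interfaces, routes=()):
        self.name = name
        self.interfaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh))
                       for p, nh in routes]
        self.state = set()                      # (src, dst) flows seen forward

    def owns(self, addr):
        return any(addr == i.ip for i in self.interfaces)

    def next_hop(self, dst):
        """Connected network wins; otherwise longest-prefix static route."""
        for i in self.interfaces:
            if dst in i.network:
                return dst                      # deliver directly on that LAN
        matches = [(n, nh) for n, nh in self.routes if dst in n]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def forward(self, src, dst, is_reply):
        if is_reply:
            if (dst, src) not in self.state:
                return None                     # no state entry: reply is dropped
        else:
            self.state.add((src, dst))          # first packet creates state
        return self.next_hop(dst)


class Network:
    def __init__(self, routers, hosts):
        self.routers = routers
        # hosts: ip -> (subnet, default gateway)
        self.hosts = {ipaddress.ip_address(ip): (ipaddress.ip_network(net),
                                                 ipaddress.ip_address(gw))
                      for ip, (net, gw) in hosts.items()}

    def router_for(self, addr):
        return next(r for r in self.routers if r.owns(addr))

    def send(self, src, dst, is_reply=False):
        """Return the list of router names a packet crosses, or None if dropped."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        net, gw = self.hosts[src]
        if dst in net:
            return []                           # same LAN: no router involved
        hop, path = gw, []
        for _ in range(8):                      # loop guard
            router = self.router_for(hop)
            path.append(router.name)
            hop = router.forward(src, dst, is_reply)
            if hop is None:
                return None
            if hop == dst:
                return path
        return None

    def exchange(self, a, b):
        """Send a -> b, then the reply b -> a; returns (forward_path, reply_path)."""
        return self.send(a, b), self.send(b, a, is_reply=True)


def current_design():
    """All three firewalls on 192.168.1.0/24; user PC's gateway is Router 2."""
    r1 = StatefulRouter("R1", ["192.168.1.1/24", "10.10.10.1/24"],
                        [("10.20.20.0/24", "192.168.1.2"), ("10.30.30.0/24", "192.168.1.3")])
    r2 = StatefulRouter("R2", ["192.168.1.2/24", "10.20.20.1/24"],
                        [("10.10.10.0/24", "192.168.1.1"), ("10.30.30.0/24", "192.168.1.3")])
    r3 = StatefulRouter("R3", ["192.168.1.3/24", "10.30.30.1/24"],
                        [("10.10.10.0/24", "192.168.1.1"), ("10.20.20.0/24", "192.168.1.2")])
    return Network([r1, r2, r3], {"192.168.1.50": ("192.168.1.0/24", "192.168.1.2"),
                                  "10.10.10.5": ("10.10.10.0/24", "10.10.10.1"),
                                  "10.20.20.7": ("10.20.20.0/24", "10.20.20.1")})


def proposed_design():
    """Only Router 1 on the user LAN; firewalls interconnect on 10.200.200.0/24."""
    r1 = StatefulRouter("R1", ["192.168.1.1/24", "10.200.200.1/24", "10.10.10.1/24"],
                        [("10.20.20.0/24", "10.200.200.2"), ("10.30.30.0/24", "10.200.200.3")])
    r2 = StatefulRouter("R2", ["10.200.200.2/24", "10.20.20.1/24"],
                        [("0.0.0.0/0", "10.200.200.1"), ("10.30.30.0/24", "10.200.200.3")])
    r3 = StatefulRouter("R3", ["10.200.200.3/24", "10.30.30.1/24"],
                        [("0.0.0.0/0", "10.200.200.1"), ("10.20.20.0/24", "10.200.200.2")])
    return Network([r1, r2, r3], {"192.168.1.50": ("192.168.1.0/24", "192.168.1.1"),
                                  "10.10.10.5": ("10.10.10.0/24", "10.10.10.1"),
                                  "10.20.20.7": ("10.20.20.0/24", "10.20.20.1")})


if __name__ == "__main__":
    for label, net in (("current", current_design()), ("proposed", proposed_design())):
        print(label, "server -> user PC:", net.exchange("10.10.10.5", "192.168.1.50"))
        print(label, "server -> server:", net.exchange("10.10.10.5", "10.20.20.7"))
```

In the current layout the server's packet to the user PC leaves through Router 1 straight onto the shared LAN, but the PC's reply goes to its own default gateway, Router 2, which never saw the first packet and drops it. In the proposed layout every host on 192.168.1.0/24 has only Router 1 as a gateway and inter-firewall traffic uses the dedicated transit subnet, so each reply retraces the forward path and every firewall on that path already holds the state entry.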