SOLVED: check the end of the post

Network diagram: https://i.imgur.com/5mc2woO.jpg

This is called asymmetrical routing. I do not want it. It happens because, despite the request arriving at eth0 as intended, CentOS recognizes that the client source IP also belongs to one of the server's local subnets, and proceeds to reply to the client using that local subnet, which belongs to eth1. The reply communication is made locally (switch), bypassing pfSense, which then proceeds to terminate the connection after 30 seconds because it never saw the server replying.

In pfSense there is an option to bypass all traffic belonging to the same subnet, and in CentOS there are options to mitigate part of this issue:

net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.arp_announce = 1

With all these options activated in both pfSense and CentOS, the timeouts were increased from 30 to ~800 seconds, but they still happen like clockwork.

I have read I should be able to flag every packet arriving @ eth0 and make a policy to always always always reply to the flagged packets using eth0.

PS: the reason the server has both subnets (192.168.0.x and 10.10.10.x) is because both client and server are on separate VLANs and the server serves two purposes. 1- SMB share, which should always be accessed via eth0 @ VLAN 1680 for firewalling purposes. 2- FTP for the clients' disk clones/backups, very resource-heavy traffic which should always be accessed via eth1 @ VLAN 1010 in order to bypass the pfSense router so as not to overload it (I have many client PCs doing backups at the same time).

I would greatly appreciate some input on the best course of action.

Dan Cos

1 Answer

SOLUTION:

I solved my issue using both ip route and ip rule. ip route is used to create a new route; ip rule is used to tell Linux when to use the new route.

1 - Create a new routing table that will be used only to solve this routing issue: echo 101 myroute >> /etc/iproute2/rt_tables

2 - Populate myroute with instructions to reply to all traffic via the IP address of your pfSense box: ip route add default via 192.168.0.4 table 101

The routing table myroute on its own won't affect anything yet. It needs a policy rule to activate it. Once activated, it will work alongside your standard routing table, which will be unaltered.

3 - Add the rule: ip rule add from 192.168.0.78 table myroute

4 - Flush the routing cache to reload settings: ip route flush cache

Please notice that while doing this, all traffic sent to the server IP 192.168.0.78 via the local subnet (switch) will be replied to via the 192.168.0.4 gateway, and thus local connections will fail.

In order to understand why your new table supersedes the default routing table, you should read this great link dedicated to this issue.

https://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/

Dan Cos
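To make the answer's four steps traceable without a lab, here is a small simulation of the Linux policy-routing lookup (rules walked by priority, longest-prefix match inside the chosen table). It is an added example, not code from the original post. The main table is the one implied by the question (two connected subnets), table 101/myroute is the one the answer creates, and the client addresses 10.10.10.20 and 192.168.0.50 plus the server's eth1 address 10.10.10.78 are constructed for the demonstration. It also goes one step past the post: the "fix_local" variant adds a connected 192.168.0.0/24 route to table 101, which is the usual way to keep same-subnet replies on the switch instead of sending them to pfSense (the side effect the answer warns about); that remedy is my assumption, not something the answer prescribes.

```python
# Added example (not from the original post): simulate the Linux policy-routing
# decision so the effect of "ip rule add from 192.168.0.78 table myroute", and
# its same-subnet side effect, can be traced offline.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net                 # "default" is 0.0.0.0/0
    dev: str                    # outgoing interface
    via: Optional[str] = None   # None: destination is directly connected (on-link)


@dataclass
class Rule:
    priority: int               # lower value is consulted first
    table: str
    src: Optional[Net] = None   # None: matches every source address


def lookup_table(table: List[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match inside a single routing table."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route(rules: List[Rule], tables: Dict[str, List[Route]],
          src: str, dst: str) -> Tuple[str, str, Optional[str]]:
    """Policy routing: walk rules by priority; the first table that holds a
    matching route decides. Returns (table name, outgoing dev, gateway or None)."""
    s, d = IPv4(src), IPv4(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and s not in rule.src:
            continue
        hit = lookup_table(tables[rule.table], d)
        if hit is not None:
            return (rule.table, hit.dev, hit.via)
    raise LookupError("network unreachable")


def build_tables(fix_local: bool) -> Dict[str, List[Route]]:
    """Main table as implied by the question, plus table 101 (myroute) from the
    answer. The rt_tables line only maps the number 101 to the name myroute."""
    main = [
        Route(Net("192.168.0.0/24"), "eth0"),   # VLAN 1680, pfSense side
        Route(Net("10.10.10.0/24"), "eth1"),    # VLAN 1010, directly to clients
    ]
    # "ip route add default via 192.168.0.4 table 101"; the kernel resolves the
    # device from the gateway address, which lives on eth0.
    myroute = [Route(Net("0.0.0.0/0"), "eth0", via="192.168.0.4")]
    if fix_local:
        # Assumed remedy (not in the answer): a connected route inside table 101
        # keeps same-subnet replies on the switch instead of sending them to pfSense.
        myroute.insert(0, Route(Net("192.168.0.0/24"), "eth0"))
    return {"main": main, "myroute": myroute}


# Before the fix only the main table is consulted (the kernel's "local" table at
# priority 0 only covers the host's own addresses and is omitted here).
RULES_BEFORE = [Rule(32766, "main")]
# After "ip rule add from 192.168.0.78 table myroute": ip picks the free priority
# just below main, 32765 on a stock system, so myroute is consulted first.
RULES_AFTER = [Rule(32765, "myroute", Net("192.168.0.78/32")), Rule(32766, "main")]

TABLES = build_tables(fix_local=False)
TABLES_LOCAL_FIX = build_tables(fix_local=True)

# Constructed sample addresses: 10.10.10.20 is a VLAN 1010 client whose SMB
# request reached eth0 through pfSense; 192.168.0.50 is a VLAN 1680 client;
# 10.10.10.78 is assumed to be the server's own eth1 address.
SCENARIOS = [
    ("SMB reply, before fix",     RULES_BEFORE, TABLES,           "192.168.0.78", "10.10.10.20"),
    ("SMB reply, after fix",      RULES_AFTER,  TABLES,           "192.168.0.78", "10.10.10.20"),
    ("same-subnet reply",         RULES_AFTER,  TABLES,           "192.168.0.78", "192.168.0.50"),
    ("same-subnet, table fixed",  RULES_AFTER,  TABLES_LOCAL_FIX, "192.168.0.78", "192.168.0.50"),
    ("FTP reply via eth1",        RULES_AFTER,  TABLES,           "10.10.10.78",  "10.10.10.20"),
]

if __name__ == "__main__":
    for name, rules, tables, src, dst in SCENARIOS:
        table, dev, via = route(rules, tables, src, dst)
        print(f"{name:26} {src} -> {dst}: table {table}, dev {dev}, via {via or 'on-link'}")
```

The first scenario reproduces the asymmetric path from the question (reply to a 10.10.10.x client leaves eth1 directly, so pfSense never sees it); the second shows the rule steering the same reply to 192.168.0.4 on eth0; the third shows the answer's caveat, a same-subnet client also being answered via the gateway; the fifth confirms FTP traffic sourced from the eth1 address is untouched because the rule only matches 192.168.0.78.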