Multihoming and connection tracking

Hi,

I want to build up a system as follows:
[image: schema.png]
The two CCRs have BGP connections to the uplink provider (2 ports, 1 ASN) and they exchange routes with the PPPoE servers via OSPF. The second uplink port exists for redundancy purposes, not to gain more bandwidth. So in normal operation mode the customer traffic should run through the first BGP router. My question is, what can happen if I have asymmetric traffic flow? For example, a customer establishes a TCP connection and sends his SYN packet through BGP router 1, but the ACK packet arrives through BGP router 2? Normally I would set up firewall rules which allow incoming packets only if they are related to a connection which is established from the inside, hence BGP router 2 would drop the ACK packet. So, how can I keep reliable connection tracking with more than one possible path?
Of course I’ll try to force the traffic to run through router 1, but I can’t force a host on the internet to use the first path as long as it’s available. Although I guess that if I use AS prepend for the second router and both BGP peers have the same partner AS, there should be no reason for a host to use the second path…
Please let me know your opinions!

Michael

My opinion is that you should not use connection-tracking firewall rules in a network like that.

Hi, I currently have that network running successfully without issues related to asymmetric traffic flow. And I totally recommend you disable connection tracking; it will totally improve your router’s behavior. Just be careful if you’re using NAT or any firewall rule related to tracking (like matching TCP connection states).

It is recommended not to use any connection tracking related feature. Also avoid setting up complicated firewall rules for forwarded traffic.

Ok, thank you all for your tips. I need a few tracking features to protect the little IP subnet that we use for our own servers etc. So would it be enough (especially concerning CPU load) to set firewall raw rules which disable tracking for the customers’ IP space?

It should work, yes.
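The raw-table approach asked about above (exempt the customer space from connection tracking, keep stateful filtering only for the small server subnet), written out as an added RouterOS example. This is not configuration from anyone in the thread; the two prefixes are constructed placeholders, and the allowed server ports are an assumption to be replaced with the real policy.

```routeros
# Added example, not from the original thread. Apply the same on both BGP edge routers.
# Placeholders (constructed, replace with the real prefixes):
#   203.0.113.0/24   assumed customer (PPPoE) address space
#   198.51.100.0/28  assumed subnet of the company's own servers

# 1) Customer traffic: no connection tracking in either direction.
#    The raw table is evaluated before conntrack, so a notracked packet creates
#    no state entry. A reply that arrives on the "other" edge router is then
#    plain routed instead of being dropped for not matching a known connection.
/ip firewall raw
add chain=prerouting src-address=203.0.113.0/24 action=notrack \
    comment="customer space: outbound, no conntrack"
add chain=prerouting dst-address=203.0.113.0/24 action=notrack \
    comment="customer space: inbound, no conntrack"

# 2) Server subnet: still tracked, so the usual stateful rules protect it.
/ip firewall filter
add chain=forward dst-address=198.51.100.0/28 connection-state=established,related \
    action=accept comment="servers: replies of tracked connections"
add chain=forward dst-address=198.51.100.0/28 connection-state=invalid \
    action=drop comment="servers: drop invalid"
add chain=forward dst-address=198.51.100.0/28 connection-state=new \
    protocol=tcp dst-port=80,443 action=accept \
    comment="servers: new HTTP/HTTPS (assumed policy)"
add chain=forward dst-address=198.51.100.0/28 action=drop \
    comment="servers: everything else"

# A notracked packet never matches connection-state=... rules and is never
# NATed, which is the caveat raised earlier in the thread: nothing in the
# customer space may depend on state matching or NAT on the edge routers.
```

CPU-wise this is cheap: the two raw rules are the only ones the bulk customer traffic touches, and the conntrack table only holds flows to and from the server subnet. The limitation is that the server subnet keeps the original asymmetric-path problem, since a reply that comes back via the other edge router is still dropped there as invalid; that is the case the suggestion of a separate third router for the servers and NAT, with the edge routers doing routing only, is meant to cover.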

But I will add a third router for just the internal servers and NAT on it, so the edge routers only do routing.