Linux by default (regardless of firewall rules) will not accept a packet on an interface when the source of that packet "should" be on another interface according to the current route table (in other words, you're doing asymetric routing).
Easy fix: # Controls source route verification net.ipv4.conf.default.rp_filter = 0 # Do not accept source routing net.ipv4.conf.default.accept_source_route = 1 -----Original message----- From:Anurag Bhatia <m...@anuragbhatia.com> Sent:Wed 06-12-2019 04:45 pm Subject:Issue with point to point VPNs behind NAT and asymmetric traffic To:NANOG Mailing List <nanog@nanog.org>; Hello everyone, Trying to get my head around a certain unexpected behaviour. I am running two site to site VPNs (wireguard now, OpenVPN earlier) between my home and a remote server over two different WAN links. Both WAN links are just consumer connections - one with public IP and one with CGNATed IP. The redundancy here is taken care of by the OSPF running via FRR on both ends. The unexpected behaviour I get is that if I set OSPF cost to prefer say link1 between home -> server and prefer link 2 between server -> home then connectivity completely breaks between the routed pools. The point to point IPs stay reachable (which is over expected links i.e symmetric via both ends). As long as both ends prefer link1 or link2, it works fine. At first, I thought it had to do something with NAT but still can't understand how. Since VPN tunnels have a keep-alive timer (for 10 seconds), the tunnel is always up. Any idea why asymmetric packets are being dropped here? This exact behaviour was in case of earlier OpenVPN + bird + iBGP and is still the same when I moved everything to Wireguard for VPN + FRR for routing + OSPF. Thanks. -- Anurag Bhatia anuragbhatia.com <http://anuragbhatia.com>
