What symmetric and asymmetric IP routing are

June 28, 2022

In a recent entry I talked somewhat informally about symmetric (IP) routing. Symmetric and asymmetric IP routing are ideas that I'm familiar with from working on firewalls and networking, but they're not necessarily common knowledge in the broader community. We can approach what they are from two directions, so I'm going to start from how conventional IP routing works.

The traditional and normal way that your IP stack decides where an outgoing IP packet should be sent is based (only) on the destination IP address. If the destination IP is in a directly attached network, your system sends it out the relevant interface. If there's a specific route that applies to the destination IP, the packet is sent to the gateway the route lists. And if all else fails, the packet is sent to your default route's gateway (or dropped, if you have no default route).

However, if you have a multi-homed host, a host with multiple interfaces and IP addresses, this approach to routing outgoing traffic can create a situation where outgoing and incoming packets for the same connection (or flow) use different interfaces. To have this happen you normally need at least two of your networks to be routable, which is to say that hosts not on those networks can reach them and hosts on those networks can reach other networks.

To make this concrete, say you have a host with two interfaces and IP addresses on each, with on and on Your default route is to and you have no other special routes. There are two situations that will create a difference between incoming and outgoing packets. First, if any host not on pings your IP address, your replies will use your default route and go out your network interface (despite coming from Second, if a host on pings your IP address, your replies will go directly out your interface despite coming from

Both of these situations are asymmetric routing, where packets in one direction take a different path through the network than packets in the other direction. In a completely reliable network with no special features, asymmetric routing is things working as intended, with IP packets taking what your system believes is the most efficient available path to their destinations. However, in a network that may be having faults along some paths and that has firewalls, asymmetric routing can cause artificial connectivity failures (or hide them). It's especially a problem with stateful firewalls, because such a firewall will be seeing only one half of the conversation and will normally block it.

In symmetric routing, we arrange (somehow) for packets to take the same path in both directions in all of these situations. If you're pinged at, your replies always go out on even if they're from a host in; if you're pinged at by some random IP, your replies always go out on even if your normal default route is through (you'll need a second default route for to make this work). This also extends to traffic that your host originates. If you ping a host in with the source IP of, your pings should go to's default gateway of, not directly out your interface. If your 'source IP' pings did go out your interface, the ICMP replies from the innocent host would take a different return path and create asymmetric routing.

There are a variety of ways to create a situation with symmetric routing. One general approach is to create separate network worlds, each with only one (routed) network interface in it, and to confine packets (and connections) to their appropriate world. Another general approach goes by the name of policy based routing, which is the broad idea of using more than just the destination IP to decide on packet routing. To do symmetric routing through policy based routing, you make routing choices depend on the source IP as well as the destination IP.

(Policy based routing is potentially much more general than mere symmetric routing, and I believe that it originates from the world of routers, not hosts. Sophisticated routing environments may have various complex rules, such as 'traffic from these networks can only use these links'. Symmetric routing itself is mostly a host issue.)
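
As an added illustration (not code from the original entry), this Python model contrasts destination-only lookup with source-selected routing tables for the two asymmetric reply cases and the host-originated case described above. The addresses (RFC 5737 documentation ranges), the interface names `ifA`/`ifB` and all function names are constructed for the example and are not the networks used in the article.

```python
import ipaddress as ipa

# Constructed addressing (RFC 5737 documentation ranges), not the article's networks.
NETS = {"ifA": ipa.ip_network("192.0.2.0/24"), "ifB": ipa.ip_network("198.51.100.0/24")}
ADDR = {"ifA": ipa.ip_address("192.0.2.10"), "ifB": ipa.ip_address("198.51.100.10")}
GW = {"ifA": "192.0.2.1", "ifB": "198.51.100.1"}
DEFAULT = ipa.ip_network("0.0.0.0/0")

# Conventional table: both connected networks, one default route via ifA.
MAIN = [(NETS["ifA"], "ifA", None), (NETS["ifB"], "ifB", None), (DEFAULT, "ifA", GW["ifA"])]

def lookup(table, dst):
    """Longest-prefix match on the destination; returns (interface, gateway)."""
    hits = [r for r in table if dst in r[0]]
    net, ifc, gw = max(hits, key=lambda r: r[0].prefixlen)
    return ifc, gw

def route_conventional(src, dst):
    """Destination-only routing: the source address is ignored."""
    return lookup(MAIN, ipa.ip_address(dst))

def route_policy(src, dst):
    """Source-based policy routing: the source IP picks a per-interface table
    holding only that interface's connected network and its own default route."""
    for ifc, addr in ADDR.items():
        if ipa.ip_address(src) == addr:
            table = [(NETS[ifc], ifc, None), (DEFAULT, ifc, GW[ifc])]
            return lookup(table, ipa.ip_address(dst))
    return route_conventional(src, dst)  # unbound source: fall back to main table

def reply_path(router, arrived_on, peer):
    """Route the reply to `peer` for a packet that arrived on `arrived_on`.
    Returns (interface, gateway, symmetric?)."""
    ifc, gw = router(str(ADDR[arrived_on]), peer)
    return ifc, gw, ifc == arrived_on

if __name__ == "__main__":
    cases = [("ifB", "203.0.113.7"),    # outside host pings the ifB address
             ("ifA", "198.51.100.77")]  # host on ifB's network pings the ifA address
    for arrived_on, peer in cases:
        for router in (route_conventional, route_policy):
            print(router.__name__, arrived_on, peer, reply_path(router, arrived_on, peer))
```

A stateful firewall sitting on only one of the two paths sees both directions of the flow only in the cases where the third element of the result is `True`.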

Written on 28 June 2022.
Last modified: Tue Jun 28 22:11:43 2022