Asymmetric Routing packets dropped

I’m running a small IPv6 network using VyOS with BGP multihoming, and I’m stuck with an asymmetric routing issue that I can’t get working.

Topology (logical)

  • AS65000: my own AS

    • Two edge routers at different locations

      • edge-A

      • edge-B

  • AS65003: upstream connected to edge-A

  • AS65002: upstream connected to edge-B

  • A WireGuard mesh interconnects (iBGP):

    • edge-A

    • edge-B

  • AS65001: Multiple Locations with WireGuard (iBGP)

I announce the same IPv6 /48 PI prefix from both edge routers to different upstreams for redundancy/backup, and I’m currently not prioritizing specific edge routers via communities or local-preference.

Routing behavior

  • Traffic from my PC exits via edge-A

  • Some return traffic from the Internet enters via edge-B

  • These return packets:

    • arrive on edge-B’s external interface

    • but are not forwarded back over WireGuard (AS65001) to the PC

    • no packets are seen on the WireGuard interface for those flows, nor on the edge-B external interface (but I know they must arrive, because I can trigger the same request from the remote side and then it arrives/works)

What I’ve tried

  • Disabled source-validation (loose and disable)

  • Disabled firewall zones and forward rules

  • Tested conntrack ignore / notrack in raw/prerouting

  • Traced packets with tcpdump

Observations:

  • The same hosts are reachable when the remote side initiates traffic

  • Failures only happen for asymmetric return paths

  • Even with firewalling disabled, forwarding still seems blocked

I’m pretty sure it’s related to asymmetric routing, but I don’t know how I can fix this.

When I’m not announcing via eBGP from one location, all my packets arrive correctly again.

This sounds like it might be a problem with WireGuard’s “allowed-ips” setting.

My network is similar, but IPv4 only, and using OSPF internally.

When setting it up (quite a few years ago), I encountered asymmetric routing, the cause of which turned out to be conntrack blocking unexpected returning (i.e. asymmetric) traffic. The solution at the time (if I recall correctly) was to ensure that no firewall rules processed any traffic flow state.

Not sure if it may be relevant: checking on one of my routers (running 1.4.3), “show conntrack table ipv4” returns “Entries not found”.

Have you tried with no firewall rules whatsoever on the routers in AS65000?

Thanks for the suggestions. The WireGuard tunnel doesn’t seem to be the issue, as it’s configured to allow all IPs (0.0.0.0/0, ::/0).

I’ve tested again to be absolutely sure that connection tracking on my side isn’t the problem by completely disabling the firewall and clearing the conntrack table. However, the issue still persists.

I’m currently in contact with my upstream AS, as I suspect they may also be performing some form of connection tracking, which could explain why I don’t see any packets at all.

I feel obliged to link this post, as I’ve seen many people who are doing 0.0.0.0/0 in their WireGuard config not fully understand what it’s doing and hit issues. Probably not relevant, but just in case.

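The cryptokey-routing rule behind the “allowed-ips” suggestion and the 0.0.0.0/0 link above, modelled in Python as an added example (not code from this thread or from WireGuard itself): every allowed-ip belongs to exactly one peer, an outbound packet is encrypted for the peer whose allowed-ips longest-prefix-match its destination, and a decrypted packet is delivered only if its source maps back to the peer it came from. Peer names, prefixes and the remote host address are constructed for the example.

```python
import ipaddress
from typing import Dict, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class CryptokeyTable:
    """Illustrative model of WireGuard cryptokey routing (not WireGuard's code)."""

    def __init__(self) -> None:
        # prefix -> owning peer; WireGuard keeps exactly one owner per prefix
        self.routes: Dict[Net, str] = {}

    def add_allowed_ip(self, peer: str, prefix: str) -> Optional[str]:
        """Assign prefix to peer; returns the peer that silently lost it, if any."""
        net = ipaddress.ip_network(prefix, strict=False)
        previous = self.routes.get(net)
        self.routes[net] = peer
        return previous if previous not in (None, peer) else None

    def lookup(self, address: str) -> Optional[str]:
        """Longest-prefix match of address over all allowed-ips (None = no peer)."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, peer in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accept_inbound(self, from_peer: str, src: str) -> bool:
        """A packet decrypted from from_peer is delivered only if src maps to it."""
        return self.lookup(src) == from_peer


def site_router_table() -> CryptokeyTable:
    """Constructed table on the AS65001 site router: one peer per edge router."""
    t = CryptokeyTable()
    t.add_allowed_ip("edge-A", "2001:db8:a::/48")  # constructed edge-A range
    t.add_allowed_ip("edge-B", "2001:db8:b::/48")  # constructed edge-B range
    t.add_allowed_ip("edge-A", "::/0")  # Internet-sourced packets expected via edge-A
    return t


INTERNET_HOST = "2001:db8:ffff::1"  # constructed remote host replying to the PC


def check_asymmetric_return(t: CryptokeyTable) -> Dict[str, object]:
    """Reply enters via edge-B: delivered, or dropped before reaching the wg interface?"""
    result: Dict[str, object] = {
        "reply_via_edge_A": t.accept_inbound("edge-A", INTERNET_HOST),
        "reply_via_edge_B": t.accept_inbound("edge-B", INTERNET_HOST),
    }
    # Giving edge-B ::/0 as well does not create a second owner: it moves it from edge-A.
    result["default_moved_from"] = t.add_allowed_ip("edge-B", "::/0")
    result["reply_via_edge_A_after_move"] = t.accept_inbound("edge-A", INTERNET_HOST)
    return result
```

With these semantics a single `::/0` is held by one peer at a time, so a return packet that enters the site through the other edge is discarded by WireGuard before it shows up on the wg interface, which matches the tcpdump observation in the first post. On the receiving router, `wg show <iface> allowed-ips` shows which peer currently owns `::/0`.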