As part of my hands-on learning in network security, I’ve been building out a segmented virtual environment. Think firewalls, VLANs, and virtual machines — all designed around real-world architecture and best practices. It’s my personal training ground, and every mistake turns into a lesson.
Recently, one of my apps — a self-hosted collaboration platform — went dark for some users on the network. From others? It worked just fine.
It wasn’t the firewall. It wasn’t the app. Traffic made it in — responses got lost — a ghost in the shell. Digging deeper led me straight into the dark arts of routing tables.
The Setup (Simplified)
The app runs inside a virtual machine (VM) with two network interfaces, each assigned to a different isolated network segment:
- One for general user access
- One for administrative access
Each segment is on its own virtual LAN (VLAN), managed with strong segmentation policies. Users connect from one network, while system administration tools connect from another — as per defense-in-depth strategy.
The Issue: One-Sided Ghosting
Users on the general access network couldn’t connect. But admin access worked perfectly.
I verified that traffic was reaching the VM — packet captures confirmed that the requests made it to the app. But the responses? They were never making it back to the clients.
“Routing symmetry isn’t just ideal — it’s required when security tools start looking both ways.”
Root Cause: Asymmetric Routing
The VM was replying to requests — but instead of sending the responses back through the same interface they came in on, it was using the default route through the admin interface.
That’s known as asymmetric routing: inbound on one path, outbound on another.
In secure networks, especially with reverse path filtering (RPF) or source address validation enabled, this mismatch often causes return traffic to be dropped — exactly what happened.
“Routing symmetry isn’t just ideal — it’s required when security tools start looking both ways.”
The Fix: Policy-Based Routing (PBR)
Rather than relaxing security settings or disabling reverse path filters, I applied Policy-Based Routing at the VM’s operating system level, leveraging Linux’s native tools.
Using Linux’s ip rule and ip route commands, I mapped traffic flows to custom routing tables based on source IP ranges. This ensured replies went back out the correct NIC corresponding to the interface where the traffic arrived.
Typical Steps Taken (Conceptual, Sanitized) — Example Using vlanA and vlanB
- Create custom routing tables
Edit /etc/iproute2/rt_tables and add entries for each VLAN/interface:
echo "100 vlanA" | sudo tee -a /etc/iproute2/rt_tables echo "200 vlanB" | sudo tee -a /etc/iproute2/rt_tables
- Add routes for each interface’s subnet
Assuming:
eth0connected tovlanAsubnet10.0.10.0/24with gateway10.0.10.1and IP10.0.10.5eth1connected tovlanBsubnet10.0.20.0/24with gateway10.0.20.1and IP10.0.20.5
Run:
sudo ip route add 10.0.10.0/24 dev eth0 src 10.0.10.5 table vlanA sudo ip route add default via 10.0.10.1 dev eth0 table vlanA sudo ip route add 10.0.20.0/24 dev eth1 src 10.0.20.5 table vlanB sudo ip route add default via 10.0.20.1 dev eth1 table vlanB
- Bind routing rules to source IP addresses
sudo ip rule add from 10.0.10.5/32 table vlanA sudo ip rule add from 10.0.20.5/32 table vlanB
- Verify your configuration (optional)
ip rule show ip route show table vlanA ip route show table vlanB
Explanation
- This setup tells the Linux kernel to route any reply traffic originating from
10.0.10.5(vlanA) out through thevlanArouting table, and similarly forvlanB. - It ensures reply packets exit through the same interface they arrived on, maintaining symmetric routing and passing firewall validations.
5 Reasons Policy-Based Routing Is Essential for Multi-NIC VMs
- Prevents Asymmetric Routing: Replies exit the same interface they entered, avoiding dropped packets from security devices.
- Preserves Network Security: Maintains reverse path filtering and source validation protections without compromise.
- Enforces Network Segmentation: Keeps VLAN traffic isolated and secure.
- Simplifies Troubleshooting: Clear, deterministic routing paths reduce ambiguity and speed up debugging.
- Aligns with CISSP Best Practices: Supports defense in depth, least privilege, and segregation of duties.
A Nod to Complexity and Future Scalability
Policy-Based Routing solves this problem well but adds complexity — especially as IP ranges or interfaces evolve. In larger environments, dynamic routing protocols like OSPF with route tagging might offer more scalable solutions.
Thinking ahead about maintainability and growth helps future-proof your setup — something CISSP pros and network engineers alike appreciate.
Why This Matters (And Follows CISSP Best Practices)
Even in a home lab, applying enterprise security principles matters. Here’s how this fix aligns with CISSP-aligned standards:
| Principle | Applied Through |
|---|---|
| Defense in Depth | VLANs and firewall rules layered with routing policy controls |
| Least Privilege | Network segmentation ensures users only reach intended services |
| Secure Defaults | Reverse path filtering left enabled — not bypassed for convenience |
| Deterministic Routing | Clear traffic paths simplify troubleshooting and reduce ambiguity |
| Segregation of Duties | Admin and user traffic isolated at both the network and routing policy levels |
| Minimal Disclosure | No VLAN IDs, IP ranges, or topological details are shared externally |
Real-World Takeaway
This was a perfect hands-on example of how multi-interface VMs in segmented environments can silently break without proper routing logic — and why relying on default Linux routing behavior is risky.
I didn’t just get the app working — I reinforced secure architecture without compromising core protections.
TL;DR
If a virtual machine with multiple NICs starts ghosting certain clients while working fine for others, check for asymmetric routing.
Fix it the right way — with policy-based routing — and keep your network secure without disabling safety features.
Leave a Reply