What are symmetric and asymmetric IP routing

By on 1 Aug 2022

Category: Tech matters

Tags: ,

1 Comment

Blog home

Symmetric and asymmetric IP routing are ideas that I’m familiar with from working on firewalls and networking, but it’s not necessarily common knowledge in the broader community. We can approach what they are from two directions — I’m going to start with how conventional IP routing works.

Asymmetric routing

The traditional/normal way that your IP stack decides where an outgoing IP packet should be sent is based (only) on the destination IP address. If the destination IP is in a directly attached network, your system sends it to the relevant interface. If there’s a specific route that applies to the destination IP, the packet is sent to the gateway the route lists. And if all else fails, the packet is sent to your default route’s gateway (or dropped, if you have no default route).

However, if you have a multi-homed host, a host with multiple interfaces and IP addresses, this approach to routing outgoing traffic can create a situation where outgoing and incoming packets for the same connection (or flow) use different interfaces. For this to happen, you normally need at least two of your networks to be routable, which is to say that hosts not on those networks can reach them and hosts on those networks can reach other networks.

To use an example, let’s say you have a host with two interfaces and IP addresses on each, with on and on Your default route is and you have no other special routes. Two situations will create a difference between incoming and outgoing packets. First, if any host not on pings your IP address, your replies will use your default route and go out your network interface (despite coming from Second, if a host on pings your IP address, your replies will go directly out of your interface despite coming from

Both of these situations are examples of asymmetric routing, where packets in one direction take a different path through the network than packets in the other direction.

In a completely reliable network with no special features, asymmetric routing is things working as intended, with IP packets taking what your system believes is the most efficient available path to their destinations. However, in a network with firewalls and faults along some paths, asymmetric routing can cause artificial connectivity failures (or hide them). It’s especially a problem with stateful firewalls because such a firewall will be seeing only one-half of the conversation and will normally block it.

Symmetric routing

In symmetric routing, we arrange (somehow) for packets to take the same path in both directions in all of these situations. If you’re pinged at, your replies always go out on even if they’re from a host in If you’re pinged at by some random IP, your replies always go out on even if your normal default route is through (you’ll need a second default route for to make this work).

This also extends to traffic that your host originates. If you ping a host in with the source IP of, your pings should go to’s default gateway of, not directly out your interface. If your ‘source IP’ pings did go out of your interface, the ICMP replies from the innocent host would take a different return path and create asymmetric routing.

There are a variety of ways to create a situation with symmetric routing. One approach is to create separate network worlds, each with only one (routed) network interface and to confine packets (and connections) to their appropriate world. Another approach is policy-based routing, which is the broad idea of using more than just the destination IP to decide on packet routing. To do symmetric routing through policy-based routing, you make routing choices depending on the source IP as well as the destination IP.

(Policy-based routing is potentially much more general than mere symmetric routing, and I believe that it originates from the world of routers, not hosts. Sophisticated routing environments may have various complex rules, such as ‘traffic from these networks can only use these links’. Symmetric routing itself is mostly a host issue.)

I hope this gives you a basic understanding of what symmetric and asymmetric routing are.

Adapted from original post which appeared on Wandering Thoughts.

Chris Siebenmann is a Unix herder. He also writes too much Python, much of it not as good quality as it should be.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *