Routes are used to configure routing between network segments and to redirect traffic to different providers.
A route can direct traffic through a defined gateway, a network interface or a provider. Routing through an interface is usually used for tunnel connections; routing through a gateway is used in common Ethernet networks.
When the source (user) and the gateway are located in the same subnet, there are two ways to prevent asymmetric routing when creating the route: set the «Use NAT» flag, or set “don’t pass traffic through firewall”.
In the example above, user 1 is located in the 192.168.1.0/24 network and user 2 in 10.10.10.0/24. ICS is the default gateway for user 1, and there is a route on ICS that allows user 1 to send requests to user 2.
When user 1 sends a request to user 2, the packet passes through the default gateway (ICS), then through the router, and reaches user 2. The reply from user 2 takes a different path: the router sends it directly through the LAN switch to user 1, so it never passes ICS.
For simple data exchange without a session (UDP datagrams) this scheme works with the default ICS firewall setup. However, when a connection establishes a session with guaranteed delivery (TCP), the ICS firewall tracks the session state, and if no return data is seen for 30 seconds the connection is dropped. To prevent this, use the firewall exception.
Warning! A route excluded from the firewall is not processed by any other firewall rules.
The other way to avoid this situation is to enable NAT on the internal interface. In that case the source address of all traffic from user 1 is replaced with the address of the ICS interface, so replies from user 2 are addressed to ICS and return through it. This is the recommended method.
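The following is an added model of the scenario, not ICS code: it reproduces the asymmetric path and the 30-second session timeout, and shows why a UDP exchange survives while a TCP session is dropped unless «Use NAT» or the firewall exception is used. The host and interface addresses are assumptions; only the two subnets and the timeout come from the page.

```python
import ipaddress

# Constructed topology following the page: user 1 in 192.168.1.0/24, user 2 in
# 10.10.10.0/24, ICS is user 1's default gateway and the router to 10.10.10.0/24
# sits on the same LAN. Concrete addresses are assumptions, not from the page.
USER1, USER2 = "192.168.1.10", "10.10.10.20"
ICS_LAN_IP = "192.168.1.1"          # ICS internal interface (assumed)
LAN = ipaddress.ip_network("192.168.1.0/24")
SESSION_TIMEOUT = 30                # seconds ICS waits for return data on a TCP session


class IcsFirewall:
    """Stateful firewall model: a TCP session stays alive only while return data
    keeps crossing ICS; routes excluded from the firewall are not tracked at all."""

    def __init__(self, use_nat=False, exclude_from_firewall=False):
        self.use_nat, self.exclude = use_nat, exclude_from_firewall
        self.sessions = {}          # (src, dst) -> seconds since last return packet

    def forward_request(self, src, dst, proto="tcp"):
        # SNAT on the internal interface: user 2 sees the ICS address as the source.
        seen_src = ICS_LAN_IP if self.use_nat else src
        if proto == "tcp" and not self.exclude:
            self.sessions[(seen_src, dst)] = 0
        return seen_src

    def deliver_reply(self, src, dst):
        """The router hands a reply straight to dst over the LAN switch, so ICS only
        sees it when dst is ICS itself (the NAT case). Returns the final recipient."""
        if ipaddress.ip_address(dst) not in LAN:
            raise ValueError("reply must target the LAN in this scenario")
        if dst == ICS_LAN_IP:           # un-NAT and refresh the session timer
            self.sessions[(dst, src)] = 0
            return USER1
        return dst                      # asymmetric path: bypasses ICS entirely

    def tick(self, seconds):
        """Advance time; drop sessions with no return data for SESSION_TIMEOUT."""
        for key in list(self.sessions):
            self.sessions[key] += seconds
            if self.sessions[key] >= SESSION_TIMEOUT:
                del self.sessions[key]


def exchange_works(proto="tcp", use_nat=False, exclude_from_firewall=False):
    """One request, a reply 20 s later, then 20 s of silence: does ICS still pass
    the flow? UDP has no session to drop; TCP needs the reply to cross ICS."""
    fw = IcsFirewall(use_nat, exclude_from_firewall)
    seen_src = fw.forward_request(USER1, USER2, proto)
    fw.tick(20)
    fw.deliver_reply(USER2, seen_src)
    fw.tick(20)
    return proto == "udp" or exclude_from_firewall or (seen_src, USER2) in fw.sessions
```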