From: Nils Beyer
Organization: VKF Renzel GmbH
Date: Thu, 06 Apr 2017 09:08:49 +0200
Subject: Re: [PF] Symmetric routing enforcement, how-to without using "reply-to"...
To: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

Marek Zarychta wrote:

> pass in quick on $ext_if_1 \
> [...]
> pass in quick on $ext_if_2 reply-to ($ext_if_2 $ip_gw_2) \
> [...]
> pass in quick on $ext_if_1 \
> [...]
> pass in quick on $ext_if_2 \

That's what I meant in my opening post: you have to create a rule for every possible gateway.

It even gets more complex if your server itself is a gateway for other servers in your network and you have to distribute outgoing traffic depending on the requesting server in your network.

So something simple like:

------------------------------------------------------------------------------
ipfw add 60000 fwd $ip_gw_2 all from $ext_net_2 to any via $ext_if_1
ipfw add 60001 fwd $ip_gw_1 all from $ext_net_1 to any via $ext_if_2
------------------------------------------------------------------------------

is not possible with PF?

Regards,
Nils
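For readers following the thread, here is what the "one rule per gateway" approach looks like as a complete pf.conf fragment. This is an added illustration, not a configuration posted by Nils or Marek; the interface names, gateway addresses and LAN prefixes are placeholders chosen for the example. It covers both cases raised in the message: connections that arrive on one of the two uplinks (reply-to pins the return path to the gateway the packet came in through), and forwarded traffic from internal networks that must be steered to a particular uplink by source network (route-to). Each uplink/gateway pair needs its own rule of each kind, which is the duplication the thread is complaining about.

```pf
# Placeholder interfaces and addresses (example values, not from the thread)
ext_if_1 = "em0"
ext_if_2 = "em1"
int_if   = "em2"
ip_gw_1  = "192.0.2.1"
ip_gw_2  = "198.51.100.1"
lan_a    = "10.0.1.0/24"
lan_b    = "10.0.2.0/24"

# Inbound to the host itself: the state created here records the
# reply-to gateway, so reply packets for the connection leave via the
# uplink they arrived on instead of following the default route.
# One rule is needed per uplink/gateway pair.
pass in quick on $ext_if_1 reply-to ($ext_if_1 $ip_gw_1) \
    proto tcp from any to ($ext_if_1) port 22 keep state
pass in quick on $ext_if_2 reply-to ($ext_if_2 $ip_gw_2) \
    proto tcp from any to ($ext_if_2) port 22 keep state

# Forwarded traffic from the LAN: choose the uplink by source network.
# Again one route-to rule per (source network, gateway) pair.
pass in quick on $int_if route-to ($ext_if_1 $ip_gw_1) \
    from $lan_a to any keep state
pass in quick on $int_if route-to ($ext_if_2 $ip_gw_2) \
    from $lan_b to any keep state
```

Two practical notes: reply-to and route-to only take effect for packets that create or match a state entry, so the rules must be stateful (the default in current pf, made explicit above), and forwarded LAN traffic will additionally need a nat rule on each external interface if the LAN prefixes are private. Check the resulting policy with `pfctl -nf /etc/pf.conf` before loading it and `pfctl -ss` afterwards to confirm that each state shows the expected gateway.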