Date: Fri, 14 Jul 2006 16:09:18 -0700
From: "Jon Simola" <jsimola@gmail.com>
To: "Nejc Skoberne" <nejc@skoberne.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Multihoming with route-to
Message-ID: <8eea04080607141609n1270f57dva21efcd2d8eb5789@mail.gmail.com>
In-Reply-To: <44B75A3D.5060108@skoberne.net>
References: <44B75A3D.5060108@skoberne.net>
On 7/14/06, Nejc Skoberne <nejc@skoberne.net> wrote:
> pass out on $UntrustInterface route-to ($UntrustInterface2 $NextHop2) from
> $UntrustInterface2 to any keep state
> pass out on $UntrustInterface2 route-to ($UntrustInterface $NextHop1) from
> $UntrustInterface to any keep state
>
> I thought this would do the following: if I ping E.F.G.H from w.x.y.z (somewhere on the
> Internet), the packet goes in through $UntrustInterface2, the kernel crafts the ping-reply
> packet and sends it out to the default route via $UntrustInterface - but since there is
> a route-to rule, the packet should get routed to $UntrustInterface2 and $NextHop2
> instead. Is this reasoning correct?

You need to use reply-to when a packet comes in on the second interface:

pass in on $UntrustInterface2 reply-to ($UntrustInterface2 $NextHop2) keep state

That should get you working, then apply filtering as desired.

> You can find the full pf.conf here: http://nejc.skoberne.net/pf.conf

Thanks for linking your full pf.conf, as it makes answering questions a lot easier.

-- 
Jon
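The pairing Jon describes, written out as a small self-contained pf.conf for a host with two uplinks, is shown below. This is an added example, not the questioner's pf.conf or anything from the thread; the interface names (em0, em1), the next-hop addresses (taken from the documentation ranges) and the choice of ICMP echo and SSH as the inbound services are all assumptions made for the illustration. The inbound rules carry reply-to so that the reply to a packet that arrived on the second uplink is sent back through that uplink and its next hop, independent of the routing table; the outbound route-to rules cover locally originated traffic that is sourced from the second uplink's address but would otherwise follow the default route out of the first.

```pf
# Added example (not from the original thread): dual-uplink host.
# Assumed: em0 is the uplink holding the default route, em1 the
# second uplink; 192.0.2.1 and 198.51.100.1 are the respective
# next hops (documentation addresses, constructed for this example).
ext_if1 = "em0"
ext_if2 = "em1"
gw1     = "192.0.2.1"
gw2     = "198.51.100.1"

set skip on lo0

# Start closed; every pass rule below creates state (keep state is
# explicit because this pf version does not keep state by default).
block all

# Inbound: reply-to stores the arrival interface and next hop in the
# state entry, so the reply (e.g. the ICMP echo reply, or the SYN-ACK)
# leaves on the interface the request came in on. Without this the
# reply would follow the default route out $ext_if1 even when the
# request was addressed to $ext_if2's address.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) \
    inet proto icmp from any to ($ext_if1) icmp-type echoreq keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw2) \
    inet proto icmp from any to ($ext_if2) icmp-type echoreq keep state

pass in on $ext_if1 reply-to ($ext_if1 $gw1) \
    proto tcp from any to ($ext_if1) port ssh flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw2) \
    proto tcp from any to ($ext_if2) port ssh flags S/SA keep state

# Outbound, locally originated: route-to only helps for packets this
# host creates itself (new connections), not for replies, which are
# already covered by the state created by the reply-to rules above.
# A packet sourced from $ext_if2's address is handed to pf on $ext_if1
# by the routing table; route-to redirects it to $ext_if2 via $gw2.
pass out on $ext_if1 route-to ($ext_if2 $gw2) \
    from ($ext_if2) to any keep state
pass out on $ext_if2 route-to ($ext_if1 $gw1) \
    from ($ext_if1) to any keep state

# Traffic whose source already matches the interface it leaves on
# needs no redirection.
pass out on $ext_if1 from ($ext_if1) to any keep state
pass out on $ext_if2 from ($ext_if2) to any keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. To confirm the behaviour from the thread, ping the address on em1 from an outside host while running `tcpdump -ni em1 icmp`: with the reply-to rule in place the echo reply appears on em1; without it, the same capture on em0 shows the reply leaving through the default route with em1's source address, which is exactly the asymmetric return that an upstream doing source-address filtering will drop.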