From owner-freebsd-pf@FreeBSD.ORG  Wed Dec 10 12:31:33 2008
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 3F845106564A
	for <freebsd-pf@freebsd.org>; Wed, 10 Dec 2008 12:31:33 +0000 (UTC)
	(envelope-from iskander@apple-park.kiev.ua)
Received: from smtp.apple-park.kiev.ua (smtp.apple-park.kiev.ua [212.82.221.1])
	by mx1.freebsd.org (Postfix) with ESMTP id F29848FC1A
	for <freebsd-pf@freebsd.org>; Wed, 10 Dec 2008 12:31:32 +0000 (UTC)
	(envelope-from iskander@apple-park.kiev.ua)
Received: from sysadmin.itdep.smk (sysadmin.itdep.smk [10.1.0.20])
	by smtp.apple-park.kiev.ua (Postfix) with ESMTP id C43899B428;
	Wed, 10 Dec 2008 14:12:03 +0200 (EET)
Message-Id: <1A5D8974-8BEE-4998-B029-737E32DB3C83@apple-park.kiev.ua>
From: Alexander Vyrlanovich <iskander@apple-park.kiev.ua>
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Wed, 10 Dec 2008 14:12:02 +0200
X-Mailer: Apple Mail (2.929.2)
Subject: Dose pfsync work with route-ro/reply-to rules?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Dec 2008 12:31:33 -0000

Hello All

I have two firewalls with CARP + pfsync for failover
#uname -mrs:
FreeBSD 7.1-PRERELEASE i386
sources from Nov 24

Three ISPs are connected, default route points to ISP1
I use pf "route-to" option to forward some traffic via ISP2 and ISP3

The problem:
  When backup firewall becomes a master, all packets forwarded via  
ISP2 and ISP3
which has a state in state table, go to the ISP1 (default route) and  
of course
are blocked by pf on outgoing interface.
More over, those packets bypass nat rules and try to go out as is.

Looks like pfsync loses routing information. Can somebody confirm this?


Alexander Vyrlanovich
System Administrator