From owner-freebsd-pf@FreeBSD.ORG  Thu Dec 11 08:10:04 2008
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2DF981065679
	for <freebsd-pf@freebsd.org>; Thu, 11 Dec 2008 08:10:04 +0000 (UTC)
	(envelope-from iskander@apple-park.kiev.ua)
Received: from smtp.apple-park.kiev.ua (smtp.apple-park.kiev.ua [212.82.221.1])
	by mx1.freebsd.org (Postfix) with ESMTP id DEAC88FC18
	for <freebsd-pf@freebsd.org>; Thu, 11 Dec 2008 08:10:03 +0000 (UTC)
	(envelope-from iskander@apple-park.kiev.ua)
Received: from sysadmin.itdep.smk (sysadmin.itdep.smk [10.1.0.20])
	by smtp.apple-park.kiev.ua (Postfix) with ESMTP id DD9709B428
	for <freebsd-pf@freebsd.org>; Thu, 11 Dec 2008 10:10:02 +0200 (EET)
Message-Id: <254A0CF2-6152-4E23-8FFC-48344F4EC66C@apple-park.kiev.ua>
From: Alexander Vyrlanovich <iskander@apple-park.kiev.ua>
To: freebsd-pf@freebsd.org
In-Reply-To: <1A5D8974-8BEE-4998-B029-737E32DB3C83@apple-park.kiev.ua>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Thu, 11 Dec 2008 10:10:01 +0200
References: <1A5D8974-8BEE-4998-B029-737E32DB3C83@apple-park.kiev.ua>
X-Mailer: Apple Mail (2.929.2)
Subject: Re: Dose pfsync work with route-ro/reply-to rules?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Dec 2008 08:10:04 -0000

On 10 Dec 2008, at 14:12, Alexander Vyrlanovich wrote:

> Hello All
>
> I have two firewalls with CARP + pfsync for failover
> #uname -mrs:
> FreeBSD 7.1-PRERELEASE i386
> sources from Nov 24
>
> Three ISPs are connected, default route points to ISP1
> I use pf "route-to" option to forward some traffic via ISP2 and ISP3
>
> The problem:
> When backup firewall becomes a master, all packets forwarded via  
> ISP2 and ISP3
> which has a state in state table, go to the ISP1 (default route) and  
> of course
> are blocked by pf on outgoing interface.
> More over, those packets bypass nat rules and try to go out as is.
Please ignore my sentence about nat - it was incorrect.

> Looks like pfsync loses routing information. Can somebody confirm  
> this?


Alexander Vyrlanovich
System Administrator