Date:      Mon, 8 Dec 2025 03:11:47 +0200
From:      Rozhuk Ivan <rozhuk.im@gmail.com>
To:        Michael Butler <imb@protected-networks.net>
Cc:        freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: fib selection and persistence using ipfw
Message-ID:  <20251208031147.393b2391@rimwks.local>
In-Reply-To: <20350073-abc5-4116-9fd7-8e8f708a26d4@protected-networks.net>


On Sun, 7 Dec 2025 17:28:49 -0500
Michael Butler <imb@protected-networks.net> wrote:

> Having two upstream providers, I'm trying to enforce symmetric
> routing which, in OpenBSD's pf config can be implemented using ..
> 
> # Inbound control-plane to the firewall itself (per-WAN reply-to for 
> symmetry)
> pass in on $wan_a proto { tcp, udp, icmp } to ($wan_a) \
>      reply-to ($wan_a $gw_a) keep state
> pass in on $wan_b proto { tcp, udp, icmp } to ($wan_b) \
>      reply-to ($wan_b $gw_b) keep state
> 
> I've tried all manner of ipfw packet tagging in the hope that it
> would yield similar results, e.g.
> 
> setfib 1 ip from any to any recv tap0
> setfib 1 ip from any to any tagged 1
> count tag 1 ip from any to any recv tap0
> 
>   [ .. ]
> 
> check-state
> allow ip from .. keep-state
> deny log ip from any to any
> 
> Is anyone else doing something like this on -current?


Actually no, but:
ifconfig vlan1001 172.16.0.31/24 fib 1
ifconfig vlan1002 172.16.0.32/24 fib 2

Do not forget to set the fib on the network interface like it is done in the example.
In my case, if the same IP+mask is set on more than one net if, only the last one will process packets to sockets.
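An added example, not code from the thread or from either poster: a small POSIX sh script that generalizes the reply's `ifconfig ... fib N` commands to any number of WAN links and emits the matching ipfw ruleset, one `setfib` keyed on the receiving interface per WAN followed by the check-state/keep-state/deny tail from the question. The interface names, addresses, gateways, FIB numbers and function names are constructed assumptions, and the script only prints the commands unless DRY_RUN=0 is set on a FreeBSD host.

```sh
#!/bin/sh
# Added example (not from the thread). Each WAN interface is placed in its own
# FIB with ifconfig (as in the reply) and an ipfw setfib rule keyed on the
# receiving interface tags traffic that arrived there, so the stateful allow
# that follows keeps the same FIB for the rest of the flow.
# All values below are constructed; the host needs net.fibs >= 3 in loader.conf.

# One WAN per line: "<ifname> <addr/prefix> <gateway> <fib>"
WANS='vlan1001 172.16.0.31/24 172.16.0.1 1
vlan1002 172.16.1.31/24 172.16.1.1 2'

# Emit the interface and default-route commands: the address lives in its own FIB.
fib_ifconfig_cmds() {
    printf '%s\n' "$WANS" | while read -r ifn addr gw fib; do
        [ -n "$ifn" ] || continue
        echo "ifconfig $ifn $addr fib $fib"
        echo "setfib $fib route add default $gw"
    done
}

# Emit the ipfw rule bodies. setfib continues processing at the next rule,
# so every WAN gets its own setfib line before the single stateful allow.
fib_ipfw_rules() {
    printf '%s\n' "$WANS" | while read -r ifn addr gw fib; do
        [ -n "$ifn" ] || continue
        echo "setfib $fib ip from any to any in recv $ifn"
    done
    echo "check-state"
    echo "allow ip from any to any keep-state"
    echo "deny log ip from any to any"
}

# DRY_RUN=1 (the default) only prints what would be run, which is safe anywhere.
apply_fib_setup() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        fib_ifconfig_cmds
        fib_ipfw_rules | sed 's/^/ipfw -q add /'
        return 0
    fi
    fib_ifconfig_cmds | sh -e
    ipfw -q -f flush
    fib_ipfw_rules | while read -r rule; do ipfw -q add $rule; done
}

apply_fib_setup
```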



Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20251208031147.393b2391>