From owner-freebsd-pf@FreeBSD.ORG Fri May 18 01:16:49 2007
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D066016A402; Fri, 18 May 2007 01:16:49 +0000 (UTC) (envelope-from thompsa@freebsd.org)
Received: from heff.fud.org.nz (203-109-251-39.static.bliink.ihug.co.nz [203.109.251.39]) by mx1.freebsd.org (Postfix) with ESMTP id 71B9113C448; Fri, 18 May 2007 01:16:49 +0000 (UTC) (envelope-from thompsa@freebsd.org)
Received: by heff.fud.org.nz (Postfix, from userid 1001) id 3039D1CC5A; Fri, 18 May 2007 13:04:20 +1200 (NZST)
Date: Fri, 18 May 2007 13:04:20 +1200
From: Andrew Thompson
To: Kurt Buff
Cc: freebsd-pf@freebsd.org
Subject: Re: pf, bridging, transparent proxy, dual gateways?
Message-ID: <20070518010420.GD64031@heff.fud.org.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.13 (2006-08-11)
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Fri, 18 May 2007 01:16:49 -0000

On Thu, May 17, 2007 at 05:25:35PM -0700, Kurt Buff wrote:
> All,
>
> Wondering if the following scenario is at all rational/feasible:
>
> [fw-a]-------
>    |
>    |
> [switch]---[freebsd]---[router]---[many subnets]
>    |
>    |
> [fw-b]-------
>
> Fw-a fronts our current T1, and that ties our other two offices
> together with IPSec, and is our main inbound mail feed.
>
> Fw-b is soon to be installed, and will front a new T1.
>
> The lines are not bonded - they come from different vendors.
>
> I'd like to forward all individual user traffic (HTTP/FTP/other) out
> of the second T1, perhaps with the use of Squid/Frox, leaving our
> intra-corporate traffic to go in/out the current T1, and also email.

The easiest way is to use the route-to option in pf. When you pass the
traffic from the internal network you mark which link it should go out.

  pass in quick on $int_if route-to ($fw_a_if $fw_a_ip) ... (some criteria)
  pass in quick on $int_if route-to ($fw_b_if $fw_b_ip) ... (other criteria)

(pf macro names may contain only letters, digits and underscores, so the
interface and address macros are written with underscores here.)

If you are also accepting connections in from the internet then you may
want to look at the reply-to option.

regards,
Andrew
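Added example, not part of the thread: a fuller pf.conf sketch of the route-to / reply-to approach Andrew describes, laid onto Kurt's diagram. Every interface name, address, table and macro below is an assumption (addresses are from the RFC 5737 documentation ranges), and it assumes the FreeBSD box routes rather than bridges between [router] and the switch that both firewalls hang off, so both route-to targets name the same outside interface with a different next hop. If fw-a and fw-b are instead on separate NICs, put each NIC's name in its own route-to.

```pf
# /etc/pf.conf sketch (added example; all names and addresses are assumptions)
int_if   = "em0"            # faces [router] and the many subnets
ext_if   = "em1"            # faces the switch where fw-a and fw-b sit
fw_a_ip  = "192.0.2.1"      # fw-a inside address (current T1), constructed
fw_b_ip  = "198.51.100.1"   # fw-b inside address (new T1), constructed
int_net  = "10.0.0.0/8"     # internal subnets behind [router], constructed
mail_srv = "10.1.1.25"      # internal mail server, constructed

# Remote office networks reached over the IPSec tunnels that terminate on fw-a.
table <peer_nets> { 203.0.113.0/24 }          # constructed

set skip on lo0
block log all

# 1. Traffic that must stay on the current T1: intra-corporate subnets and
#    outbound mail. "quick" stops evaluation, so these sit above the catch-all.
pass in quick on $int_if route-to ($ext_if $fw_a_ip) inet \
     from $int_net to <peer_nets> keep state
pass in quick on $int_if route-to ($ext_if $fw_a_ip) inet proto tcp \
     from $mail_srv to any port 25 keep state

# 2. Everything else from users (HTTP, FTP, ...) leaves via the new T1.
#    Because the state is created here, reply packets arriving on $ext_if
#    match the state and are not re-evaluated against these rules.
pass in quick on $int_if route-to ($ext_if $fw_b_ip) inet \
     from $int_net to any keep state

# 3. Inbound connections: reply-to pins the answers to the gateway the
#    connection came through, independent of the box's default route.
#    Mail arrives via fw-a per Kurt's description; add an analogous rule
#    with $fw_b_ip for anything published through the new line.
pass in on $ext_if reply-to ($ext_if $fw_a_ip) inet proto tcp \
     from any to $mail_srv port 25 keep state

# Let forwarded packets leave on either interface.
pass out all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -sr -v` shows per-rule packet counters, which is the quickest way to confirm that user traffic is hitting rule 2 rather than rule 1, and `pfctl -ss` lists the states with their route-to/reply-to gateway. The rules only choose a next hop; the two firewalls still NAT and filter as before, so a connection whose packets take different lines in each direction will be dropped by one of them, which is exactly what reply-to in rule 3 prevents.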