Sergey Lapin wrote:
When pf blocks an incoming packet with a "block return" rule, it does not send the RST or ICMP packet back out the interface on which the original packet arrived but always uses the default gateway instead. This way, if we have the default gateway set to ISP2's 2.0.0.1 and a packet destined to 1.0.0.254 comes in on ISP1's interface (ext_if1) and this packet gets blocked with "block return", the TCP RST packet with source address 1.0.0.254 will be sent through the 2.0.0.1 gateway. Obviously, ISP2 drops packets whose source does not belong to their network, so basically "block return" does not work at all.
I have the same situation here, and we use route-to to route everything from ISP1's network to their gateway and vice versa.
route-to re-routes a packet from 1.0.0.0/24 when it's trying to leave through the ISP2 interface, and everything then gets NAT'ed properly.
pass out on $ext_isp2_if route-to ($ext_isp1_if $ext_isp1_gw) from $isp1_net to any
--
Giovanni P. Tirloni / [EMAIL PROTECTED]

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
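The following pf.conf fragment is an added example, not the configuration posted in this thread, showing the route-to approach from the reply generalised to both ISPs and combined with reply-to on the stateful inbound rules. Interface names (em0, em1, em2), the LAN network and the ISP networks and gateways are assumed placeholders; only 1.0.0.0/24, 1.0.0.254 and 2.0.0.1 come from the original message.

```pf
# Added example (not from the original thread): dual-ISP edge where the
# system default route points at ISP2's gateway.  All interface names,
# networks and gateway addresses below are assumed placeholders.
ext_isp1_if = "em0"
ext_isp1_gw = "1.0.0.1"
isp1_net    = "1.0.0.0/24"

ext_isp2_if = "em1"
ext_isp2_gw = "2.0.0.1"
isp2_net    = "2.0.0.0/24"

int_if  = "em2"
lan_net = "192.168.0.0/24"

set skip on lo0
set block-policy return

# Source NAT per ISP interface: LAN traffic leaving an ISP link takes that
# link's own address, so the upstream's source filtering is satisfied.
nat on $ext_isp1_if from $lan_net to any -> ($ext_isp1_if)
nat on $ext_isp2_if from $lan_net to any -> ($ext_isp2_if)

# Default deny.  The RST/ICMP generated for a blocked packet is handed to
# the routing table, i.e. it leaves via the default gateway (ISP2).
block return log all

# Stateful inbound services on each ISP address.  reply-to pins the
# replies belonging to the state to the gateway of the interface the
# connection arrived on, independent of the default route.
pass in on $ext_isp1_if reply-to ($ext_isp1_if $ext_isp1_gw) \
    proto tcp from any to $isp1_net port 22 flags S/SA keep state
pass in on $ext_isp2_if reply-to ($ext_isp2_if $ext_isp2_gw) \
    proto tcp from any to $isp2_net port 22 flags S/SA keep state

# The route-to rule from the reply, generalised to both directions: any
# packet about to leave the "wrong" ISP interface with the other ISP's
# source address is pushed out through that ISP's link and gateway.
pass out on $ext_isp2_if route-to ($ext_isp1_if $ext_isp1_gw) \
    from $isp1_net to any
pass out on $ext_isp1_if route-to ($ext_isp2_if $ext_isp2_gw) \
    from $isp2_net to any

# LAN-originated traffic may leave via either link after NAT.
pass in on $int_if from $lan_net to any keep state
pass out on { $ext_isp1_if $ext_isp2_if } from $lan_net to any keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and verify the effect the thread is about with `tcpdump -ni em0 'tcp[tcpflags] & tcp-rst != 0'` while connecting to a blocked port on 1.0.0.254: the RST for a packet that arrived on ISP1's interface should now appear on em0 rather than on em1. If it still leaves em1, the generated packet did not pass through the route-to rule on your pf version and the route-to workaround does not apply to it.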