On Thu, 28 Jul 2011 13:23:02 +0200 Axel Rau <axel....@chaos1.de> wrote:
> Hi all,
>
> I have a routing firewall, which is also an ipsec client like this:
>
>                ppp uplink (IPv4)
>                      |
>                 dc3|pppoe0
>      +------------+------------+
>      |            +            |dc1
>      |          enc0           +----- DMZ2
>      |                         |
>      |                         |dc0
>      |                         +----- DMZ1
>      |                         |
>      +------------+------------+
>                   | em0
>               Intranet
>
> DMZ2 has public address space (here named 11.222.33.128/25). Outgoing
> traffic from this net should go through the ipsec tunnel.
>
> IPv4 traffic from Intranet and DMZ1 to non-local and non-11.222.33/24
> destinations uses the default route via NAT and pppoe0 as expected.
>
> What drives me nuts is: All traffic to 11.222.33/24 from em0 and dc1
> (including all CARP traffic from its carp2) goes to enc0, like this:
>
> 11:10:19.428653 rule 18/(match) [uid 0, pid 15367] block out on enc0: \
>   carp 11.222.33.132 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 \
>   advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 59211, len 56, bad cksum 0!)
>
> What's going on here?
>
> route-to in pf.conf seems of no influence.

let me guess....

I think you just need to allow traffic on enc0

set skip on enc0

should be enough
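The reply's suggestion written out as a pf.conf fragment. This is an added example, not part of either message in the thread; the interface names (enc0, dc1, carp2) and the DMZ2 net come from the poster's description, the `dmz2_net` macro and the commented alternative are assumptions about how one might lay out the ruleset.

```pf
# Added example, not from the thread. Hypothetical pf.conf fragment for the
# firewall described above; interface names and the DMZ2 net are the poster's,
# the macro name is an assumption.
dmz2_net = "11.222.33.128/25"

# Option A: what the reply suggests. enc0 is taken out of pf entirely, so no
# rule (including the "block out on enc0" rule 18 in the pflog line) can ever
# drop packets that the IPsec SPD has steered into the tunnel.
set skip on enc0

# Option B (tighter alternative, left commented out): keep enc0 filtered and
# pass only the tunnelled DMZ2 traffic, so anything else that unexpectedly
# ends up on enc0 still shows up in pflog instead of silently passing.
# pass in  on enc0 from any to $dmz2_net
# pass out on enc0 from $dmz2_net to any

# CARP advertisements (to 224.0.0.18) need to be allowed on the physical
# interface carrying the carp device, here dc1 for carp2, whichever option
# is used for enc0.
pass on dc1 proto carp
```

Option A is the quick fix the reply proposes; option B keeps visibility into enc0, which matters if the goal is also to understand why em0/dc1 traffic is being routed into the tunnel in the first place.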