On 03.08.2012 17:15, "Dr.-Ing. Torsten Finke" <torsten.fi...@igh-essen.com> wrote:
>
> Dear List,
>
> my network is connected to the internet by three different DSL
> connections. At connection, my ISP always provides the same IP addresses, so
> that they are effectively configured with a fixed IP address each. These
> connections are managed by my external firewall.
>
> Outbound traffic is load balanced via round robin on the three mpath default
> routes.
>
> Since I run several services on my system (e.g. openvpn, which is actually
> served by my internal firewall), I have to ensure that inbound traffic will
> be returned to exactly that connection the request came from. This is done by
> the following pf rules (openvpn handling as an example among others):
>
> #---------------------------------------------------------------
> ext_if0 = "tun0"
> ext_if1 = "tun1"
> ext_if2 = "tun2"
> int_fw = # my internal firewall's address
> ...
>
> pass in quick on $ext_if0 proto udp from any to any port 1194 \
>     rdr-to $int_fw port 1194 reply-to ( $ext_if0 $ext_if0:peer )
> pass in quick on $ext_if1 proto udp from any to any port 1194 \
>     rdr-to $int_fw port 1194 reply-to ( $ext_if1 $ext_if1:peer )
> pass in quick on $ext_if2 proto udp from any to any port 1194 \
>     rdr-to $int_fw port 1194 reply-to ( $ext_if2 $ext_if2:peer )
> #---------------------------------------------------------------
>
> May there be any trick that avoids this rule definition for each connection? I
> am trying to get the rules more simple and also looking for a rule that is
> independent of the actual connection state (if one of the connections is
> broken, pfctl complains about an unreachable peer of course).
>
> Has anyone tried something like this using pf anchors?
I had a patch adding support for routing options to "match" rules, but it lacked pfsync support. If you're interested, I can try to update it and send (or you can avoid waiting and search tech@ archives yourself). AFAIK, previous version still works at the place I've quit a year ago.
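Added example, not part of this thread and not code from either poster: a small POSIX sh generator for the per-uplink `rdr-to ... reply-to` rules quoted above. The interface names tun0-tun2 and the udp/1194 service come from the quoted message; the internal firewall address 192.0.2.10 and the anchor name `uplinks` are placeholders I chose. The point is that each uplink's rules are emitted separately, so they can be loaded into their own pf anchor and a dead uplink (whose `:peer` cannot be resolved) only fails its own anchor load instead of the whole ruleset.

```sh
#!/bin/sh
# Generate one "pass in quick ... rdr-to ... reply-to" rule per uplink and
# service, instead of maintaining three hand-written copies in pf.conf.
# Assumptions (placeholders, adjust for the real setup):
INT_FW="${INT_FW:-192.0.2.10}"          # internal firewall address (placeholder)
UPLINKS="${UPLINKS:-tun0 tun1 tun2}"    # one DSL uplink interface per word
SERVICES="${SERVICES:-udp/1194}"        # proto/port pairs to redirect inward
ANCHOR="${ANCHOR:-uplinks}"             # name of the parent pf anchor (placeholder)

# Emit the rules for a single uplink interface ($1). Each rule pins the
# reply path to the interface and its peer so answers leave the same way
# the request arrived, exactly as in the quoted configuration.
gen_rules_for_uplink() {
    ifn=$1
    for svc in $SERVICES; do
        proto=${svc%/*}
        port=${svc#*/}
        printf 'pass in quick on %s proto %s from any to any port %s \\\n' \
            "$ifn" "$proto" "$port"
        printf '\trdr-to %s port %s reply-to ( %s %s:peer )\n' \
            "$INT_FW" "$port" "$ifn" "$ifn"
    done
}

# Emit the full set of rules for every uplink.
gen_rdr_rules() {
    for ifn in $UPLINKS; do
        gen_rules_for_uplink "$ifn"
    done
}

# Sanity check: number of rules that would be loaded.
count_rules() {
    gen_rdr_rules | grep -c '^pass in quick'
}

# Load each uplink into its own sub-anchor so one unresolvable ":peer"
# does not prevent the other uplinks' rules from loading. Requires a
# matching "anchor \"uplinks/*\"" line in pf.conf. Dry-run only when
# DRY_RUN is set (pfctl -n parses without loading).
load_per_uplink_anchors() {
    for ifn in $UPLINKS; do
        tmp=$(mktemp) || return 1
        gen_rules_for_uplink "$ifn" > "$tmp"
        if [ -n "$DRY_RUN" ]; then
            pfctl -n -a "$ANCHOR/$ifn" -f "$tmp"
        else
            pfctl -a "$ANCHOR/$ifn" -f "$tmp"
        fi
        rm -f "$tmp"
    done
}
```

Run `gen_rdr_rules` to see the expanded ruleset; `DRY_RUN=1 load_per_uplink_anchors` checks each uplink's rules with `pfctl -n` before anything is changed. Adding a fourth uplink is then a one-word change to `UPLINKS` rather than three more hand-edited rules.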