Hi.

I have a router with two external interfaces, ext_if1 and ext_if2,
where everything gets routed through ext_if2 by default (gateway)
except for a few daemons on ext_if1.

   pass in on $ext_if1 inet proto tcp from any to $ext_if1 \
      port ssh reply-to ($ext_if1 $ext_gw1)

This seems to work as expected, sending return traffic through
ext_if1 rather than the default gateway.

The problem is when a connection attempt is made on $ext_if1 to
a blocked port (set block-policy return).  RST is sent through
ext_if2 rather than ext_if1, thus showing up at the destination
with the wrong source address.

I'm unable to find a rule that will get the router to send RST
through the correct interface, so other than using block-policy
drop to not send RST, is there a way to make it send through
the correct interface (ext_if1 in this case)?

Cheers,
Thomas.
