Hi Thomas,

A possible solution to your problem might be to put ext_if1 into its own
rdomain with its default route out through ext_if1.

/Benno

Henning Brauer(hb-open...@ml.bsws.de) on 2014.09.12 18:10:26 +0200:
> * Thomas Pfaff <tpf...@tp76.info> [2014-08-28 13:51]:
> > I have a router with two external interfaces, ext_if1 and ext_if2,
> > where everything gets routed through ext_if2 by default (gateway)
> > except for a few daemons on ext_if1.
> > 
> >    pass in on $ext_if1 inet proto tcp from any to $ext_if1 \
> >       port ssh reply-to ($ext_if1 $ext_gw1)
> > 
> > This seems to work as expected, sending return traffic through
> > ext_if1 rather than the default gateway.
> > 
> > The problem is when a connection attempt is made on $ext_if1 to
> > a blocked port (set block-policy return).  RST is sent through
> > ext_if2 rather than ext_if1, thus showing up at the destination
> > with the wrong source address.
> > 
> > I'm unable to find a rule that will get the router to send RST
> > through the correct interface, so other than using block-policy
> > drop to not send RST, is there a way to make it send through
> > the correct interface (ext_if1 in this case)?
> 
> pf-generated packets like these RSTs bypass the ruleset, thus never
> hit your reply-to.
> 
> I'm not aware of a solution.
> 
> (route-to and reply-to are stupid to begin with. Avoid at all cost.)
> 
> -- 
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services GmbH, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
> Henning Brauer Consulting, http://henningbrauer.com/
> 

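What Benno's rdomain suggestion looks like on an OpenBSD box, as an added configuration example that is not from the thread and not Benno's or Henning's own config. Interface names (em0 as ext_if2 in the default rdomain 0, em1 as ext_if1), the 203.0.113.0/24 addresses, the gateway 203.0.113.1 and the rdomain number 1 are all assumed for illustration. The point of the layout is that a packet arriving on em1 belongs to rdomain 1, so the kernel routes the reply, and a pf-generated RST, with rdomain 1's default route instead of rdomain 0's, which is what reply-to could not achieve for the RST.

```conf
# /etc/hostname.em1   (ext_if1; assumed names and addresses)
# "rdomain" must come before the address so the address lands in rdomain 1.
rdomain 1
inet 203.0.113.2 255.255.255.0
# Default route for rdomain 1 only; rdomain 0 keeps its default via ext_if2.
!/sbin/route -T 1 add -inet default 203.0.113.1

# /etc/rc.conf.local   (run the daemons that live on ext_if1 inside rtable 1)
sshd_flags=
sshd_rtable=1

# /etc/pf.conf   (relevant fragment; no reply-to needed any more)
ext_if1 = "em1"
set block-policy return
# Blocked connection attempts on em1 get an RST routed in rdomain 1,
# i.e. out through em1 with em1's address as source.
block in on $ext_if1
pass in on $ext_if1 inet proto tcp from any to ($ext_if1) port ssh
```

Check that the split took effect with `ifconfig em1` (it should show `rdomain 1`) and `route -T 1 -n show` (the only default route there should point at 203.0.113.1). The trade-off is that processes in rdomain 0 no longer see em1 at all, which is intended here, but anything that must talk on both sides needs either a second instance started with `route -T 1 exec` or a pair(4) link between the two rdomains.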