On 17-07-2015 14:17, lausg...@gmail.com wrote:
Ok, so isc-dhclient + dhclient-script with this
modification http://www.rinta-aho.org/docs/openbsd-pf/dhclient-script.patch
supplied to it + route-to rules used like
in http://www.rinta-aho.org/docs/openbsd-pf/pf.conf do work.

Nice to hear that. This script can sure be improved.

However, the round-robin http://www.openbsd.org/faq/pf/pools.html#outgoing
construction doesn't work for this case.
A rule like
"pass in on lan inet from lan:network to !lan:0 route-to { (cnmac1 <gw_cnmac1>), (cnmac2 <gw_cnmac2>) } round-robin"
fails with
"multiple tables or dynamic interfaces not supported for translation or routing"
and I don't know another way of dynamically passing gateways from dhclient to pf
for this rule without using multiple tables.
As I mentioned, I would use least-states, instead of round-robin. Also, I had a similar issue and solved it using (egress). Since your interfaces will have default routes, they will be all part of the egress group. You can exploit that. Use tags and tcpdump to debug your rules, I believe you can find a solution.

Cheers,
Giancarlo Razzolini
