On Thu, Jul 7, 2016 at 7:19 AM, Jeremy <open...@smartpoint.co.nz> wrote:
> On 28/06/2016 4:38 a.m., Bobby Johnson wrote:
>> I've set up a few OpenBSD machines to do failover with 2 internet
>> interfaces. I didn't use multipath, pf will pass traffic without it. I did
>> find it necessary to specify a reply-to for each of my pass in rules for
>> services on the 2nd interface. For example I would need these 2 rules to
>> pass traffic in on both interfaces, ext_if has the default route and is
>> egress.
>>
>> pass in on egress inet proto tcp from any to $server port 80
>> pass in on $ex2_if inet proto tcp from any to $server port 80 reply-to ( $ex2_if $ex2_gw )
>>
> I have revised my pf.conf rules and made changes along the lines suggested
> above.
> i.e. ...reply-to ($ext_if2 $ext_gw2)
> (NB: I have also replaced all instances of "egress" with $ext_if1 in
> preparation for switch-over.)
>
> Incoming traffic now works but I'm concerned this is a little clumsy to have
> to duplicate each pass rule and add a reply-to field to each one. Is this
> the best practice?
PF tags might be useful. I haven't used tags in exactly this way myself (I use
them for other things), but something like this seems reasonable:

    match in on egress inet proto tcp from any to $server port 80 tag PASS
    ...
    pass in on $ex1_if tagged PASS
    pass in on $ex2_if reply-to $ex2_if tagged PASS

Slightly off topic: in earlier releases I think it used to work putting
reply-to on both. It might have been redundant to put reply-to on the primary
interface but it didn't break anything. Now putting reply-to on the primary
fouls things up ("primary" defined as "the interface used by the best-priority
default route").

-ken
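As an added example (not from Ken's reply or anyone in the thread), a fuller pf.conf fragment built on the tag approach: the service rules classify inbound connections once, and a single per-WAN pass rule decides how each is answered. It assumes the macros ext_if1, ext_if2, ext_gw2 and server (addresses constructed) and the `reply-to ( interface gateway )` form used in the thread; newer OpenBSD releases changed that syntax, so check pf.conf(5) for your release.

```pf
# Added example, not from the thread. Macros and addresses are constructed.
ext_if1   = "em0"           # primary WAN; carries the default route
ext_if2   = "em1"           # secondary WAN
ext_gw2   = "203.0.113.1"   # next hop on ext_if2
server    = "192.0.2.10"    # internal host being published
web_ports = "{ 80 443 }"

set skip on lo
block return log

# Classify once: an inbound connection to the server gets the same tag
# whichever WAN it arrives on. Adding a service means adding one match rule,
# not one pass rule per interface.
match in on { $ext_if1 $ext_if2 } inet proto tcp from any to $server \
    port $web_ports tag SRV_IN

# Decide once per interface. Replies to connections that arrived on the
# primary follow the default route, so no reply-to here (Ken's caveat above).
pass in quick on $ext_if1 tagged SRV_IN

# Connections that arrived on the secondary must be answered through its own
# gateway; without reply-to the state's replies would leave via the default
# route on ext_if1 and never reach the client.
pass in quick on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) tagged SRV_IN

pass out on { $ext_if1 $ext_if2 }
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -vsr` shows the loaded rules with their evaluation and packet counters so you can confirm that traffic arriving on each WAN hits the intended pass rule.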