On Mon, Nov 21, 2016 at 4:21 AM, Comète <com...@daknet.org> wrote:
> I use route-to in my pf.conf to route packets from my LAN through 4
> non-equal WAN links (multipath routing is disabled). It works nicely, but if I
> try to send pings from the firewall itself through a specific WAN interface
> with ping -I or traceroute -s commands, it's always the default route on the
> FW that is used.
I get the impression that route-to is applied when a packet enters the router, e.g. as part of a "pass in" rule, and that it is used to forcibly direct the packet to a particular interface for "pass out" rather than relying on the default routing table for the entry interface. This means that if the "pass out" rule is the first time you are seeing the packet (i.e. because it originated from the router itself) then the routing decision has already been made and it is now too late to route again.

It is my understanding that you can set up special routing tables that have different default routes (see rdomain(4)), then use route(8) to run commands, using -T to specify which route table to use. I have never tried this myself but the man pages should have enough information to get you going.

-ken
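To make the two points in the reply concrete, here is a constructed pf.conf fragment (added to this thread; it is neither Comète's configuration nor anything Ken posted) with two WAN links instead of four. Interface names, addresses and the rtable number are placeholders, and the route(8) commands in the trailing comment are the approach the reply suggests.

```pf
# Constructed example: placeholder interfaces and RFC 5737 addresses.
lan_if  = "em0"
lan_net = "192.168.1.0/24"
wan1_if = "em1"
wan1_gw = "198.51.100.1"   # the firewall's default route also points here
wan2_if = "em2"
wan2_gw = "203.0.113.1"

# route-to takes effect on the rule that first sees the packet, which for
# LAN traffic is the "pass in" rule on the LAN interface. Here the lower
# half of the LAN is sent out via WAN1 and the upper half via WAN2, without
# consulting the firewall's default route.
pass in quick on $lan_if inet from 192.168.1.0/25 to ! $lan_net \
    route-to ($wan1_if $wan1_gw)
pass in quick on $lan_if inet from 192.168.1.128/25 to ! $lan_net \
    route-to ($wan2_if $wan2_gw)

# Source NAT on whichever WAN interface route-to selected.
pass out on $wan1_if inet from $lan_net nat-to ($wan1_if)
pass out on $wan2_if inet from $lan_net nat-to ($wan2_if)

# Packets the firewall generates itself (ping, traceroute) never hit a
# "pass in" rule; pf first sees them here, on "pass out", after the kernel
# has already chosen the outgoing interface from its routing table. That
# is the situation the reply above describes.
pass out on { $wan1_if $wan2_if }

# Per the reply: give WAN2 its own routing table with its own default route
# (rtable 2 is an arbitrary choice) and run the tool inside that table.
#
#   route -T 2 add default 203.0.113.1
#   route -T 2 exec ping -c 3 192.0.2.10
#   route -T 2 exec traceroute 192.0.2.10
```

The rtable commands are shown as comments because they are typed at the shell, not placed in pf.conf; see route(8) and rtable(4)/rdomain(4) for the details.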