My longish question left out critical pieces: the actual /etc/ files (pf.conf, hostname.*, bridgename.*) and tcpdump logs. I apologize. Thanks for reading and replying despite that. I'll be going another round tonight, and will follow up with concrete examples to the pf list, with a brief summary here to wrap it up. 'Til then, here are my responses to the email so far:
Stuart Henderson:

>> If we could make all the phones go to one switch, connect that to one
>> internal NIC, and all the PCs go to another switch, and into the
>> second internal NIC, then this would be easy. I think. But we don't
>> have the space or the hardware.
>
> You could run vlans, if your switch supports them. That's probably
> the cleanest way.

Ah, if only... there's only one port per office cube. PC plugs into a port on the phone, phone plugs into the wall jack, carries traffic for both VOIP and PC. So the vlans would have to be set on the individual PCs and the phones. I don't think the phones support VLAN. Not positive on that though. I am pretty sure that as a temporary consultant, it would break after I left, unless the VLAN could be assigned to everyone via DHCP. I don't see that in dhcpd-options (and it seems strange to serve non-vlan dhcp requests, telling all requestors to get themselves onto a specific vlan...)

>> a smaller problem: how to specify what remote host to route-to in
>> pf.conf when the interface is configured via DHCP?
>
> You don't... use the normal routing table for this instead.

In the original context, "route-to ($ext_if 44.33.22.1)" worked, "route-to ($ext_if)" did not, nor did the pass rule without any route-to. But that's not very helpful without the full setup, and I would like to use the normal routing table as you suggest...

That "small problem" can be restated: The best example I can find using route-to is at http://www.openbsd.org/faq/pf/pools.html - it uses a syntax like "route-to ($ext_if $ext_gw)" where $ext_gw is the remote gateway for $ext_if, defined as a dot-address macro. For what that example is doing, it can't "use the normal routing table instead," apparently. That page doesn't cover the case where $ext_if has a dynamic address. As far as I can tell, it can't be easily rewritten for an ISP that assigns a varying IP address/network.
From Tihomir Koychev:

> Use PF specific pf@benzedrine.cx
> Your question is there. There are lots of mails with route-to, reply-to
> and evil NAT. Forward your e-mail there and search with google or
> http://marc.theaimsgroup.com/ (mailing list archive).

Yup, that mailing list is being helpful, giving me more ideas to try out tonight.

On 1/16/06, Todd T. Fries <[EMAIL PROTECTED]> wrote:
> you do have a 20.0.0.x IP configured on the OpenBSD box as an 'inet alias'
> in /etc/hostname.yourint_if, right??

I tried that without success. It doesn't make much sense to add that address as an alias anyway, when the OpenBSD box is supposed to transparently bridge traffic on the 20.0.0.x net. (My followup to "misc" mentioned that, my initial mis-post to "tech" didn't.)

more later, stay tuned...
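One way to keep the FAQ's "route-to ($ext_if $ext_gw)" form while the external address is learned from DHCP is to read the current default gateway out of the routing table and pass it to pf as the $ext_gw macro at ruleset load time. The script below is an added example, not code from this thread or from OpenBSD; it assumes OpenBSD's route(8) and pfctl(8) and a /etc/pf.conf that references $ext_gw, and the route(8) output it parses is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): hand the current default gateway of a
# DHCP-configured external interface to pf as the $ext_gw macro, so a rule like
#   pass out on $ext_if route-to ($ext_if $ext_gw) from $int_net to any
# in /etc/pf.conf needs no hard-coded gateway address.
# Assumes OpenBSD's route(8) and pfctl(8); ext_gw is the macro name the pf FAQ
# example uses.

# Pull the address after "gateway:" out of `route -n get default` output.
# Reads stdin so it can be exercised on captured text without touching the
# live routing table. Prints nothing if there is no gateway: line.
gateway_from_route_output() {
    awk '$1 == "gateway:" { print $2; exit }'
}

# Build the pfctl(8) -D macro definition for a gateway address.
# Accepts only a dotted-quad, so a missing default route (e.g. the DHCP lease
# expired and route(8) printed nothing) never reaches pfctl as an empty macro.
pfctl_macro_for_gateway() {
    gw="$1"
    case "$gw" in
        *[!0-9.]*|"")
            echo "pfctl_macro_for_gateway: no usable IPv4 gateway: '$gw'" >&2
            return 1 ;;
        *.*.*.*)
            printf 'ext_gw=%s\n' "$gw" ;;
        *)
            echo "pfctl_macro_for_gateway: not a dotted-quad: '$gw'" >&2
            return 1 ;;
    esac
}

# Constructed sample of `route -n get default` output on OpenBSD
# (addresses and interface name are made up).
SAMPLE_ROUTE_OUTPUT='   route to: default
destination: default
       mask: default
    gateway: 44.33.22.1
  interface: fxp0
 if address: 44.33.22.10
      flags: <UP,GATEWAY,DONE,STATIC>'

if [ "${1:-}" = "--live" ]; then
    # Real run: read the routing table and reload the ruleset with the macro.
    gw=$(route -n get default | gateway_from_route_output)
    macro=$(pfctl_macro_for_gateway "$gw") || exit 1
    pfctl -D "$macro" -f /etc/pf.conf
else
    # Dry run on the constructed sample: show what would be passed to pfctl.
    gw=$(printf '%s\n' "$SAMPLE_ROUTE_OUTPUT" | gateway_from_route_output)
    macro=$(pfctl_macro_for_gateway "$gw") || exit 1
    echo "would run: pfctl -D $macro -f /etc/pf.conf"
fi
```

Without arguments the script only parses the embedded sample and prints the pfctl command it would run; with --live it reloads the ruleset. The macro value only exists for that one -f load, so the script has to be rerun whenever the lease (and so the gateway) changes, and the refusal to load on a missing or malformed gateway is deliberate: loading a route-to rule with an empty target would silently change where the bridge sends traffic.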