Hello, I am trying out the reply-to option in pf to force icmp echo replies back on the same interface (vlan10) where they came in.
The problem I am seeing is that the destination MAC address of the replies is set to the ethernet next-hop of the default route (vlan11). Am I using this correctly?

My ruleset:

include '/etc/pf.d/tables.pf'
set ruleset-optimization none
set limit states 2000000
set state-policy floating
set block-policy return
set state-defaults pflow

pass in quick on vlan10 proto icmp reply-to vlan10

block log (all, to pflog0) # Default block

pass quick proto carp keep state (no-sync)

block out quick on vlan10 from any to <rfc1918_networks>
pass out on vlan10 label vlan10 # egress ISP1
match out on vlan10 from <rfc1918_networks> to any nat-to carp10

block out quick on vlan11 from any to <rfc1918_networks>
pass out on vlan11 label vlan11
match out on vlan11 from <rfc1918_networks> to any nat-to carp11 # NAT via carp11

pass out quick on vlan10 proto icmp from vlan11 route-to (vlan11 <vlan11_gw>)
pass out quick on vlan11 proto icmp from vlan10 route-to (vlan10 <vlan10_gw>)
pass quick proto icmp

uname -a:

# uname -a
OpenBSD fw2 6.6 GENERIC.MP#3 amd64

tcpdump:

# tcpdump -eni vlan10 icmp
tcpdump: listening on vlan10, link-type EN10MB
13:15:14.962096 00:24:c4:c0:b6:c0 3c:ec:ef:40:33:fc 0800 98: 1.1.1.1 > 4.3.2.2: icmp: echo request
13:15:14.962113 3c:ec:ef:40:33:fc 38:90:a5:73:c2:3f 0800 98: 4.3.2.2 > 1.1.1.1: icmp: echo reply

arp:

# arp -an | grep 00:24:c4:c0:b6:c0
4.3.2.1 00:24:c4:c0:b6:c0 vlan10 19m25s
# arp -an | grep 38:90:a5:73:c2:3f
1.2.3.4 38:90:a5:73:c2:3f vlan11 20m0s
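A way to check for the symptom in the post from the captured data alone, added here as an example and not part of the original message: the script parses tcpdump -e lines and arp -an lines (the ones below are copied from the post) and flags every frame the firewall itself transmitted on the capture interface whose destination MAC was learned by ARP on a different interface, or not at all. It assumes that 3c:ec:ef:40:33:fc is the firewall's own vlan10 MAC (it is the destination of the inbound request and the source of the reply); the post does not state that, so it is passed in explicitly.

```python
#!/usr/bin/env python3
"""Flag transmitted frames whose next-hop MAC does not belong to the egress interface.

Added example; the two text blocks below are copied from the post, not generated here.
"""
import re

# tcpdump -eni vlan10 icmp, as shown in the post
TCPDUMP_VLAN10 = """\
13:15:14.962096 00:24:c4:c0:b6:c0 3c:ec:ef:40:33:fc 0800 98: 1.1.1.1 > 4.3.2.2: icmp: echo request
13:15:14.962113 3c:ec:ef:40:33:fc 38:90:a5:73:c2:3f 0800 98: 4.3.2.2 > 1.1.1.1: icmp: echo reply
"""

# arp -an entries for the two MACs, as shown in the post
ARP_TABLE = """\
4.3.2.1 00:24:c4:c0:b6:c0 vlan10 19m25s
1.2.3.4 38:90:a5:73:c2:3f vlan11 20m0s
"""

# OpenBSD tcpdump -e format: ts src_mac dst_mac ethertype len: src_ip > dst_ip: payload
FRAME_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src_mac>[0-9a-f:]{17})\s+(?P<dst_mac>[0-9a-f:]{17})\s+"
    r"(?P<ethertype>[0-9a-f]{4})\s+(?P<length>\d+):\s+"
    r"(?P<src_ip>\S+)\s+>\s+(?P<dst_ip>[^:]+):\s+(?P<payload>.*)$"
)

# arp -an row: host mac netif expire [flags]; the header row does not match
ARP_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<mac>[0-9a-f:]{17})\s+(?P<ifname>\S+)\s+(?P<expire>\S+)")


def parse_arp(text):
    """Map each MAC to the (ip, interface) on which the kernel learned it."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            table[m["mac"].lower()] = (m["ip"], m["ifname"])
    return table


def parse_frames(text):
    """Return one dict per parsable tcpdump -e line; other lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(m.groupdict())
    return frames


def check_next_hop(capture_if, tcpdump_text, arp_text, local_macs):
    """Return findings for frames sent from local_macs whose destination MAC
    is unknown to ARP or was learned on an interface other than capture_if."""
    arp = parse_arp(arp_text)
    local = {m.lower() for m in local_macs}
    findings = []
    for f in parse_frames(tcpdump_text):
        if f["src_mac"].lower() not in local:
            continue  # inbound frame: the peer chose that MAC, not our kernel
        entry = arp.get(f["dst_mac"].lower())
        if entry is None:
            findings.append({
                "ts": f["ts"], "dst_ip": f["dst_ip"], "dst_mac": f["dst_mac"],
                "learned_on": None, "problem": "destination MAC not in ARP table",
            })
        elif entry[1] != capture_if:
            findings.append({
                "ts": f["ts"], "dst_ip": f["dst_ip"], "dst_mac": f["dst_mac"],
                "learned_on": entry[1],
                "problem": f"destination MAC is {entry[0]} on {entry[1]}, "
                           f"but the frame left via {capture_if}",
            })
    return findings


if __name__ == "__main__":
    # Assumption: 3c:ec:ef:40:33:fc is the firewall's own vlan10 address.
    for hit in check_next_hop("vlan10", TCPDUMP_VLAN10, ARP_TABLE, {"3c:ec:ef:40:33:fc"}):
        print(f"{hit['ts']} -> {hit['dst_ip']} via {hit['dst_mac']}: {hit['problem']}")
```

Run it against a longer capture by replacing the two embedded strings with the full output of tcpdump -e on the reply-to interface and an unfiltered arp -an; a clean run prints nothing, and each printed line is a frame whose L2 next-hop the kernel resolved on a different interface than the one it was sent out of.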