On Sun, Feb 28, 2021 at 01:17:01PM +0100, Rachel Roch wrote:
>
> 28 Feb 2021, 11:28 by s...@spacehopper.org:
>
> > On 2021/02/28 11:46, Rachel Roch wrote:
> >
> >> Thank you all for the suggestions, I am currently testing a few of them.
> >>
> >> In case it makes any difference, the underlying problem I have is I have
> >> two firewalls with BGP upstreams, one acting as primary, one as standby.
> >> So the problem I am seeing is the age-old problem of asymmetric traffic to
> >> the secondary firewall meaning pkg_add on the secondary doesn't work.
> >>
> >
> > You can't just get two sessions from your upstreams so they can both be
> > active rather than one in standby?
> >
>
> Maybe my wording is a little off.
>
> I do have independent sessions from FW1 and FW2 to upstream routers.
>
> The problem, I suspect, is more to do with overlapping of IP ranges being
> advertised to upstreams, and hence traffic never making it back to FW2
> because FW1 picks it up, hence the desire to have an effective way to tell
> OpenBSD "send all localhost originating traffic from lo2 because the IPs on
> lo2 are exclusive to that host".
I have a situation like that at work which I solved using the following
rules:

    # let us talk to things
    # Locally generated packets (!received-on any) leaving on an upstream
    # link for a destination outside that link's own subnet get their
    # source address rewritten to lo1's address.
    match out on vlan363 to !vlan363:network !received-on any nat-to lo1
    match out on vlan364 to !vlan364:network !received-on any nat-to lo1
    # Then let all locally generated traffic out.
    pass out !received-on any

vlan363 and vlan364 are the links I use to talk to the rest of the world.
There may be a less worse way to do that with the routing table now though.
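The rules above, transposed to the layout described earlier in the thread (two upstream links on the standby firewall, an lo2 address that only FW2 advertises). This is an added pf.conf fragment written for this page, not configuration posted by either participant; the interface names em0/em1, the address 192.0.2.2 and the macro names are assumptions.

```pf
# Added example, not from the thread. Interface names and the lo2 address
# are assumed; substitute the real ones.
up1     = "em0"          # link carrying the BGP session to upstream 1
up2     = "em1"          # link carrying the BGP session to upstream 2
self_ip = "192.0.2.2"    # address on lo2 that is advertised only by FW2

# Per-link rules: "!received-on any" selects packets this host generated
# itself, and "to !$upN:network" leaves traffic to the link subnet alone,
# so the BGP session to the directly connected upstream router is NOT
# rewritten.  Everything else we originate leaves with lo2's address as
# source, which is the address the upstreams route back to this host.
match out on $up1 to !$up1:network !received-on any nat-to $self_ip
match out on $up2 to !$up2:network !received-on any nat-to $self_ip

# match rules only set the translation; a pass rule is still needed.
pass out !received-on any
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, and after a `pkg_add` run confirm the translation with `pfctl -ss`: the state entries for the outbound connections should show the lo2 address as the translated source. Two caveats a practitioner will want: the exclusion only covers directly connected peers, so a multihop BGP session to a peer beyond the link subnet would also be rewritten and needs its own exception; and because this is NAT rather than source-address selection, the approach depends on the translated address being reachable via FW2's own advertisements, which is exactly the premise stated above. As for the "routing table" alternative the reply alludes to: recent OpenBSD releases let route(8)'s `sourceaddr` command set the preferred source address for locally originated connections, which achieves the same goal without translation (this reading of the hint is the editor's, not the author's).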