Lessons learned are gold. I am still stuck with the basic case of one firewall for one ISP, because in the PCI bus the interface connecting with the LAN switch (ix0) sits before the interface connecting with the gateway (em0), causing obsd to assign ix0 to egress. Attempts to correct this via hostname have failed, including explicit group assignment and change of priority. I am also experiencing ssh disconnections. The system is unstable because of wrong egress.
-------- Original Message --------
On 4/3/25 00:03, <obs...@loopw.com> wrote:
>
> The problem is the conflict that occurs naturally when connecting any two
> ISPs.
>
> In my not at all humble opinion, with this topology (each ISP presenting the
> same subnet on its client side), I would use multiple firewalls. One per
> ISP. Use carp if you want to failover or do fancy tricks (You can use
> multiple carps - one that represents going out firewall A, the other B, and
> they failover to each other. Much easier than editing every "LAN" box's
> gateway otherwise.)
>
> fwiw, even if they have different subnets, I use one firewall per ISP. I
> learned the hard way - crossing ISPs through the same firewall has generally
> seemed like a path to losing sanity.
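The two-CARP layout the quoted message describes (firewall A normally carries VIP .1, firewall B normally carries VIP .2, and each takes over the other's VIP on failure), written out as OpenBSD hostname.if(5) fragments. This is an added illustration, not configuration from either poster; the LAN subnet 192.0.2.0/24, the interface name ix0, the vhid numbers and the shared secret are placeholders and must be adjusted to the real network.

```conf
# ---- Firewall A (uplink to ISP A) ----
# /etc/hostname.carp0 : VIP for "exit via A"; advskew 0 makes A the preferred master
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev ix0 advskew 0 pass CHANGE_ME_SECRET
# /etc/hostname.carp1 : VIP for "exit via B"; advskew 100 means A only backs this one up
inet 192.0.2.2 255.255.255.0 192.0.2.255 vhid 2 carpdev ix0 advskew 100 pass CHANGE_ME_SECRET

# ---- Firewall B (uplink to ISP B) ----
# /etc/hostname.carp0 : backup for vhid 1 (advskew 100)
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev ix0 advskew 100 pass CHANGE_ME_SECRET
# /etc/hostname.carp1 : preferred master for vhid 2 (advskew 0)
inet 192.0.2.2 255.255.255.0 192.0.2.255 vhid 2 carpdev ix0 advskew 0 pass CHANGE_ME_SECRET

# ---- Both firewalls: /etc/sysctl.conf ----
# Let the preferred master reclaim its VIP when it returns, and fail over
# all CARP interfaces together if any carpdev link goes down.
net.inet.carp.preempt=1
```

LAN hosts that should leave through ISP A use 192.0.2.1 as their gateway and hosts that should leave through ISP B use 192.0.2.2; when one firewall dies, the surviving one answers for both VIPs, so no host gateway has to be edited. Use `ifconfig carp0` on each box to confirm which one reports MASTER for each vhid, and keep the shared secret identical on both firewalls or the peers will ignore each other's advertisements.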