> I am still stuck with the basic case of one firewall for one ISP, because in
> the PCI bus the interface connecting with the LAN switch (ix0) sits before
> the interface connecting with the gateway (em0), causing obsd to assign ix0
> to egress. Attempts to correct this via hostname have failed, including
> explicit group assignment and change of priority. I am also experiencing ssh
> disconnections. The system is unstable because of wrong egress.
I believe that the last sentence is wrong, at least in the sense that the term "egress" has been used in this whole thread.

It is totally possible for a TCP service to be hard or impossible to use if you tell one (or more) boxes along the route from client to server that there are two or more paths that can be chosen, especially if the boxes in between are using stateful firewalling. A stateful firewall will not appreciate seeing "half" of the traffic, either in terms of "outgoing traffic goes out on em0 and comes back in on em1" or "the first 10 packets went over em0, and now, for layer-2 reasons, the next 10 packets go over em1". This is exactly the thing a stateful firewall (or a cautious ISP) is meant to protect against: someone "sneaking" in packets on the side, looking like a previously existing connection made elsewhere.

So here it doesn't really matter if it is your box with multiple interfaces on the same network that is causing the confusion, or if it would be the internet at large using two paths to enter your network from different ISPs at different times; just that it IS different will make a paranoid firewall angry and have it drop the unexpected packets in order to protect you.

Looking up sloppy states, or non-interface-bound state, may help, but not doing stuff more complicated than you can handle would also fix this. There has been lots of useful advice given here already by other people, including using different rdomains per ISP to make sure things from the respective sides are not mixed up.

-- 
May the most significant bit of your life be positive.
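For readers following the thread, here is a pf.conf fragment added by the editor, not posted by anyone in the thread, that puts the three things the reply mentions side by side: interface-bound versus floating state, the sloppy TCP tracker, and handing a second uplink its own rdomain. Interface names follow the original poster (ix0 for the LAN, em0 for the ISP gateway); em1 as a second uplink in rdomain 1, and the choice of rules, are assumptions for illustration.

```pf
# Added example for the discussion above; not the original poster's config.
# ix0 = LAN switch, em0 = ISP gateway (from the post). em1 as a second ISP
# uplink living in rdomain 1 is an assumption for this example.
lan  = "ix0"
isp1 = "em0"
isp2 = "em1"

# pf's default is "floating". "if-bound" is the stricter choice: a state
# created by a SYN going out on em0 is only matched by packets seen on em0,
# so a reply that the other path delivers on em1 falls through to the
# block rule. This is the "half of the traffic" case described above.
set state-policy if-bound

block log all

# Normal outbound TCP via ISP1: state bound to em0, full sequence-number
# tracking, only SYN (not SYN+ACK) creates state.
pass out on $isp1 inet proto tcp from $lan:network to any \
    flags S/SA keep state

# The two relaxations the reply points at, applied per rule rather than
# globally, so the strict policy above stays in force everywhere else:
#   floating: the state matches on any interface, so a reply that comes
#             back on em1 is accepted; sequence-number checks still apply.
#   sloppy:   no TCP sequence-number tracking at all, so a mid-flow path
#             change that skipped packets does not desync the state. This
#             gives up the "sneaking in packets" protection described
#             above, which is why it is confined to this one rule.
pass out on $isp2 inet proto tcp from $lan:network to any \
    flags S/SA keep state (floating, sloppy)

# The cleaner approach mentioned in the thread: a separate rdomain per ISP,
# so the two uplinks never share a default route or a state table. This
# assumes em1 was put in rdomain 1 (e.g. "rdomain 1" in hostname.em1) and
# uses pf's rtable option to hand LAN traffic to that routing table.
pass in on $lan inet proto tcp from $lan:network to any \
    rtable 1 keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f`; `pfctl -ss` afterwards shows which interface each state is bound to, which is the quickest way to confirm whether the drops come from interface-bound state or from sequence-number tracking.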