Hi,

Your use case is an outlier. Having both interfaces on the same network is not a standard configuration.

Just quit using the magic word "egress" in your pf.conf and use the specific interface names.

I went years (I started using OpenBSD 2.6) before I discovered the "egress" magic word.

Just hard code the interface names in variables.

myegress="xl0"
mylocal="em0"

And use those in the pf.conf.

Good luck!
Cheers,
Steve W.
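A worked version of the advice above, as an added example rather than Steve W.'s own ruleset: a minimal /etc/pf.conf that refers to the two interfaces by name through macros, so the ruleset does not depend on which interface the kernel puts into the "egress" group. The interface names xl0 and em0 are taken from the reply; the LAN subnet 192.168.1.0/24 is an assumed placeholder.

```pf
# Added example, not from the original post. Interface names are the ones
# given in the reply; the LAN subnet below is an assumption for illustration.
myegress="xl0"            # interface facing the ISP gateway
mylocal="em0"             # interface facing the LAN switch
lan_net="192.168.1.0/24"  # assumed LAN prefix

set skip on lo
set block-policy drop

# Everywhere the old ruleset said "egress", use $myegress instead.
match out on $myegress inet from $lan_net to any nat-to ($myegress)

# Drop packets arriving on the wrong interface for their source address.
antispoof quick for { lo $mylocal }

block all

# LAN hosts may reach the outside through the firewall.
pass in  on $mylocal  inet from $lan_net to any
pass out on $myegress inet from any to any

# Administrative ssh only from the LAN side; nothing is exposed on $myegress.
pass in on $mylocal inet proto tcp from $lan_net to ($mylocal) port 22
```

Before loading it, `pfctl -nf /etc/pf.conf` parses the file without applying it, which catches a typo in a macro name; `ifconfig egress` shows which interface the kernel has currently placed in the egress group, so you can confirm the ruleset no longer cares.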

On 4/2/2025 11:06 PM, otto.cooper wrote:
Lessons learned are gold.

I am still stuck with the basic case of one firewall for one ISP, because in 
the PCI bus the interface connecting with the LAN switch (ix0) sits before the 
interface connecting with the gateway (em0), causing obsd to assign ix0 to 
egress. Attempts to correct this via hostname have failed, including explicit 
group assignment and change of priority. I am also experiencing ssh 
disconnections. The system is unstable because of wrong egress.


-------- Original Message --------
On 4/3/25 00:03,  <obs...@loopw.com> wrote:

> The problem is the conflict that occurs naturally when connecting any two ISPs. In my not at all humble opinion, with this topology (each ISP presenting the same subnet on its client side), I would use multiple firewalls. One per ISP. Use carp if you want to failover or do fancy tricks (You can use multiple carps - one that represents going out firewall A, the other B, and they failover to each other. Much easier than editing every "LAN" box's gateways otherwise.) fwiw, even if they have different subnets, I use one firewall per ISP. I learned the hard way - Crossing ISPs through the same firewall has generally seemed like a path to losing sanity.
