On Fri, Oct 05, 2007 at 06:49:31PM -0400, Chris Smith wrote:
> On Friday 05 October 2007, andrew fresh wrote:
> OK, I'm still tagging, but it does seem that doing the route-to on ingress is
> a working scenario.

Oh good. I am glad that worked.

> > You may also want some of the rules like those shown in the FAQ
> > http://www.openbsd.org/faq/pf/pools.html
> >
> > To ensure that packets with a source address belonging to $ext_if1 are
> > always routed to $ext_gw1 (and similarly for $ext_if2 and $ext_gw2), the
> > following two lines should be included in the ruleset:
> >
> > pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
> > to any
> > pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
> > to any
> >
> > I am NOT sure that I am correct, but this may give you something else to
> > try.
>
> I'm having trouble grokking that example, and also thinking that whatever
> it's doing may not be necessary for a non-pool setup. Any confirmation?

What this does is make sure that any packets coming from the IP of one of
the interfaces (that are the NAT IPs) go out the correct interface. So you
would add this in addition to the other rules. It probably won't do
anything, but it might.

pass out on $ext_if route-to ($wow_8_if $wow_8_gw) from $wow_8_if
pass out on $wow_8_if route-to ($ext_if $ext_gw) from $ext_if

Adding the third interface gets slightly more confusing.

I got it working in testing and I am going to install one (that does
round-robin, but that isn't important) on Tuesday. Then I am going to have
to work on an ifstated setup for failover and I am not looking forward to
that :-)

> > I also think tcpdump on the different external interfaces when you are
> > trying this would probably help a lot.
>
> That was what I was using to see what interface the packets were traversing.

Did you see any packets coming out the wrong interface? For example,
packets with the $ext_if IP coming out of $wow_8_if? That is what I would
have expected from your ruleset (mebbe).

l8rZ,
--
andrew - ICQ# 253198 - Jabber: [EMAIL PROTECTED]
BOFH excuse of the day: your process is not ISO 9000 compliant
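A complete dual-uplink ruleset of the shape discussed in this thread, as an added example that is not from the thread or from the OpenBSD FAQ. Interface names, addresses and the 192.168.1.50 host are assumptions, and the rules use the OpenBSD 4.x pf.conf syntax (nat/pass) current at the time of the thread.

```pf
# Constructed dual-WAN example (OpenBSD 4.x syntax); all names and addresses are assumed.
int_if   = "em0"
int_net  = "192.168.1.0/24"
ext_if   = "em1"            # primary uplink
ext_gw   = "192.0.2.1"
wow_8_if = "em2"            # second uplink, named as in the thread
wow_8_gw = "198.51.100.1"

# NAT outbound traffic on each uplink to that uplink's own address, so the
# source address of every packet identifies the link it belongs to.
nat on $ext_if   from $int_net to any -> ($ext_if)
nat on $wow_8_if from $int_net to any -> ($wow_8_if)

# Choose the uplink on ingress: one assumed host uses the second link,
# everything else follows the default route via $ext_if.
pass in on $int_if route-to ($wow_8_if $wow_8_gw) from 192.168.1.50 to any
pass in on $int_if from $int_net to any

# The symmetry rules from the FAQ: a packet carrying one uplink's address
# must never leave through the other uplink, whatever the routing table says.
pass out on $ext_if   route-to ($wow_8_if $wow_8_gw) from ($wow_8_if) to any
pass out on $wow_8_if route-to ($ext_if $ext_gw)     from ($ext_if)   to any

# Connections arriving on the second uplink must answer through it as well.
pass in on $wow_8_if reply-to ($wow_8_if $wow_8_gw) proto tcp \
    from any to ($wow_8_if) port 22
```

Verify it the way the thread suggests: `tcpdump -ni em2 src host 192.0.2.10` (substituting $ext_if's real address) should show nothing, since packets sourced from the primary uplink's address must never appear on the second wire.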