Giancarlo Razzolini wrote:
> 
> 
> Selective routing uses the route-to directive from pf. It's quite simple
>  to use and, to achieve what you want, a simple rule like this should
> solve it (the macros are wrong, I was too lazy to look them up every time :):
> 
> pass in on $dmz_if route-to ($isp2_iface $isp2_gw) from $dmz_net to any
> 
> $dmz_if = dmz interface
> $isp2_iface = interface which is attached to isp2 link
> $isp2_gw = next hop (host to reach the net on isp2)
> $dmz_net = dmz network
> 
> route-to directives are quite powerful. I developed a solution using pf
> + ifstated + snmp + ping and some clever (almost) shell scripts to
> automatically change the rules depending on the availability of the link.
> 
> My regards,
> 
> --
> Giancarlo Razzolini
> Linux User 172199
> Red Hat Certified Engineer no:804006389722501
> Moleque Sem Conteudo Numero #002
> Slackware Current
> OpenBSD Stable
> Ubuntu 7.04 Feisty Fawn
> Snike Tecnologia em Informática
> 4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85
> 
> 

Many thanks for your help Giancarlo.

Based on your rule, I've added the next two rules to my pf.conf:

-----------------------------------------------------------
###############################################################################
##  FILTER: Routing outgoing to ISP2
############################################################################### 

pass in quick on $dmz_if from $dmz_net to $lan_net

pass in quick on $dmz_if route-to ($isp2_if $isp2_gw) \
   from $dmz_net to !$lan_net
-----------------------------------------------------------

The present behaviour is:

I can reach and explore the Internet from the LAN net through ISP1, I can reach
and explore the Internet from the DMZ net through ISP2, and I can reach (without
a response) the Web Server on the DMZ from the Internet (through ISP2).

The problem is that responses from the Web Server are not routed back to the
Internet through ISP2; they are being sent through ISP1 (bge0).

Please, could someone help me with this?
Maybe a "reply-to" rule is missing?

Thanks in advance.
-- 
View this message in context: 
http://www.nabble.com/select-outgoing-route-depending-on-souce-interface-%28net%29-tp15863445p15870544.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.
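The reply-path problem described in the post above is the case pf's reply-to option exists for: the inbound connection from the Internet creates its state on the ISP2 interface, the web server's replies are matched against that state before any rule is evaluated, and a state created by a rule without reply-to simply follows the routing table (default route via ISP1). The pf.conf fragment below is an added example, not part of the original thread or the poster's pf.conf. It assumes the poster's macros $dmz_if, $dmz_net, $lan_net, $isp2_if and $isp2_gw, and introduces a hypothetical $web_srv macro for the web server's DMZ address; the interface names and addresses are placeholders. reply-to only applies to replies matched to a state entry, so the rule must keep state (the default for pass rules since OpenBSD 4.1; it is written out explicitly here for older releases).

```pf
# Added example, not from the original thread. The macro values are
# placeholders; $web_srv is a hypothetical macro for the DMZ web server.
dmz_if  = "em1"
isp2_if = "em2"
isp2_gw = "203.0.113.1"     # ISP2 next hop (documentation address)
dmz_net = "10.0.2.0/24"
lan_net = "10.0.1.0/24"
web_srv = "10.0.2.10"       # hypothetical DMZ web server

# Inbound from the Internet via ISP2. The state created by this rule is what
# the web server's replies are matched against, so it carries reply-to;
# without it the replies follow the routing table and leave via ISP1.
pass in quick on $isp2_if reply-to ($isp2_if $isp2_gw) \
    proto tcp from any to $web_srv port { 80 443 } \
    flags S/SA keep state

# DMZ to LAN stays on the local routing table (no route-to).
pass in quick on $dmz_if from $dmz_net to $lan_net keep state

# DMZ-originated traffic to anywhere else is forced out through ISP2.
pass in quick on $dmz_if route-to ($isp2_if $isp2_gw) \
    from $dmz_net to !$lan_net keep state
```

If the web server is reached through an rdr rule on the ISP2 address, the translation is applied before filtering, so `to $web_srv` is the internal DMZ address, not the public one. Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; after a connection from outside, `pfctl -ss` should show the state on $isp2_if and `tcpdump -ni em2` (the ISP2 interface in this example) should show the server's replies leaving through ISP2 rather than bge0.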
