We have two internet lines with two different and equally unreliable Internet providers.

We have two PF firewalls running 4.6-RELEASE, arranged in a failover configuration using CARP/pfsync. Each firewall is therefore connected to each router and to our internal network, with a crossover cable between them for pfsync.

I would like one of our internal servers to be reachable by certain remote people. Given the unreliability of each line, I would like a remote person to be able to target the CARP address of either external connection and have the traffic rdr'd through to the internal server. Sounds simple, and it half works: it only works for whichever line the firewall's default route is pointing towards. Traffic always returns along the default route, even if it originates from down the other external line, even if I use reply-to, even if I keep state, and even if I "set policy if-bound". Is this by design? Do I ask the conceptually impossible? It doesn't seem unreasonable; not everyone has high quality lines.

I have the following:

    rdr pass on $ext_if1 proto tcp from $supplierIP to $CARP_ip_line1 port 443 -> 10.0.0.50 port 443
    rdr pass on $ext_if2 proto tcp from $supplierIP to $CARP_ip_line2 port 443 -> 10.0.0.50 port 443

The problem is that replies only get back down the line that is set as the default gateway. If the default gateway is down line 1, then an incoming packet coming down line 2 will successfully get in to the firewall, pass the firewall, go to the internal server and come back to the firewall, but then try to go out down line 1.

I have tried separating the pass rule and adding a reply-to, but that doesn't seem to work either:

    pass in on $ext_if1 reply-to ($ext_if1 $isp_gw_ip_1) proto tcp from $supplierIP to $CARP_ip_line1 port 443 keep state
    pass in on $ext_if2 reply-to ($ext_if2 $isp_gw_ip_2) proto tcp from $supplierIP to $CARP_ip_line2 port 443 keep state

I still can't get traffic to return down the interface it arrived on unless it's the same as the default route. I have to set a default route because I NAT for internal workstations doing general web browsing.

Happy to send a dmesg if it would be useful.

Many thanks,
Alastair Johnson
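The rdr plus reply-to arrangement the post is asking about, written out as an added example for the 4.6-era pf.conf syntax (rdr and pass as separate rules). This is not the poster's rule set; interface names, addresses and the macro values are assumed, and the pass rules are restricted to a single supplier address as in the post. The one fact it rests on is that in pf of this era translation rules are evaluated before filter rules, so a filter rule sees the packet with its destination already rewritten to the internal server, not the CARP address.

```pf
# Added example, not the original poster's pf.conf. OpenBSD 4.6 pf syntax.
# All interface names and addresses below are assumed (RFC 5737 documentation
# ranges); substitute the real ones. Default (floating) state policy assumed.
ext_if1 = "em0"                  # physical interface carrying CARP_ip_line1
ext_if2 = "em1"                  # physical interface carrying CARP_ip_line2
int_if  = "em2"
CARP_ip_line1 = "203.0.113.10"
CARP_ip_line2 = "198.51.100.10"
isp_gw_ip_1   = "203.0.113.1"
isp_gw_ip_2   = "198.51.100.1"
supplierIP    = "192.0.2.25"
server        = "10.0.0.50"

# Translation only (no "pass" keyword), so the filter rules below still run
# and are the ones that create the state.
rdr on $ext_if1 proto tcp from $supplierIP to $CARP_ip_line1 port 443 -> $server port 443
rdr on $ext_if2 proto tcp from $supplierIP to $CARP_ip_line2 port 443 -> $server port 443

# Filter rules are evaluated after rdr, so the destination they see is $server,
# not the CARP address. A "pass in ... to $CARP_ip_line1 reply-to ..." rule never
# matches the translated packet, and the connection is then passed by whatever
# other rule does match, without reply-to. Match on the translated destination
# and bind the reply path to the interface and gateway the SYN arrived on.
# "quick" stops a later, more general pass rule from winning (last match wins
# in pf) and silently dropping the reply-to.
pass in quick on $ext_if1 reply-to ($ext_if1 $isp_gw_ip_1) proto tcp \
    from $supplierIP to $server port 443 flags S/SA keep state
pass in quick on $ext_if2 reply-to ($ext_if2 $isp_gw_ip_2) proto tcp \
    from $supplierIP to $server port 443 flags S/SA keep state

# The packet still has to be allowed out towards the server on the inside
# interface; a plain outbound pass is assumed to exist, e.g.:
pass out on $int_if proto tcp from $supplierIP to $server port 443 keep state

# The default route stays in place for everything else, e.g. NAT for the
# internal workstations' general browsing (outbound NAT rules omitted here).
```

The return packets from 10.0.0.50 match the state created by the quick pass-in rule and are sent to the gateway named in that rule's reply-to, regardless of the default route. One check worth running after loading this is `pfctl -vvsr` to confirm the two reply-to rules are accumulating packets and states; if their counters stay at zero while the connection still works, some other rule is passing the traffic and the reply-to is not in effect.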