fib selection and persistence using ipfw
Date: Sun, 07 Dec 2025 22:28:49 UTC
Having two upstream providers, I'm trying to enforce symmetric routing
which, in OpenBSD's pf config, can be implemented using ..

    # Inbound control-plane to the firewall itself (per-WAN reply-to for symmetry)
    pass in on $wan_a proto { tcp, udp, icmp } to ($wan_a) \
        reply-to ($wan_a $gw_a) keep state
    pass in on $wan_b proto { tcp, udp, icmp } to ($wan_b) \
        reply-to ($wan_b $gw_b) keep state

I've tried all manner of ipfw packet tagging in the hope that it would
yield similar results, e.g.

    setfib 1 ip from any to any recv tap0
    setfib 1 ip from any to any tagged 1
    count tag 1 ip from any to any recv tap0
    [ .. ]
    check-state
    allow ip from .. keep-state
    deny log ip from any to any

Is anyone else doing something like this on -current?

Michael