Multihoming with route-to
Jon Simola
jsimola at gmail.com
Fri Jul 14 23:09:20 UTC 2006
On 7/14/06, Nejc Skoberne <nejc at skoberne.net> wrote:
> pass out on $UntrustInterface route-to ($UntrustInterface2 $NextHop2) from $UntrustInterface2 to any keep state
> pass out on $UntrustInterface2 route-to ($UntrustInterface $NextHop1) from $UntrustInterface to any keep state
>
> I thought this would do the following: if I ping E.F.G.H from w.x.y.z (somewhere on the
> Internet), the packet goes in through $UntrustInterface2, the kernel crafts the ping-reply
> packet and sends it out to the default route via $UntrustInterface - but since there is
> a route-to rule, the packet should get routed to $UntrustInterface2 and $NextHop2
> instead. Is this reasoning correct?
You need to use reply-to when a packet comes in on the second interface:
pass in on $UntrustInterface2 reply-to ($UntrustInterface2 $NextHop2) keep state
That should get you working, then apply filtering as desired.
> You can find the full pf.conf here: http://nejc.skoberne.net/pf.conf
Thanks for linking your full pf.conf, as it makes answering questions
a lot easier.
--
Jon
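The point Jon makes above, as a complete pf.conf fragment (this is an added example, not from the original thread or from the questioner's linked pf.conf): state created by a packet that arrived on the second uplink needs reply-to so its replies leave through that uplink's gateway, while route-to is only needed for traffic the host itself originates from the second uplink's address. Interface names em0/em1 and the gateway addresses are assumptions (documentation address ranges); the default route is assumed to point at $gw1.

```pf
# Assumed topology: two external interfaces, default route via $gw1 on $ext_if1.
ext_if1 = "em0"
ext_if2 = "em1"
gw1 = "192.0.2.1"        # constructed gateway address for $ext_if1
gw2 = "198.51.100.1"     # constructed gateway address for $ext_if2

# Inbound on the second uplink: reply-to records the interface/gateway in the
# state entry, so reply packets for that state are sent out $ext_if2 via $gw2
# instead of following the kernel's default route out $ext_if1.
pass in on $ext_if2 reply-to ($ext_if2 $gw2) inet proto icmp icmp-type echoreq keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw2) inet proto tcp to ($ext_if2) port ssh keep state

# The first uplink is already the default route, so reply-to here is not
# required; being explicit keeps behaviour identical if the default changes.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) inet proto icmp icmp-type echoreq keep state
pass in on $ext_if1 reply-to ($ext_if1 $gw1) inet proto tcp to ($ext_if1) port ssh keep state

# Outbound: locally generated traffic sourced from $ext_if2's own address would
# otherwise be routed out $ext_if1; route-to forces it out $ext_if2 via $gw2.
pass out on $ext_if1 route-to ($ext_if2 $gw2) from ($ext_if2) to any keep state
pass out on $ext_if2 route-to ($ext_if1 $gw1) from ($ext_if1) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. To confirm the behaviour, ping each uplink's address from outside while running `tcpdump -ni em1 icmp` and `tcpdump -ni em0 icmp`: the echo reply should appear on the same interface the request arrived on. Note that reply-to only steers packets belonging to the matching state; connections the host opens itself still consult the routing table, which is why the route-to rules at the end remain necessary.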