nvass9573 at gmx.com
Fri Aug 27 20:19:29 UTC 2010
On 8/27/2010 9:09 PM, Doug Hardie wrote:
> On 27 August 2010, at 05:07, Patrick Lamaiziere wrote:
>> On Thu, 26 Aug 2010 18:17:19 -0700, Doug Hardie <bc979 at lafn.org>
>> wrote:
>>> PF's route_to will return the packets to the proper router, but I
>>> have not been able to figure out which ones those would be. The
>>> source IP address can be any on either network and it's highly
>>> likely that we will see packets from the same source network on
>>> both at the same time. The only distinction I see in the input
>>> packets between the two paths is the MAC address of the router.
>>> I don't see any way in pf or the system to use that to affect the
>>> return path though.
>> the filter option "reply-to" looks to be what you need. It works
>> by keeping the state of a connection (see pf.conf(5)).
> That works great on the output if you can figure out which packets to
> use it on. The only way I can see to separate the traffic is using
> the router MAC address. I don't find anything in pf that will look
> at that.
Yes, pf cannot use the MAC address to classify a packet. The most
sensible solution would be installing a single router to handle
both lines, but I know it's not always feasible to do so for several
reasons. ipfw can use MAC addresses for classification; perhaps you
can hack some rules using fwd, skipto and mac.