Hello,

I totally agree, that's why I wrote to the mailing list and not copied the example ;-) It's not the first time I'm working with pf, but the first time with two external connections.

Thanks for the link, I missed that because of the topic (I'm not looking for load balancing). But I didn't find out how to set this up correctly:

- normally the chosen link is rule (pf) based
- the other line should be used if one is down (how to do that with pf?)
- how must I read the route-to / reply-to syntax? For example:

  pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
  pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
Till now I wasn't able to get into that, still looking for the click-aha-effect ;-)

Thanks for your help.

Regards
Hagen Volpers

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Stuart Henderson
> Sent: Thursday, 26 June 2008 01:47
> To: misc@openbsd.org
> Subject: Re: carp / routing question (multiple lines)
>
> On 2008-06-25, openbsd misc <[EMAIL PROTECTED]> wrote:
> > I hope I can avoid try'n error this way ;-) I have two firewall systems
> > with carp enabled (running obsd 4.3). These gateways have two internet
> > connections (dsl 6000 and symmetric 4000 provided by a router with an
> > /29 transport net).
> > The symmetric line should be used for vpn and for mail and http(s) if
> > the dsl line is not available.
> > I tried to google about this topic, but I didn't find much helpful.
> > Someone mentioned http://marc.info/?l=openbsd-misc&m=120665186412690&w=2
> > yesterday. Looks like a good starting point because the pf.conf manpage
> > doesn't say much about route-to and reply-to syntax.
>
> Try http://www.openbsd.org/faq/pf/pools.html#outgoing for an
> introduction, the syntax of route-to and reply-to is given in the
> BNF section at the bottom of pf.conf(5) - everyone writing PF
> configuration files should learn how to read this section.
> Everyone copying-and-pasting PF configs from samples really
> should too...
>
> You should also get acquainted with running tcpdump on different
> interfaces, including pflog0 (with the relevant "log" in PF rules),
> it's very useful when you need to debug PF and in particular any
> complicated NAT/route-to configuration.
>
> > Does someone have a link for me how to set the correct routes and
> > pf-rules? The symmetric line should be set as default route with a
> > higher metric but the source ip should be the carp ip if used.
>
> You set the source address of outgoing packets with NAT rules.
> You direct packets out the relevant interface with route-to.
> And you direct return packets for an *incoming* connection
> with reply-to.
>
> Forget metrics/route priority for now, that won't help you direct
> packets out of one or other connection based on port number, you
> need PF rules to classify traffic if you want that.
>
> > I think
> > my biggest problem is carp, because I don't know how to set up pf
> > correctly with carp in use. As you know pf uses the physical interface,
> > not the virtual interface, so I think I have to define the source ip,
> > too?
>
> Where you have to define an interface, use the physical interface
> (vlan/trunk count as physical interface for this purpose).
>
> Where you have to specify an address, use whichever is correct for
> what you're trying to do, carp/physical/both.
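An added example, written by the editor and not posted by anyone in this thread, of what Stuart's three points (NAT picks the source address, route-to picks the outgoing link by port, reply-to returns answers to inbound connections via the link they arrived on) look like in an OpenBSD 4.3-era pf.conf with the physical interfaces in interface positions and the carp addresses in address positions. Every interface name, address and network is a placeholder. It covers the rule-based link choice and the route-to/reply-to reading from the question, not the "use the other line if one is down" part, which the thread does not resolve.

```pf
# Added example (not from the thread): two uplinks on a carp pair, OpenBSD 4.3-era
# grammar (separate nat rules). All names, addresses and networks are placeholders.

# Interface positions take the physical interfaces, never carpN.
int_if  = "em0"
ext_if1 = "em1"            # dsl 6000 line (default route goes out here)
ext_if2 = "em2"            # symmetric 4000 line (/29 transport net)
ext_gw1 = "192.0.2.1"      # placeholder: dsl gateway
ext_gw2 = "198.51.100.1"   # placeholder: router on the /29 transport net

# Address positions take whichever address is correct: here the carp addresses,
# because that is what the outside world must see from either firewall.
carp_ip1 = "192.0.2.10"    # placeholder: carp address on the dsl line
carp_ip2 = "198.51.100.2"  # placeholder: carp address on the symmetric line
int_net  = "10.0.0.0/24"   # placeholder: LAN behind the firewall pair

set skip on lo

# Source address of outgoing packets is set per outgoing interface by NAT.
nat on $ext_if1 from $int_net to any -> $carp_ip1
nat on $ext_if2 from $int_net to any -> $carp_ip2

block log all

# carp advertisements must pass between the two firewalls.
pass quick on { $int_if, $ext_if1, $ext_if2 } proto carp

# LAN traffic in general follows the default route (dsl). Last matching rule
# wins, so the more specific route-to rule below overrides this one.
pass in on $int_if inet from $int_net to any

# Classify by port on the *internal* interface and steer mail and https out
# of the symmetric line; route-to names (interface gateway) for that link.
pass in on $int_if route-to ($ext_if2 $ext_gw2) inet proto tcp \
    from $int_net to any port { smtp, https }

# Reading the two rules from the question: a packet about to leave $ext_if1
# that carries the *other* link's address is pushed out via $ext_if2 and its
# gateway instead, and vice versa. With carp in use the address to test for
# is the carp address (plus the interface's own, for the firewall's traffic).
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from { $carp_ip2, $ext_if2 } to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from { $carp_ip1, $ext_if1 } to any
pass out on { $ext_if1, $ext_if2 }

# Inbound connections on the non-default link: reply-to sends the answers back
# through $ext_gw2 instead of letting them follow the default route out $ext_if1.
pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
    from any to $carp_ip2 port { smtp, https }
pass in log on $ext_if1 inet proto tcp from any to $carp_ip1 port { smtp, https }
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch what the logged rules actually match with `tcpdump -n -e -ttt -i pflog0` on each firewall, as Stuart suggests; a connection that shows up with the wrong source address or on the wrong interface usually means the NAT rule and the route-to rule disagree about which address the packet carries when the filter sees it.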