I had code doing this, and even pfctl erroring out with a nice message
if kernel and userland are out of sync, but Theo refused it.
Why?
Julf
Claudio,
This is because of delayed checksum calculation in ip_output.
Thanks for the explanation!
Julf
Karl,
The rule in pf is that the last pass/block match wins, unless you
say otherwise with quick.
Indeed. It's something that is too easy to forget when you try things.
I had it right before, but got the order of the lines wrong as part
of trying to get it to work. Thanks for the correction.
Hi!
I have a small network, connected by 2 ADSL connections, and
want to load-share the connections. All examples of route-to
round-robin that I have seen have used 2 separate interfaces,
but as both my ADSL modems are on the same no-man's-land
network, I have been (so far unsuccessfully) trying
Thanks for the reply, Daniel!
AFAIK, it should work.
Good to have that confirmed, thanks!
Can you ping $isp1_gw and $isp2_gw, and is arp -sn showing two
different entries for them?
From the firewall machine, yes, but not from machines on
the internal network.
What is the problem? All
AFAIK, it should work.
And it does :)
Turns out the problem had nothing to do with pf.
For some reason one of the DSM routers (ZyXEL P-2601HN-F1)
needed an explicit static return route, while the other
(FRITZ!Box Fon WLAN 7360) didn't.
Everything works fine after adding the return route.