> No, your script or ifstated config will need to adjust this rule,
> you can do this by using a macro to write the rule, something like this:
>
>     GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"
>     pass in on $int_if from $lan_net route-to { $GATEWAYS }
>
> This helps because you can override the macro on the pfctl command line,
> so you can use something like this to reload the ruleset with your choice
> of gateway:
>
>     pfctl -D GATEWAYS="1.1.1.1@em0" -f /etc/pf.conf
>     pfctl -D GATEWAYS="2.2.2.2@em1" -f /etc/pf.conf
>     pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
>
> While you're testing, use "pfctl -v ..." if you would like to check
> how the parsed rules look.
>
Thanks once again for your introduction. I wrote a shell script; please see it
below. In /etc/pf.conf I have this variable:

    GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"

Now, this is the script:

    #!/bin/sh
    # Checking WAN1: three echo requests sourced from the WAN1 address
    ping -q -c 3 -i 2 -w 3 -I 1.1.1.5 173.194.38.191 > /dev/null 2>&1
    VARWAN1=$?
    # Checking WAN2: three echo requests sourced from the WAN2 address
    ping -q -c 3 -i 2 -w 3 -I 2.2.2.5 173.194.38.184 > /dev/null 2>&1
    VARWAN2=$?

    if [ "$VARWAN1" = 0 ] && [ "$VARWAN2" = 0 ]; then
        echo "Both links are UP"
        route add -mpath default 1.1.1.1
        route add -mpath default 2.2.2.2
        pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
    elif [ "$VARWAN1" != 0 ] && [ "$VARWAN2" != 0 ]; then
        echo "Both links are DOWN"
        # no link works anyway, so keep the same setup as when both are up
        route add -mpath default 1.1.1.1
        route add -mpath default 2.2.2.2
        pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
    elif [ "$VARWAN1" != 0 ]; then
        echo "WAN1 is DOWN"
        route add -mpath default 2.2.2.2
        route delete -mpath default 1.1.1.1
        pfctl -D GATEWAYS="2.2.2.2@em1" -f /etc/pf.conf
    elif [ "$VARWAN2" != 0 ]; then
        echo "WAN2 is DOWN"
        route add -mpath default 1.1.1.1
        route delete -mpath default 2.2.2.2
        pfctl -D GATEWAYS="1.1.1.1@em0" -f /etc/pf.conf
    fi

Please NOTE: section 2 (i.e. when BOTH links are DOWN) means no internet at
all, so it just behaves as if BOTH links are UP. It does NOT matter for me.

I think that traffic routes as I expected. I will have to test it.

Now, the interesting thing is this (taken from the OpenBSD website):

    # keep https traffic on a single connection; some web applications,
    # especially "secure" ones, don't allow it to change mid-session
    pass in on $int_if proto tcp from $lan_net to port https \
        route-to ($ext_if1 $ext_gw1)

When both links are UP and WAN1 is UP, https traffic will go via WAN1.
When WAN1 goes down, https should go via WAN2.

I think if I add another variable to /etc/pf.conf, I will be able to achieve
it too.
    ONEWAYHTTPS="1.1.1.1@em0"
    pass in on $int_if proto tcp from $lan_net to port https \
        route-to { $ONEWAYHTTPS }

and use this below while WAN1 goes DOWN:

    pfctl -D ONEWAYHTTPS="2.2.2.2@em1" -f /etc/pf.conf

Is it all right? I think there are a few miles left for me to reach the goal.
If you can give an example, it is worth a million times over.

Your comments are welcome...

--
Thank you
Indunil Jayasooriya
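As an added example (not the poster's script and not from the quoted reply), here is one way to put the two macros together in a script that is safe to run from cron: the gateway/source/probe addresses are the ones from the thread, while the state file path, the `apply` argument and the split into functions are my own assumptions. It derives both GATEWAYS and ONEWAYHTTPS from the same two link checks, reloads pf only when the link state actually changed, and parse-checks the ruleset with `pfctl -n` before loading it so a bad macro value cannot leave the box without its rules.

```sh
#!/bin/sh
# Added example, not the poster's script.  Assumed: same gateways, source
# addresses and probe hosts as in the thread; STATE_FILE and the "apply"
# argument are placeholders of my own.
set -u

PF_CONF=${PF_CONF:-/etc/pf.conf}
STATE_FILE=${STATE_FILE:-/var/run/wan-state}   # assumption: where to remember last state

GW1="1.1.1.1@em0"; SRC1="1.1.1.5"; PROBE1="173.194.38.191"
GW2="2.2.2.2@em1"; SRC2="2.2.2.5"; PROBE2="173.194.38.184"

# link_up SRC TARGET: succeeds if any of three echo requests sourced from
# SRC is answered (same probe the poster uses).
link_up() {
    ping -q -c 3 -i 2 -w 3 -I "$1" "$2" >/dev/null 2>&1
}

# gateways_macro UP1 UP2: prints the GATEWAYS value.  "Both down" is treated
# like "both up", as the poster chose, since nothing can route anyway.
gateways_macro() {
    case "$1$2" in
        10) echo "$GW1" ;;
        01) echo "$GW2" ;;
        *)  echo "$GW1 $GW2" ;;
    esac
}

# https_macro UP1 UP2: prints ONEWAYHTTPS, i.e. WAN1 while it is up (or
# while nothing is up), WAN2 only when WAN1 alone has failed.
https_macro() {
    if [ "$1" = 1 ] || [ "$2" = 0 ]; then echo "$GW1"; else echo "$GW2"; fi
}

# state_changed STRING FILE: returns 0 and records STRING if it differs from
# the last recorded state, 1 if unchanged.  Avoids reloading pf on every run.
state_changed() {
    if [ -f "$2" ] && [ "$(cat "$2")" = "$1" ]; then return 1; fi
    printf '%s\n' "$1" > "$2"
    return 0
}

# set_routes UP1 UP2: add the multipath default routes first, then delete
# the dead one, so there is never a moment without a default route.
set_routes() {
    gw1=${GW1%@*}; gw2=${GW2%@*}
    [ "$1$2" = 01 ] || route -n add -mpath default "$gw1" >/dev/null 2>&1
    [ "$1$2" = 10 ] || route -n add -mpath default "$gw2" >/dev/null 2>&1
    [ "$1$2" = 01 ] && route -n delete -mpath default "$gw1"
    [ "$1$2" = 10 ] && route -n delete -mpath default "$gw2"
    return 0
}

# reload_pf GATEWAYS ONEWAYHTTPS: dry-run parse with -n before the real load.
reload_pf() {
    pfctl -n -D GATEWAYS="$1" -D ONEWAYHTTPS="$2" -f "$PF_CONF" || return 1
    pfctl -D GATEWAYS="$1" -D ONEWAYHTTPS="$2" -f "$PF_CONF"
}

apply_policy() {
    up1=0; up2=0
    link_up "$SRC1" "$PROBE1" && up1=1
    link_up "$SRC2" "$PROBE2" && up2=1
    state="$up1$up2"
    state_changed "$state" "$STATE_FILE" || { echo "link state unchanged ($state)"; return 0; }
    echo "link state now WAN1=$up1 WAN2=$up2"
    set_routes "$up1" "$up2"
    reload_pf "$(gateways_macro "$up1" "$up2")" "$(https_macro "$up1" "$up2")"
}

case "${1:-}" in
    apply) apply_policy ;;
    *) echo "usage: $0 apply" ;;
esac
```

Run it as `sh wan-check.sh apply` from cron every minute or so. Both macros must then be defined in /etc/pf.conf with their normal values (as the poster already does) so that a plain `pfctl -f /etc/pf.conf` still parses; the `-D` values only override them for that load.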