> No, your script or ifstated config will need to adjust this rule,
> you can do this by using a macro to write the rule, something like this:
>
> GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"
> pass in on $int_if from $lan_net route-to { $GATEWAYS }
>
> This helps because you can override the macro on the pfctl command line,
> so you can use something like this to reload the ruleset with your choice
> of gateway:
>
> pfctl -D GATEWAYS="1.1.1.1@em0" -f /etc/pf.conf
> pfctl -D GATEWAYS="2.2.2.2@em1" -f /etc/pf.conf
> pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
>
> While you're testing, use "pfctl -v ..." if you would like to check
> how the parsed rules look.
>
>
Thanks once again for your introduction. I wrote a shell script, please
see below.
In /etc/pf.conf I have the variable below:
GATEWAYS="1.1.1.1@em0 2.2.2.2@em1"
Now, this is the script:
#!/bin/sh
# Probe each WAN through its own source address (-I); ping exits 0 when the
# target answered and non-zero otherwise.
#Checking WAN1
ping -q -c 3 -i 2 -w 3 -I 1.1.1.5 173.194.38.191 > /dev/null 2>&1
VARWAN1=$?
#Checking WAN2
ping -q -c 3 -i 2 -w 3 -I 2.2.2.5 173.194.38.184 > /dev/null 2>&1
VARWAN2=$?
if [ "$VARWAN1" -eq 0 ] && [ "$VARWAN2" -eq 0 ]; then
    echo "Both links are UP"
    # both multipath default routes, both gateways in the pf macro
    route add -mpath default 1.1.1.1
    route add -mpath default 2.2.2.2
    pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
elif [ "$VARWAN1" -ne 0 ] && [ "$VARWAN2" -ne 0 ]; then
    # Section 2: nothing is reachable anyway, so keep the both-up setup
    echo "Both links are DOWN"
    route add -mpath default 1.1.1.1
    route add -mpath default 2.2.2.2
    pfctl -D GATEWAYS="1.1.1.1@em0 2.2.2.2@em1" -f /etc/pf.conf
elif [ "$VARWAN1" -ne 0 ]; then
    echo "WAN1 is DOWN"
    # keep only WAN2 in the routing table and in the pf macro
    route add -mpath default 2.2.2.2
    route delete -mpath default 1.1.1.1
    pfctl -D GATEWAYS="2.2.2.2@em1" -f /etc/pf.conf
elif [ "$VARWAN2" -ne 0 ]; then
    echo "WAN2 is DOWN"
    # keep only WAN1 in the routing table and in the pf macro
    route add -mpath default 1.1.1.1
    route delete -mpath default 2.2.2.2
    pfctl -D GATEWAYS="1.1.1.1@em0" -f /etc/pf.conf
fi
Please NOTE: section 2 (i.e. when BOTH links are DOWN) means there is no
internet at all, so it just behaves as if BOTH links were UP. It does NOT
matter for me.
I think that traffic routes as I expected. I will have to test it.
Now, the interesting thing is this (taken from the OpenBSD website):
# keep https traffic on a single connection; some web applications,
# especially "secure" ones, don't allow it to change mid-session
pass in on $int_if proto tcp from $lan_net to port https \
route-to ($ext_if1 $ext_gw1)
When both links are UP and WAN1 is UP, https traffic will go via WAN1.
When WAN1 goes down, https should go via WAN2.
I think if I add another variable to /etc/pf.conf, I will be able to
achieve it too:
ONEWAYHTTPS="1.1.1.1@em0"
pass in on $int_if proto tcp from $lan_net to port https \
route-to { $ONEWAYHTTPS }
and use the line below when WAN1 goes DOWN:
pfctl -D ONEWAYHTTPS="2.2.2.2@em1" -f /etc/pf.conf
Is it alright?
I think there are a few miles left for me to reach the goal.
If you can give an example, it is worth a million times over.
Your comments are welcome...
--
Thank you
Indunil Jayasooriya
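The script below is an added example written for this thread; it is not the poster's script and not anything from the OpenBSD website. It keeps the poster's gateways, interfaces, source addresses and probe targets (1.1.1.1@em0, 2.2.2.2@em1, 1.1.1.5, 2.2.2.5, 173.194.38.191, 173.194.38.184) as assumed values, and assumes a state file under /var/run that the thread never mentions. It goes beyond the poster's version in three ways a practitioner usually wants: the link state is turned into the GATEWAYS and ONEWAYHTTPS macro values by two small functions, the ruleset is parse-checked with "pfctl -n" before the live one is replaced, and routes and pf are only touched when the link state actually changed since the last run. DRY_RUN=1 prints the route/pfctl/logger commands instead of executing them.

```shell
#!/bin/sh
# Added example (not the poster's script): two-WAN failover that derives the
# pf macros from the probe results, parse-checks before loading, and reloads
# only on a state change. All addresses, interfaces and paths are assumed.

WAN1_GW=1.1.1.1; WAN1_IF=em0; WAN1_SRC=1.1.1.5   # values from the thread
WAN2_GW=2.2.2.2; WAN2_IF=em1; WAN2_SRC=2.2.2.5
PROBE1=173.194.38.191; PROBE2=173.194.38.184       # probe targets from the thread
PF_CONF=/etc/pf.conf
STATE_FILE=/var/run/wan-state          # assumed location of the last known state
DRY_RUN=${DRY_RUN:-0}                  # DRY_RUN=1: print commands instead of running

# run <cmd...>: execute, or just echo the command line in dry-run mode
run() {
    if [ "$DRY_RUN" -eq 1 ]; then echo "+ $*"; else "$@"; fi
}

# probe_link <source-addr> <target>: 0 if the target answers through that link
probe_link() {
    ping -q -c 3 -i 2 -w 3 -I "$1" "$2" >/dev/null 2>&1
}

# gateways_for <wan1_rc> <wan2_rc>: the GATEWAYS macro for this link state.
# Both-down is deliberately treated like both-up (the poster's "section 2").
gateways_for() {
    if [ "$1" -eq 0 ] && [ "$2" -ne 0 ]; then
        echo "$WAN1_GW@$WAN1_IF"
    elif [ "$1" -ne 0 ] && [ "$2" -eq 0 ]; then
        echo "$WAN2_GW@$WAN2_IF"
    else
        echo "$WAN1_GW@$WAN1_IF $WAN2_GW@$WAN2_IF"
    fi
}

# https_gw_for <wan1_rc> <wan2_rc>: the ONEWAYHTTPS macro; https stays on
# WAN1 unless WAN1 is the only link that is down.
https_gw_for() {
    if [ "$1" -ne 0 ] && [ "$2" -eq 0 ]; then
        echo "$WAN2_GW@$WAN2_IF"
    else
        echo "$WAN1_GW@$WAN1_IF"
    fi
}

# set_routes <gateways-macro>: keep a multipath default route for every gateway
# named in the macro and remove the others. Adding a route that is already
# present fails harmlessly, hence the || true.
set_routes() {
    for entry in "$WAN1_GW@$WAN1_IF" "$WAN2_GW@$WAN2_IF"; do
        gw=${entry%@*}
        case " $1 " in
            *" $entry "*) run route -n add -mpath default "$gw" 2>/dev/null || true ;;
            *)            run route -n delete -mpath default "$gw" 2>/dev/null || true ;;
        esac
    done
}

# apply_state <wan1_rc> <wan2_rc>: parse-check the ruleset with the new macro
# values first; a ruleset that fails to parse must never replace the live one.
apply_state() {
    gws=$(gateways_for "$1" "$2")
    https=$(https_gw_for "$1" "$2")
    run pfctl -n -D GATEWAYS="$gws" -D ONEWAYHTTPS="$https" -f "$PF_CONF" || {
        run logger -t wanfail "pf.conf does not parse, keeping current ruleset"
        return 1
    }
    set_routes "$gws"
    run pfctl -D GATEWAYS="$gws" -D ONEWAYHTTPS="$https" -f "$PF_CONF"
}

main() {
    probe_link "$WAN1_SRC" "$PROBE1"; rc1=$?
    probe_link "$WAN2_SRC" "$PROBE2"; rc2=$?
    [ "$rc1" -eq 0 ] || rc1=1        # normalise: only up (0) / down (1) matters
    [ "$rc2" -eq 0 ] || rc2=1
    state="$rc1:$rc2"
    # Reload only when the state changed: reloading on every run is needless
    # churn and makes a flapping link worse.
    if [ -f "$STATE_FILE" ] && [ "$(cat "$STATE_FILE")" = "$state" ]; then
        return 0
    fi
    run logger -t wanfail "link state changed to WAN1=$rc1 WAN2=$rc2 (0=up)"
    if apply_state "$rc1" "$rc2"; then
        [ "$DRY_RUN" -eq 1 ] || echo "$state" > "$STATE_FILE"
    fi
}

# Invoke as "sh wan-failover.sh check" (e.g. from cron every minute);
# loading the file without the argument only defines the functions.
case "${1:-}" in check) main ;; esac
```

The macro functions are what the poster's if/elif chain does, just separated from the side effects so they can be checked without touching the box; running "DRY_RUN=1 sh wan-failover.sh check" shows which route and pfctl commands a given link state would produce before the script is put in cron.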