On 04-08-2014 15:39, Christophe wrote:
> I was wondering about the behavior of OpenBSD in this case (not a
> production case at this time).
>
> 2 WAN interfaces (Ethernet / IPv4 DHCP), linked to an OpenBSD box and 1
> LAN interface (Ethernet / IPv4 static address)
>
> WAN1 (em0 DHCP) -----
>                      |--- OpenBSD ----- LAN (em2 static)
> WAN2 (em1 DHCP) -----
>
> DHCP is providing a default gateway for the 2 WAN interfaces (and can
> potentially change).
>
> First of all:
> If only "dhcp" is specified in /etc/hostname.em[0|1] files, which of
> these interfaces will provide the default gateway? Is there a
> precedence in this case?

The /etc/netstart script will walk through /etc/hostname.ifs alphabetically if I'm not mistaken. So, em0 would be called before em1. And, if I recall correctly, only the first dhclient that receives a default gateway will be the one that will be used.

>
> Otherwise, is there any way to specify a routing table in /etc/hostname.X
> while using DHCP?

By putting each external interface on a rdomain. dhclient(8) will work automatically; the only thing is that you'll need to take care of your resolv.conf, because there can be conflicts. But, if you know which is the gateway for each ISP, you could simplify things by not using rdomains and enabling multipath routing (net.inet.ip.multipath). For this you would make dhclient explicitly not accept any default gateways from the servers, and add the gateways manually. As you can see, there are options.

>
> Second question:
> I used to write route-to and reply-to rules in pf.conf in a static context.
> As far as I've seen, there are modifiers on interface specifications
> like :network or :peer. But is there a :gateway or something similar
> telling pf to use the default gateway learned by DHCP on the specified
> interface?

If your rules are symmetric, that is, you won't differentiate per ISP interface, and you manage to use the multipath routing option, then you can use only the interface group egress for your route-to rules. With rdomains things get trickier, but it works too. It will all depend on your setup.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
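
The multipath variant described in the reply above, written out as an added example that is not part of the original message: dhclient is told to ignore the DHCP-supplied gateway and each default route is added by hand. The gateway addresses 192.0.2.1 and 198.51.100.1 are constructed placeholders, and the interface names are taken from the question.

```conf
# /etc/sysctl.conf
# Allow more than one default route to be used at the same time.
net.inet.ip.multipath=1

# /etc/dhclient.conf
# Still take the address lease from DHCP, but do not install the
# gateway (routers option) that the server hands out.
interface "em0" { ignore routers; }
interface "em1" { ignore routers; }

# /etc/hostname.em0
dhcp
# Constructed placeholder gateway for ISP 1, added as a multipath route.
!route add -mpath default 192.0.2.1

# /etc/hostname.em1
dhcp
# Constructed placeholder gateway for ISP 2, added as a multipath route.
!route add -mpath default 198.51.100.1
```

Because the gateways are written in statically, this only fits when each ISP's gateway address is known and stable; if the DHCP server changes it, the manual route has to be updated as well.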

