On Wed, Oct 14, 2015 at 11:57:24AM -0300, Giancarlo Razzolini wrote:
> On 14-10-2015 11:33, C.L. Martinez wrote:
> [...]
> through your VPN. In this case, you need neither rdomain nor
> mpath. Properly crafted route-to rules in your pf.conf should do the
> trick. You can even use anchors and up/down scripts (OpenVPN), to change
> the rules in response to connections/disconnections. You can also do
> this the other way around: make the route-to rules for your customers
> and let your OpenBSD use whatever default gateway you want. If your
> networks are static, you can hard code them in your pf rules.
As I wrote, label your VPN tunnel interfaces and use an anchor to put
dst IP networks from openvpn/openconnect scripts.
(dhclient puts a label in the routing table; maybe it would be a nice
extension if there could be multiple labels per route, built in some
dynamic way so they can be distinguished easily in pf.conf,
something like...
10/8 10.40.204.1 UGS 1 18430 - 8 tun0
10/8
^^^ label
and in pf.conf something like
foo_customer=10/8
...to route $foo_customer route-to $foo_customer:gw)
Just thinking loudly.
j.
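The anchor-plus-up/down-script approach both posts describe, as an added example that is not code from this thread or from any of the participants. It is a hypothetical OpenVPN --route-up / --down hook for OpenBSD: the rules for each tunnel live in their own anchor, so a disconnect flushes exactly that tunnel's routes and nothing else. Assumptions (all invented for the example): pf.conf contains `anchor "vpn/*"`, the internal interface is em1, the destination networks reachable through a given tunnel are handed to the script with `--setenv customer_nets "10.0.0.0/8 192.0.2.0/24"`, and the rules use the `route-to (if addr)` form that was current in 2015 (later OpenBSD releases take just the address). `dev`, `script_type` and `route_vpn_gateway` are the environment variables OpenVPN exports to its hooks.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN --route-up / --down hook that
# loads destination-based route-to rules into a pf anchor named after the
# tunnel interface. Requires  anchor "vpn/*"  in pf.conf (assumed).

# Internal interface whose forwarded traffic should be steered (assumed: em1).
INT_IF=${INT_IF:-em1}

# Print one route-to rule per destination network. Kept free of side effects
# so the generated rules can be inspected (or tested) without touching pf.
#   $1 tunnel interface, $2 tunnel gateway, remaining args: destination nets
build_anchor_rules() {
    iface=$1
    gw=$2
    shift 2
    for net in "$@"; do
        # route-to (if addr) is the pre-6.6 syntax; constructed for this example.
        printf 'pass in quick on %s inet to %s route-to (%s %s)\n' \
            "$INT_IF" "$net" "$iface" "$gw"
    done
}

# Load the rules into anchor vpn/<dev> on route-up, flush that anchor on down.
#   $1 script_type, $2 tunnel interface, $3 tunnel gateway, rest: destination nets
apply_rules() {
    kind=$1
    tun=$2
    tun_gw=$3
    shift 3
    case $kind in
        route-up) build_anchor_rules "$tun" "$tun_gw" "$@" | pfctl -a "vpn/$tun" -f - ;;
        down)     pfctl -a "vpn/$tun" -F rules ;;
        *)        echo "unsupported script_type: $kind" >&2; return 1 ;;
    esac
}

# When invoked by OpenVPN, use the variables it exports; when sourced for
# inspection these are unset and nothing is applied.
if [ -n "$script_type" ] && [ -n "$dev" ]; then
    # customer_nets is intentionally word-split into separate networks.
    # shellcheck disable=SC2086
    apply_rules "$script_type" "$dev" "$route_vpn_gateway" $customer_nets
fi
```

For the "other way around" case (steering particular customer source networks into the tunnel while the box keeps its normal default gateway), swap `to %s` for `from %s` in build_anchor_rules; everything else stays the same. Check what landed with `pfctl -a vpn/tun0 -s rules` before relying on it.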