On Friday 05 October 2007, andrew fresh wrote:
> It takes a while for the packets to figure out how to get through the
> router, once they do, the states are set up and everything works as it
> should. I can see that.

Seems that way.

> > Basic scenario is 2 internal interfaces (2 separate subnets) and three
> > external (gateway) interfaces (a T1 line - the default gateway, a 4Mb/s
> > cable line, and an 8Mb/s cable line). My current testing is just using
> > one system to route-to one of the non-default gateways.
>
> This means that each interface has a separate subnet with separate
> gateways and all that?

Yes.

> What is $ext_if and what is $wow_8_if? You seem to use them kind of
> randomly in your ruleset below. I am guessing that $ext_if is the T1
> (default gateway) and that $wow_8_if is one of the cable lines.

Yes.

> I think your problem is that if you route-to on your outbound interface
> it happens after NAT. NAT and route-to on egress is I think a bad
> combination. That it works at all is to me more surprising than that it
> is slow.
> Perhaps try this (I didn't):
> (and keep state is default now so that simplifies the rules)
> ==================================================================
> nat on $ext_if inet from $s3_if:network to any -> $ext_ad
> nat on $wow_8_if inet from $s3_if:network to any -> $wow_8_ad1
>
> pass in on $s3_if inet from $s3_if:network to !$alt_if
> pass in on $s3_if route-to ( $wow_8_if $wow_8_gw ) \
>     inet from $orion7 to !$alt_if
>
> pass out on $s3_if from any to $s3_if:network
>
> pass out on $ext_if
> pass out on $wow_8_if
> ==================================================================

OK, I'm still tagging, but it does seem that doing the route-to on
ingress is a working scenario.

> You may also want some of the rules like those shown in the FAQ
> http://www.openbsd.org/faq/pf/pools.html
>
> To ensure that packets with a source address belonging to $ext_if1 are
> always routed to $ext_gw1 (and similarly for $ext_if2 and $ext_gw2), the
> following two lines should be included in the ruleset:
>
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
>     to any
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
>     to any
>
> I am NOT sure that I am correct, but this may give you something else to
> try.

I'm having trouble grokking that example, and also thinking that whatever
it's doing may not be necessary for a non-pool setup. Any confirmation?

> I also think tcpdump on the different external interfaces when you are
> trying this would probably help a lot.

That was what I was using to see what interface the packets were
traversing.

Thanks.

-- 
Chris
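Below, as an added illustration that is not from either poster, is a complete pf.conf in the pre-4.7 syntax used in this thread ("nat on", implicit "keep state") that puts the pieces together: per-egress NAT, route-to applied on the internal interface where the packet enters, and the two FAQ rules quoted above. The reason ingress is the right place is mechanical: "nat on $ext_if" translates the source address as the packet is about to leave $ext_if, so a route-to evaluated on "pass out on $ext_if" diverts a packet that already carries the T1 address to the cable gateway, and the cable provider's upstream then drops or misroutes it. The FAQ pair is not specific to address pools; it catches packets whose source is one external interface's own address but which the kernel routing table would send out the other uplink (typically replies to a connection that arrived on the cable line). Interface names, addresses, gateways and the host behind $orion7 are assumptions; the thread names the macros but not their values.

```pf
# Added example, not code from the thread. Pre-OpenBSD 4.7 syntax to match
# the rules quoted above. Every interface name and address is assumed.

s3_if     = "em0"               # internal subnet being tested (assumed)
alt_if    = "em3"               # the second internal interface (assumed)
ext_if    = "em1"               # T1, the kernel's default gateway
wow_8_if  = "em2"               # 8Mb/s cable line
ext_ad    = "203.0.113.10"      # assumed public address on $ext_if
ext_gw    = "203.0.113.1"       # assumed T1 gateway
wow_8_ad1 = "198.51.100.10"     # assumed public address on $wow_8_if
wow_8_gw  = "198.51.100.1"      # assumed cable gateway
orion7    = "192.168.30.7"      # the one host to be policy-routed (assumed)

set skip on lo
scrub in all

# Translation happens per egress interface, so the interface the packet
# actually leaves on decides its source address. route-to must therefore
# be decided before translation, i.e. on the ingress (internal) side.
nat on $ext_if   inet from $s3_if:network to any -> $ext_ad
nat on $wow_8_if inet from $s3_if:network to any -> $wow_8_ad1

block log all
antispoof quick for { lo $s3_if $alt_if }

# Ordinary internal hosts follow the routing table (default via the T1).
pass in on $s3_if inet from $s3_if:network to !$alt_if

# The test host is diverted to the cable line as it enters the router.
# 'quick' makes the precedence explicit instead of relying on last-match.
pass in quick on $s3_if route-to ($wow_8_if $wow_8_gw) \
    inet from $orion7 to !$alt_if

pass out on $s3_if from any to $s3_if:network

pass out on $ext_if
pass out on $wow_8_if

# FAQ rules, instantiated for this pair of uplinks: a packet sourced from
# the cable line's address that the routing table would push out the T1
# is sent to the cable gateway instead, and vice versa.
pass out on $ext_if   route-to ($wow_8_if $wow_8_gw) from $wow_8_ad1 to any
pass out on $wow_8_if route-to ($ext_if $ext_gw)     from $ext_ad    to any
```

Check it with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`. With the ruleset loaded, `tcpdump -n -i em2 host 198.51.100.10` should show the test host's traffic leaving with the cable line's address immediately, and `pfctl -ss` should show a single state per flow rather than the repeated retries described at the top of the thread; if traffic from the test host still appears on em1, the route-to rule is not the one creating the state.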