Hello:
I am trying to understand what approach I need to take. I have tried
searching the lists, and have gone over the PF User's Guide/FAQ/Man pages,
but am not sure how to approach this.
I am trying to set up a firewall for a home network. The firewall is
connected to the outside with a cable modem, usually. So, this I
understand, and can use pf for NAT and filtering.
However, since my ISP has issues, and since I have access to an alternate
dialup provider, I would like to set up the firewall with a modem that can
be used to access the internet when the cable goes down. Basically, if the
cable dies, I would like to tell the firewall to dial the alternate ISP, and
use PPP to set up a second route to the internet.
So, I am trying to understand the right way to do this.
Let's say:
mdm_if = "tun0" # ppp interface
ext_if = "sk0" # external NIC
int_if = "sk1" # internal NIC
Obviously, on boot, both ext_if and int_if are up and running, so I can set
up pf to filter and nat without an issue.
However, what happens when I need to switch to the modem for internet
access? Clearly, the tun0 interface is only created when I connect using
the modem (ppp).
Am I able to define tun0 in pf.conf before it exists? If I can, would
simply doing something like defining 2 NAT rules, like:
nat on $mdm_if from !($mdm_if) -> ($mdm_if:0)
nat on $ext_if from !($ext_if) -> ($ext_if:0)
and then using something like:
ext_con= "{ tun0, sk0 }"
as the macro in my filter rules work, so that, if the cable goes down, I can
make the firewall dial up, and then be able to connect/filter/NAT on tun0.
Or, do I need to use anchors? So, on boot, pf would load the NAT and filter
rules for $ext_if, and then, when I need to use the PPP connection, I would
use ppp.linkup and ppp.linkdown to load (and unload) NAT and filter rules
for the dialup connection?
Or, is there another, more appropriate, option?
Thanks
ted
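A sketch of the anchor approach Ted describes, as an added example and not part of the original post: the cable rules are loaded at boot, and the dialup NAT and filter rules live in an anchor that stays empty until ppp.linkup loads it and ppp.linkdown flushes it, so nothing is ever open on tun0 while the modem is down. The LAN prefix 192.168.1.0/24, the anchor name `dialup`, the file name /etc/pf.dialup.conf and the pre-4.7 `nat on` / `keep state` syntax used in the post are assumptions; the listing shows both files, separated by comments.

```pf
# ---- /etc/pf.conf (loaded at boot) ----
# Macros from the post: cable NIC, dialup ppp interface, LAN NIC
ext_if  = "sk0"
mdm_if  = "tun0"
int_if  = "sk1"
lan_net = "192.168.1.0/24"      # assumed LAN prefix

# Normalize incoming packets on every interface
scrub in all

# Cable NAT. ($ext_if:0) is re-read by pf whenever sk0 changes address,
# so a new DHCP lease from the cable ISP needs no ruleset reload.
nat on $ext_if from $lan_net to any -> ($ext_if:0)

# Dialup translation rules go in a nat-anchor (translation and filter
# rules are separate rule sets in this syntax). The anchor is empty at
# boot; ppp.linkup fills it and ppp.linkdown empties it.
nat-anchor "dialup"

# Default deny in both directions; log drops so failover trouble shows
# up in pflog rather than as silent timeouts.
block in  log all
block out log all

# Loopback and LAN are trusted
pass quick on lo0 all
pass in  quick on $int_if from $lan_net to any keep state
pass out quick on $int_if from any to $lan_net keep state

# Cable uplink: outbound only; replies come back through the state
pass out on $ext_if from ($ext_if) to any keep state

# Dialup filter rules. The anchor sits last so its pass rules are the
# last match and are not overridden by the block rules above.
anchor "dialup"

# ---- /etc/pf.dialup.conf (assumed path; loaded into the anchor) ----
# Macros are not shared with the main file, so names are written out.
# (tun0:0) translates to the first tun0 address only.
nat on tun0 from 192.168.1.0/24 to any -> (tun0:0)
pass out on tun0 from (tun0) to any keep state
```

With this layout the ppp.linkup entry for the dialup label runs `pfctl -a dialup -f /etc/pf.dialup.conf` (a `!` shell line in ppp.linkup), and the matching ppp.linkdown entry runs `pfctl -a dialup -F nat` and `pfctl -a dialup -F rules`, so the tun0 rules exist only for the lifetime of the PPP link and the boot-time ruleset is never reloaded. Checking `pfctl -a dialup -s rules` and `pfctl -a dialup -s nat` after a link up or down shows whether the hooks fired.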