Hello, I have this PF firewall with two ISPs connected to it and an internal network. This firewall is balancing the traffic through both ISPs, and it works great. Now I'm up to the task of making this firewall react when an ISP goes down and reroute all traffic to the other one. Both ISPs are unable to provide OSPF, BGP or RIP, so those are out of the question, and a multi-path route would only react if my Ethernet link goes down, which is not really an indication of anything, so I decided to go with ifstated. The rules that do the balancing magic are the following:
    pass in on $lan_if route-to {($ext1_if $ext1_gw),($ext2_if $ext2_gw)} \
        round-robin inet proto tcp from $lan_net to any \
        port $lan2net_tcp_services flags S/SA modulate state
    pass in on $lan_if route-to {($ext1_if $ext1_gw),($ext2_if $ext2_gw)} \
        round-robin inet proto udp from $lan_net to any \
        port $lan2net_udp_services
    pass in on $lan_if route-to {($ext1_if $ext1_gw),($ext2_if $ext2_gw)} \
        round-robin inet proto icmp from $lan_net to any \
        icmp-type $lan2net_icmp_services

After asking around on IRC and checking this mailing list and other sources on the web, the only way I could come up with to do it was to take these rules and put them inside an anchor and make ifstated load different files for the different states of my interfaces and ping checks. This works but is ugly and doesn't scale well when adding more ISPs. But then I found this piece of documentation which gave me hope, from "man pf.conf":

    Tables can also be used for the redirect address of nat and rdr rules
    and in the routing options of filter rules, but only for round-robin
    pools.

Even if the man page says this, it won't let me do the following:

    table <gateways> { 192.0.2.1, 192.0.2.10 }
    pass in on $lan_if route-to (<gateways>) round-robin from $lan_net to any

because according to the BNF syntax on the same man page it does require the interface name. It's very powerful that we can specify the interface through which we want to route our packets, but it would also be very nice if pf was capable of determining the interface by itself just by having the next-hop address. If this was possible, redirecting the traffic would be as simple as adding/deleting values from that table.

I'm using 4.5 right now and I'm almost certain that all this is not possible, and even though I read the changes for 4.6 and did not see anything like this, I wanted to ask if anyone knew whether this is possible in 4.6. If not, maybe for 4.7? :P

Thanks a lot for the great software and all the hard work.
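As an added example (not from the original post and not OpenBSD's own sample configuration), here is one concrete way to wire up the anchor-plus-ifstated approach the post describes: a ping check against each gateway decides which rule file is loaded into the anchor. The interface names em0/em1/em2, the LAN prefix 10.0.0.0/24, the anchor name `balance` and the file paths under /etc/pf/ are assumptions; the gateway addresses 192.0.2.1 and 192.0.2.10 are the ones from the post. The macros are repeated in every anchor file because `pfctl -a <anchor> -f <file>` parses that file on its own and does not see the macros defined in the main pf.conf.

```conf
# /etc/pf.conf (relevant excerpt, assumed layout): the balancing rules live
# in an anchor so ifstated can swap them without reloading the whole ruleset.
anchor "balance"

# /etc/pf/balance.both -- both gateways reachable: round-robin as in the post
# (the post's tcp/udp/icmp split with its port lists goes here; one rule
# shown for brevity)
lan_if  = "em0"
lan_net = "10.0.0.0/24"
ext1_if = "em1"
ext1_gw = "192.0.2.1"
ext2_if = "em2"
ext2_gw = "192.0.2.10"
pass in on $lan_if route-to {($ext1_if $ext1_gw),($ext2_if $ext2_gw)} \
    round-robin inet from $lan_net to any modulate state

# /etc/pf/balance.isp1 -- ISP2 gateway unreachable: everything via ISP1
lan_if  = "em0"
lan_net = "10.0.0.0/24"
ext1_if = "em1"
ext1_gw = "192.0.2.1"
pass in on $lan_if route-to ($ext1_if $ext1_gw) \
    inet from $lan_net to any modulate state

# /etc/pf/balance.isp2 -- ISP1 gateway unreachable: everything via ISP2
lan_if  = "em0"
lan_net = "10.0.0.0/24"
ext2_if = "em2"
ext2_gw = "192.0.2.10"
pass in on $lan_if route-to ($ext2_if $ext2_gw) \
    inet from $lan_net to any modulate state

# /etc/ifstated.conf -- probe each gateway every 10 seconds and load the
# matching anchor file when the reachability picture changes.
init-state auto

isp1_up = '( "ping -q -c 1 -w 1 192.0.2.1 > /dev/null" every 10 )'
isp2_up = '( "ping -q -c 1 -w 1 192.0.2.10 > /dev/null" every 10 )'

# auto: decide where to go from the current probe results
state auto {
    if $isp1_up && $isp2_up
        set-state both
    if $isp1_up && ! $isp2_up
        set-state isp1only
    if ! $isp1_up && $isp2_up
        set-state isp2only
}

state both {
    init {
        run "pfctl -a balance -f /etc/pf/balance.both"
    }
    if ! $isp1_up
        set-state isp2only
    if ! $isp2_up
        set-state isp1only
}

state isp1only {
    init {
        run "pfctl -a balance -f /etc/pf/balance.isp1"
    }
    # any change in either probe: go back to auto and re-evaluate
    if $isp2_up
        set-state auto
    if ! $isp1_up
        set-state auto
}

state isp2only {
    init {
        run "pfctl -a balance -f /etc/pf/balance.isp2"
    }
    if $isp1_up
        set-state auto
    if ! $isp2_up
        set-state auto
}
```

Two things worth keeping in mind with this layout. First, route-to is bound to the state entry, so connections that were already established through the failed gateway keep their old next hop until their state expires; if that is unacceptable, the `init` block of the single-ISP states can additionally run `pfctl -F states`, at the price of dropping every active session, including ones that were using the healthy link. Second, a single lost ping is enough to flip states here; in practice you would want the probe to require several consecutive failures (for example a small script that returns non-zero only after N misses) so that one dropped packet does not bounce the whole network between gateways.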