The simplest way to do this is probably to use multiple route tables, then you can use rtable in pf.conf instead of route-to.
www.openbsd.org/papers/eurobsd2012/phessler-rdomains/index.html
www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/

Your 'pass in' rule won't match outgoing connections from the machine itself.

gpon...@spamcop.net wrote:
> I recently moved from OpenBSD 4.9 to 5.2, and onto a new machine with
> an extra enet port for the backup cable modem. DSL with a block of
> static IPs is the primary external interface. My plan was to add rules
> with route-to to route specific traffic to the cable modem.
>
> First thing, I can't seem to write a rule that will route anywhere
> other than to the default interface. For example, a rule such as "pass
> in quick on em0 from any to 1.2.3.4 keep state route-to ( em2
> $em2GatewayAddr )" should do it. But then "telnet 1.2.3.4" causes a
> packet to go out em1, which is the interface hosting the default
> route. "pfctl -vvs rules" does show the route-to rule as one would
> expect, and it is being evaluated, but no packets match. I can't see
> any reason for packets to not match.
>
> A second problem is that the cable modem must get an address using
> DHCP. To route to the cable modem, I assume that route-to rules must
> contain the gateway address. But it is not clear how to get the
> DHCP-issued address into a rule. Is there a way to do it, or is my
> approach incorrect?
>
> George
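What the reply suggests, written out as an added example (this is my own configuration, not code from the reply, from George's post, or from the two linked papers). It assumes em0 is the LAN, em1 the DSL line that owns the default route of the main table (rtable 0), em2 the cable modem placed in rdomain 1, and that LAN traffic sent via the cable modem must be NATed to the single address the cable modem's DHCP hands out; the interface names, the rtable number 1 and the host 1.2.3.4 are taken from the thread or assumed. Because dhclient runs inside rdomain 1, the cable gateway address only ever lives in rtable 1 and never has to be written into pf.conf, which answers the DHCP question; the rtable keyword replaces route-to, so no gateway address appears in the rule at all.

```pf
# --- Setup (run as root; interface names and rtable number are assumptions) ---
# /etc/hostname.em2 puts the cable modem interface in its own routing domain
# and has the DHCP client started in that domain, so the default route dhclient
# installs lands in rtable 1 and does not touch the DSL default route in rtable 0:
#     rdomain 1
#     dhcp
# By hand, the same thing is:  ifconfig em2 rdomain 1; route -T 1 exec dhclient em2
# Check that the cable default route ended up in table 1 and not in table 0:
#     route -T 1 -n show -inet
#     route -T 0 -n show -inet
#
# --- /etc/pf.conf fragment ---
int_if    = "em0"            # LAN (assumed)
dsl_if    = "em1"            # DSL, holds the default route of rtable 0
cable_if  = "em2"            # cable modem, lives in rdomain/rtable 1
via_cable = "{ 1.2.3.4 }"    # destinations that should leave via the cable modem

# Forwarded LAN traffic to $via_cable is handed to rtable 1 for its routing
# lookup instead of being route-to'd at a gateway address we would have to
# know in advance.  The rule creates state, so replies follow the state back.
pass in quick on $int_if inet from $int_if:network to $via_cable rtable 1

# The cable modem hands out one dynamic address, so forwarded traffic has to be
# translated to it (assumption: the thread does not mention NAT).  The
# parenthesised "($cable_if)" form makes pf track the address as dhclient
# renews or changes it, again without hard-coding anything.
match out on $cable_if inet from $int_if:network nat-to ($cable_if)
pass out on $cable_if inet

# Connections from the firewall itself never pass through a 'pass in' rule on
# $int_if, which is why the original route-to rule was evaluated but never
# matched for "telnet 1.2.3.4".  For the box's own traffic, run the program in
# rdomain 1 so its routing lookup uses the cable table from the start:
#     route -T 1 exec telnet 1.2.3.4
```

Test the forwarded path first with a LAN host (tcpdump -ni em2 while connecting to 1.2.3.4 should show the packet leaving em2 with the cable address as source), then the local path with the route -T 1 exec form; if packets still leave em1, check pfctl -vvs rules for the match counter on the rtable rule and route -T 1 show for the DHCP default route before suspecting pf.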