Quoting "Alexey E. Suslikov" <[EMAIL PROTECTED]>:

> the default route is to if2. as you see, the point is
> to symmetrically route inbound dns traffic via if1.
>
> but strange things happen: i see incoming packet on if1,
> state creation, outgoing packet on if3, dns reply incoming
> on if3, and... nothing else, no outgoing packet neither on
> if1 nor if2.
>
> if i add some rule like
>
> pass in quick on $if3 route-to ($if1 $if1_gw) inet \
> from $int_net to any
Comparing your ruleset with the one used here (providing not DNS but HTTP) I see only one difference (that normally shouldn't matter): I filter on the inbound interface as well and keep state, so I have in my ruleset the equivalent of

    pass out quick on $if3 inet proto udp from any to $int_dns port dns keep state

Have you tried to log all blocked packets and dump what gets blocked? Maybe the reply gets blocked somewhere.

Clemens
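As an added example (not part of the thread, and not either poster's ruleset), here is a minimal pf.conf fragment that puts the pieces discussed above together: the inbound DNS rule on if1 pinned with reply-to so the answer leaves on if1 instead of following the default route via if2, the outbound state rule on if3 that Clemens mentions, and a logging block rule so that any dropped reply shows up on pflog0. Interface names, the gateway address, the DNS server address and the internal network are placeholders.

```pf
# Added example, not the original poster's configuration.
# All interface names and addresses below are placeholders.
if1     = "em0"              # link that receives the inbound DNS queries
if2     = "em1"              # link carrying the default route
if3     = "em2"              # internal link towards the DNS server
if1_gw  = "192.0.2.1"        # next hop on if1 (documentation address)
int_dns = "192.168.1.53"     # internal DNS server
int_net = "192.168.1.0/24"   # internal network

# Log every blocked packet; a missing reply will then be visible on pflog0.
block log all

# Inbound DNS on if1: reply-to binds the reply of this state to if1/if1_gw,
# so it is not sent out via the default route on if2.
pass in quick on $if1 reply-to ($if1 $if1_gw) inet proto udp \
    from any to $int_dns port domain keep state

# Forward the query to the DNS server on if3 and keep state there as well;
# the server's answer coming back in on if3 matches this state.
pass out quick on $if3 inet proto udp from any to $int_dns port domain keep state
```

With `block log all` in place, blocked packets can be watched live with `tcpdump -n -e -ttt -i pflog0`; if the DNS reply appears there, the drop happens in pf rather than in routing, and the rule it hit is named in the pflog header.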
