>> the default route is to if2. as you see, the point is
>> to symmetrically route inbound dns traffic via if1.
>>
>> but strange things happen: i see incoming packet on if1,
>> state creation, outgoing packet on if3, dns reply incoming
>> on if3, and... nothing else, no outgoing packet on either
>> if1 or if2.
>>
>> if i add some rule like
>>
>> pass in quick on $if3 route-to ($if1 $if1_gw) inet \
>>     from $int_net to any
> Comparing your ruleset with the one used here (providing not dns but http) i see
> only one difference (that normally shouldn't matter): I filter on the inbound
> interface as well and keep state, so i have in my ruleset the equivalent of
>
> pass out quick on $if3 inet proto udp from any to $int_dns port dns keep state
>
> Have you tried to log all blocked packets and dump what gets blocked? Maybe the
> reply gets blocked somewhere.

i use 3.3-stable custom kernel from 20030605 without IPv6. scrubbing and nat
temporarily disabled on vlan0 (parent is fxp). sorry for different source port
numbers: logs have come from different sessions.

# pfctl -vss
...
udp xxx.xxx.xxx.xxx:53 <- yyy.yyy.yyy.yyy:53 <- zzz.zzz.zzz.zzz:15829 SINGLE:MULTIPLE
   age 00:00:02, expires in 00:00:28, 2 pkts, 388 bytes, rule 1
...

rdr works and state created.

# pfctl -vvsr
...
@1 pass in quick on vlan0 reply-to (vlan0 $vlan0_gw) inet proto udp from any to xxx.xxx.xxx.xxx port = domain keep state
  [ Evaluations: 245       Packets: 6         Bytes: 1164        States: 1     ]
...

state created against correct rule.

# tcpdump -s1500 -evtni pfsync0
...
version 1 count 1: INS ST: rule 0
udp xxx.xxx.xxx.xxx:53 <- yyy.yyy.yyy.yyy:53 <- zzz.zzz.zzz.zzz:15829 NO_TRAFFIC:SINGLE
   age 00:00:00, expires in 00:01:00, 1 pkts, 60 bytes, rule 0
...

additionally look here.

# tcpdump -n -e -ttt -i pflog0
...
Jul 15 18:46:31.066042 rule 15/0(match): block out on vlan0: yyy.yyy.yyy.yyy.53 > zzz.zzz.zzz.zzz.41102: 47295*- 9/0/2[|domain]
...

rdr rule translates response back and final block rule drops it like 'there is
no state for such packet'.

i am seriously confused. should i try GENERIC for completely clean tests?
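An added triage script, not part of this thread: it parses `pfctl -vss` inbound state entries and `tcpdump -e` pflog0 block lines in the formats quoted above and lists blocked outbound packets whose addresses are exactly the reply half of a recorded state, which is the symptom described in the last message. The sample output is constructed with placeholder addresses and, unlike the logs above, uses one consistent session so the ports line up; the line formats are assumed to be as quoted in the thread.

```python
import re
# pfctl -vss inbound state: "udp lan:port <- gwy:port <- ext:port STATE:STATE ..."
# (the middle host appears only when rdr translated the destination).
STATE_RE = re.compile(r"^(tcp|udp)\s+(\S+:\d+(?:\s+<-\s+\S+:\d+)+)")
# tcpdump -e on pflog0: "... rule 15/0(match): block out on vlan0: a.b.c.d.53 > e.f.g.h.41102: ..."
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(\w+\): (?P<act>block|pass) (?P<dir>in|out) on (?P<ifn>\S+): "
    r"(?P<src>(?:\d+\.){3}\d+)\.(?P<sport>\d+) > (?P<dst>(?:\d+\.){3}\d+)\.(?P<dport>\d+):"
)

def parse_states(pfctl_vss):
    """Return (proto, reply_src, reply_dst) per inbound state: the reply that leaves
    the firewall carries the rdr-untranslated address (gwy) as source and ext as destination."""
    states = []
    for line in pfctl_vss.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        hosts = re.split(r"\s+<-\s+", m.group(2))
        gwy = hosts[1] if len(hosts) == 3 else hosts[0]
        states.append((m.group(1), gwy, hosts[-1]))
    return states

def blocked_replies_with_state(states, pflog):
    """Blocked outbound packets whose addresses are the reply half of a known state."""
    hits = []
    for line in pflog.splitlines():
        m = PFLOG_RE.search(line)
        if not m or m.group("act") != "block" or m.group("dir") != "out":
            continue
        pair = ("%s:%s" % (m.group("src"), m.group("sport")),
                "%s:%s" % (m.group("dst"), m.group("dport")))
        for proto, rsrc, rdst in states:
            if (rsrc, rdst) == pair:
                hits.append((int(m.group("rule")), m.group("ifn"), proto, rsrc, rdst))
    return hits

# Constructed sample output (placeholder addresses, ports from one consistent session).
PFCTL_VSS = """\
udp 10.0.0.53:53 <- 192.0.2.10:53 <- 198.51.100.7:15829 SINGLE:MULTIPLE
tcp 10.0.0.80:80 <- 192.0.2.10:80 <- 203.0.113.5:40000 ESTABLISHED:ESTABLISHED
"""
PFLOG = """\
Jul 15 18:46:31.066042 rule 15/0(match): block out on vlan0: 192.0.2.10.53 > 198.51.100.7.15829: 47295*- 9/0/2[|domain]
Jul 15 18:46:32.000000 rule 15/0(match): block out on vlan0: 192.0.2.10.53 > 198.51.100.9.5000: [|domain]
"""
if __name__ == "__main__":
    for rule, ifn, proto, src, dst in blocked_replies_with_state(parse_states(PFCTL_VSS), PFLOG):
        print("rule %d blocked %s reply %s > %s on %s although a state exists" % (rule, proto, src, dst, ifn))
```

A hit means the final block rule saw a packet that a state should have passed; run it against your own `pfctl -vss` and pflog0 captures taken in the same session.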
