On Thu, Feb 17, 2005 at 10:35:50AM -0300, Emilio Lucena wrote:
> Well, I tried to follow this recommendation, but I noticed that, although
> PF indeed changed its behaviour and distributed the traffic between both
> external connections, the packets sent out through the other external
> connection (not the default gateway interface), had the source IP address
> of the default interface. As a result, they get lost or discarded by the
> ISP.
>
> Now the question is how to tell PF to change the source IP address when it
> decides to send the packet through the other interface ?
>
> nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
> nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

What happens is this. The packet first tries to go out through the default
interface. The ruleset is evaluated. First, translation rules apply, then
filter rules. You have a NAT rule that matches on the default interface, so
the source address is replaced with the default interface's address. Then
filter rules are evaluated. The route-to rule causes re-routing.

Now the packet passes out through the second interface and causes ruleset
evaluation. First, translation rules apply. But your NAT rule does not
match, because of the source address restriction. The packet, at this
point, has the default interface's address as source, not $int_if:network
anymore. So no further NAT applies, and that's how the packet passes out.

Try these NAT rules instead:

  nat on $ext_if1 from !($ext_if1) to any -> ($ext_if1)
  nat on $ext_if2 from !($ext_if2) to any -> ($ext_if2)

Daniel
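An added example, not code from either mail above: a complete pf.conf fragment for the two-uplink setup under discussion, showing the original NAT rules (commented out, with the evaluation order that makes them fail on the re-routed path) next to the corrected ones, plus the route-to filter rule that triggers the second ruleset evaluation. Interface names, the LAN interface, and the two gateway addresses are assumptions. The syntax is the OpenBSD 3.x-era nat/route-to form used in the thread; OpenBSD 4.7 and later replaced nat rules with "match ... nat-to".

```pf
# Added example, not part of either mail. Interface names, the LAN
# interface and the gateway addresses are assumptions; the gateways use
# documentation address ranges. OpenBSD 3.x-era syntax (nat/route-to).

ext_if1 = "fxp0"          # uplink holding the default route (assumed)
ext_if2 = "fxp1"          # second uplink (assumed)
int_if  = "fxp2"          # LAN interface (assumed)
ext_gw1 = "192.0.2.1"     # gateway on ext_if1 (constructed)
ext_gw2 = "198.51.100.1"  # gateway on ext_if2 (constructed)

# --- Original translation rules (the failing ones) ----------------------
# What happens to a LAN packet that route-to sends via the second uplink:
#   1. Packet first heads out $ext_if1 (default route). Translation rules
#      run first: rule A matches, source becomes ($ext_if1)'s address.
#      Filter rules run next: the route-to rule re-routes it to $ext_if2.
#   2. The ruleset is evaluated again for $ext_if2. Rule B does NOT match,
#      because the source is now ($ext_if1)'s address, not $int_if:network.
#      The packet leaves $ext_if2 carrying $ext_if1's address and the
#      second ISP drops it.
#nat on $ext_if1 from $int_if:network to any -> ($ext_if1)   # A
#nat on $ext_if2 from $int_if:network to any -> ($ext_if2)   # B

# --- Corrected translation rules ----------------------------------------
# Match "anything whose source is not already this interface's address".
# On the second evaluation the source is ($ext_if1)'s address, which is
# not ($ext_if2), so the $ext_if2 rule matches and rewrites it again.
nat on $ext_if1 from !($ext_if1) to any -> ($ext_if1)
nat on $ext_if2 from !($ext_if2) to any -> ($ext_if2)

# --- Filter rules --------------------------------------------------------
# Spread new LAN connections over both uplinks. route-to is what causes
# the re-routing and the second ruleset evaluation described above.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    from $int_if:network to any keep state

pass out on $ext_if1 keep state
pass out on $ext_if2 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then confirm the fix by watching the second uplink with `tcpdump -ni fxp1` (interface name assumed) and checking that outbound packets carry that interface's own address rather than the default uplink's.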
