j knight wrote:
> Bernd Bednarz wrote:
>
>> j knight wrote:
>>
>>> pass out on $dsl2 route-to ($dsl1 $gw1) from $ip1 to any
>>> pass out on $dsl1 route-to ($dsl2 $gw2) from $ip2 to any
>>>
>>> Why did you remove them?
>>
>>
>> because the reply-to rule does the same for me and I don't need both
>> of them. When I ping the router on tun1 the packets go through tun1
>> with the route-to or reply-to and that's why I only have the one rule
>> reply-to
>
>
> I didn't mean for you to replace the reply-to rules with route-to rules,
> but to have both pairs. The route-to rules will prevent exactly the
> problem you're seeing: packets leaving $if1 with a source IP of $if2
> (and vice-versa of course).

OK, here we go, now my pf.conf looks like this.

-snip-
pppoe1="tun0"
pppoe2="tun1"
gw1="217.0.116.68"
gw2="217.0.116.67"
supp_net="10.30.70.0/24"
admin_net="10.30.20.0/24"

# optimize
set loginterface $pppoe1
set optimization aggressive

nat on $pppoe1 from $supp_net to any -> ($pppoe1)
nat on $pppoe1 from $admin_net to any -> ($pppoe1)
nat on $pppoe2 from $supp_net to any -> ($pppoe2)
nat on $pppoe2 from $admin_net to any -> ($pppoe2)

rdr on $pppoe2 proto tcp from any to $pppoe2 port 80 -> 10.30.70.43 port 80

pass out on $pppoe1 route-to ($pppoe2 $gw2) from $pppoe2 to any keep state
pass out on $pppoe2 route-to ($pppoe1 $gw1) from $pppoe1 to any keep state

pass in on $pppoe2 reply-to ($pppoe2 $gw2) proto tcp from any to $pppoe2 port 80 keep state
-snap-

But I think you didn't understand what I said. The route-to rules don't
catch the packets which come from 10.30.70.43 and I don't know why.
