I am having a hard time routing a reply out the correct WAN interface.
In spite of using a reply-to and creating state, the packet is routed
to the other interface and then dropped.
In detail, the machine has two WAN interfaces ext_if1 and ext_if2. A
backup mail server runs on the same machine, which is postfix listening
only on the first address of ext_if2, a.b.c.240. The pass in rule to
allow incoming SMTP is this:
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp from \
    any to a.b.c.240 port smtp \
    flags S/SA keep state queue (q_def2, q_pri2) \
    label "Incoming mail on ext_if2"
Using tcpdump to monitor pflog0, I see that state is created when a
connection attempt is made. The connection comes in on ext_if2 as
expected, but the response is aimed at the other interface and gets
dropped since there is no explicit rule to let it pass there.
22:29:11.394001 rule 3/(match) block out on fxp0: a.b.c.240.25 > d.e.f.19.40570: [|tcp] (DF)
It turns out that fxp0 is associated with ext_if1, but I am expecting
the packet to go out ext_if2 as per the reply-to syntax.
I also have the catch-all lines at the end of pf.conf that are supposed
to switch packets to their native interfaces.
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any \
    flags S/SA keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any \
    flags S/SA keep state
I am looking for an understanding of what could be causing this
unexpected routing and, if possible, a suggestion on how to fix it.
George
--
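As an added example (not part of George's post or of pf itself), a small Python checker that reads tcpdump output from pflog0 in the line shape quoted above and flags blocked outbound packets whose source address belongs to a different local interface than the one they left on, which is exactly the symptom described. The interface-to-address map and the log lines are constructed; using fxp1 to stand in for ext_if2 and RFC 5737 addresses in place of a.b.c.240 / d.e.f.19 are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed (assumption): which local addresses pf sees on each WAN interface.
# fxp0 = ext_if1, fxp1 = ext_if2 (where postfix listens on 203.0.113.240).
IFACE_ADDRS = {
    "fxp0": {"192.0.2.10"},
    "fxp1": {"203.0.113.240"},
}

# Line shape as printed by tcpdump on pflog0 in the post:
# "22:29:11.394001 rule 3/(match) block out on fxp0: SRC.SPORT > DST.DPORT: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

@dataclass
class Finding:
    ts: str
    rule: int
    iface: str            # interface the packet actually left on
    src: str
    sport: int
    expected_iface: str   # interface that owns the source address

def owner_iface(addr: str, iface_addrs=IFACE_ADDRS) -> Optional[str]:
    """Return the local interface holding addr, or None if addr is not ours."""
    for iface, addrs in iface_addrs.items():
        if addr in addrs:
            return iface
    return None

def find_misrouted_replies(lines, iface_addrs=IFACE_ADDRS) -> List[Finding]:
    """Flag 'block out' events where the source address lives on another
    interface: a reply that ignored reply-to and followed the default route."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dir"] != "out" or m["action"] != "block":
            continue
        home = owner_iface(m["src"], iface_addrs)
        if home is not None and home != m["iface"]:
            findings.append(Finding(m["ts"], int(m["rule"]), m["iface"],
                                    m["src"], int(m["sport"]), home))
    return findings

# Constructed sample log: line 1 is the misrouted SMTP reply, line 3 is a
# block on fxp0 of fxp0's own address, which is not a routing problem.
SAMPLE_PFLOG = [
    "22:29:11.394001 rule 3/(match) block out on fxp0: 203.0.113.240.25 > 198.51.100.19.40570: [|tcp] (DF)",
    "22:29:12.100000 rule 7/(match) pass in on fxp1: 198.51.100.19.40571 > 203.0.113.240.25: S 1:1(0) win 65535",
    "22:29:13.000000 rule 3/(match) block out on fxp0: 192.0.2.10.443 > 198.51.100.19.50000: [|tcp] (DF)",
]
```

Run it against `tcpdump -n -e -ttt -i pflog0` output captured to a file; every Finding points at a reply whose state did not steer it back out the interface it arrived on.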