On Sat, Apr 22, 2006 at 05:44:07AM +0000, George Pontis wrote:

> I am having a hard time routing a reply out the correct WAN interface.
> In spite of using a reply-to and creating state, the packet is routed
> to the other interface and then dropped.

The routing to the interface with the default gateway is normal and expected. What should happen, before the packet gets passed out on that interface, is that it matches the previously created state, and the reply-to option (of the matching state entry) should re-route the packet through the desired interface. The initial routing decision is made by the TCP/IP stack outside of pf. pf's re-routing (in this scenario) applies afterwards.

Is your state entry if-bound? In that case, it simply won't match the packet on the default interface, and no re-routing takes place. If so, make the state entry floating (or bind it to both interfaces, for instance by creating an interface group consisting of both interfaces, and bind the state to that interface group).

You can bypass the TCP/IP stack's normal routing by using a reply-to option on the rule on the _internal_ interface. Replies will match that state immediately when they come in on the internal interface, and pf then routes them out the desired external interface without the TCP/IP stack getting to (attempt to) forward them and using the default route.

A problem with that scenario might be that you can't easily decide which connections going out on the internal interface should use reply-to, as when they go out there, the information about which external interface they initially came in on is already lost. You can use 'tag' on the rule passing in on the non-default external gateway and match with 'tagged' on the internal interface rules. But even in this scenario, you probably need a state entry on the external interface that's not if-bound.

> I also have the catch-all lines at the end of pf.conf that are supposed
> to switch packets to their native interfaces.
>
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
> flags S/SA keep state
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> flags S/SA keep state

The first packet trying to pass out is not a SYN packet, but a SYN+ACK reply, so it doesn't match the 'flags S/SA' part of those rules, and the rules don't match. Removing the 'flags S/SA' part won't solve the problem, either, as then you'd be creating a second state entry, which is not based on the initial SYN, but the first reply. Which can break connections due to pf missing the TCP window scaling negotiation in the handshake.

Daniel
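The two arrangements described in the reply above (a floating state with reply-to on the non-default external interface, and the tag/tagged variant with reply-to on the internal interface) written out as a pf.conf fragment. This is an added example, not part of the original thread; the interface names, gateway and server addresses, the port and the tag name are assumed values.

```pf
# Added example, not from the original mail. Interface names, addresses,
# port and tag name are assumed values.
ext_if1 = "fxp0"          # WAN carrying the default route
ext_if2 = "fxp1"          # second WAN, no default route
ext_gw2 = "203.0.113.1"   # next hop on the second WAN
int_if  = "fxp2"
server  = "192.168.1.10"  # internal host reachable through both WANs

# Keep states floating (the default). An if-bound state created on
# $ext_if2 would never match the reply that the stack routes to
# $ext_if1, so its reply-to would never be applied.
set state-policy floating

rdr on $ext_if1 proto tcp from any to ($ext_if1) port 80 -> $server
rdr on $ext_if2 proto tcp from any to ($ext_if2) port 80 -> $server

# Generic rule for traffic leaving on the internal side. It comes first
# so that the more specific tagged rule below wins (last match wins).
pass out on $int_if keep state

# Connections arriving on the default WAN need no reply-to: the default
# route already sends their replies out $ext_if1.
pass in on $ext_if1 proto tcp from any to $server port 80 \
    flags S/SA keep state

# Variant 1: reply-to on the external rule. The stack first routes the
# reply towards $ext_if1; it matches this floating state there and pf
# re-routes it to $ext_gw2 via $ext_if2. The tag marks the connection
# so the internal-side rule (variant 2) can recognise it.
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to $server port 80 flags S/SA keep state tag FROM_WAN2

# Variant 2: reply-to on the internal rule. The reply matches this state
# as soon as it enters on $int_if and is handed to $ext_gw2 before the
# stack's forwarding path (and thus the default route) runs. 'tagged'
# limits it to connections that originally entered via $ext_if2.
pass out on $int_if reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to $server port 80 tagged FROM_WAN2 flags S/SA keep state
```

Either variant alone is enough; both are shown so the difference in where the re-routing happens is visible.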
