On Wed, Aug 16, 2006 at 08:33:10PM -0700, George Pontis wrote:
> #
> # route packets from any IPs on $ext_if1 to $ext_gw1 and the same for ext_if2 to ext_gw2
> #
> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any flags S/SA keep state
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any flags S/SA keep state
>
> There must be something about my understanding of how packets are routed
> that is at the root of the problem. I say that since the packets that are
> dropped are being routed out ext_if1 in contradiction to the route-to
> ext_if2 option.
> How can I express the logic in pf that will ensure that all the traffic for
> a specific LAN host will always route through a specific interface, no
> matter what is in the system routing tables?
Your two rules above only re-route packets with source addresses $ext_if1 and $ext_if2. "A specific LAN host" would only have such a source address if you were using NAT. You have given no indication of whether you are, and what your NAT rules are...

How else would packets from a LAN host have one of the firewall's own IP addresses as source address? Or what did you think "from $ext_if1" meant?

Daniel
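An added example, not from either poster, of how the distinction Daniel draws is expressed in a pf.conf of that era (pre-4.7 syntax with separate nat rules): the LAN host is matched by its own source address on the inbound side of the internal interface, where route-to overrides the routing table, and a per-interface nat rule gives the packet the chosen interface's address. The interface names, gateway addresses and $lan_host are assumptions.

```pf
# Assumed names and addresses (not from the thread): the internal interface,
# the two external interfaces with their upstream gateways, and the one LAN
# host that should always leave via ext_if2.
int_if   = "fxp0"
ext_if1  = "fxp1"
ext_if2  = "fxp2"
ext_gw1  = "192.0.2.1"
ext_gw2  = "198.51.100.1"
lan_host = "10.0.0.50"

# NAT per external interface: a packet leaving via ext_if2 gets ext_if2's
# address, so the reply comes back through the same link. Without NAT the
# host's private address would leave unchanged and nothing upstream could
# answer it.
nat on $ext_if1 from $lan_host to any -> ($ext_if1)
nat on $ext_if2 from $lan_host to any -> ($ext_if2)

# The policy route. The packet still carries the LAN host's real source
# address when it arrives on int_if, so this is where it can be matched.
# route-to then forces it out ext_if2 via ext_gw2 regardless of the default
# route; the nat rule above rewrites the source on the way out.
pass in on $int_if route-to ($ext_if2 $ext_gw2) \
    from $lan_host to any flags S/SA keep state

# Let the re-routed packets leave the external interfaces.
pass out on $ext_if1 keep state
pass out on $ext_if2 keep state

# The two rules from the thread only match packets whose source is one of
# the firewall's own addresses (locally generated traffic and replies to
# connections that arrived on that interface) and keep those on the link
# they belong to. They never see a LAN host's address, which is Daniel's point.
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any flags S/SA keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch the state table with `pfctl -ss` to confirm the host's connections show ext_if2's address as the translated source.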