I am trying to serve out OpenVPN (port 1194) through multiple external interfaces. It works fine for the external interface $ext_if1, which has the default route. When I try to serve it out on $ext_if2 using 'reply-to', tcpdump shows the packets arriving on $ext_if2, but the replies are still going out on $ext_if1.

OpenVPN is listening on all interfaces:

    $ netstat -p udp -a -n | grep 1194
    udp        0      0  *.1194                 *.*

The filter looks correct (with obfuscated IPs - but those are correct):

    $ sudo pfctl -sr | grep 1194
    pass in on em0 inet proto udp from any to 11.22.33.44 port = 1194 keep state
    pass in on em5 reply-to (em5 44.33.22.254) inet proto udp from any to \
        44.33.22.11 port = 1194 keep state

For good measure, I also created a route-to rule for $ext_if2 (which should never be used, since all this interface will do is serve port 1194):

    pass out on em0 route-to (em5 44.33.22.254) inet from 44.33.22.11 \
        to any flags S/SA keep state

The state-policy is set as floating.

When I load the rules, I use pfctl -f /etc/pf.conf, so I didn't flush my state tables, and states persist that are bound for port 1194 on $ext_if1. Is this my problem?

Any ideas as to why my reply-to filter rule isn't working?

-- 
Nick Golder
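For reference, the shape of a multi-uplink pf ruleset for this kind of setup, written as an added example and not taken from the original mail. The interface names, the two public addresses and the em5 gateway are the ones quoted in the post; the macro names and the use of an if-bound state policy are my own choices. The point it shows is that a reply-to rule only affects states created by that rule, so states that already existed before the rule was loaded, or that were created floating, are not changed by it.

```pf
# Added example (not from the original post): multi-homed OpenVPN with pf reply-to.
# em0 carries the default route; em5 is the second uplink, reachable through 44.33.22.254.
ext_if1 = "em0"
ext_if2 = "em5"
ext_gw2 = "44.33.22.254"

# Bind each state to the interface it was created on, so a reply matched by a
# state created on em5 cannot be sent out through em0's default route.
set state-policy if-bound

# Traffic arriving on em5 gets a state whose replies are routed via em5's gateway.
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto udp \
    from any to 44.33.22.11 port 1194 keep state

# The default-route interface needs no reply-to; ordinary routing already
# sends the replies back out em0.
pass in on $ext_if1 inet proto udp from any to 11.22.33.44 port 1194 keep state

# Outbound rules for the replies; the inbound states above already match them,
# so these only matter for traffic the box itself originates.
pass out on $ext_if1 keep state
pass out on $ext_if2 keep state
```

Loading this with `pfctl -f /etc/pf.conf` replaces the rules but keeps existing states; states that were created before the reply-to rule existed keep their old routing until they expire or are flushed with `pfctl -F states` (which drops every state, established connections included). After that, `pfctl -ss | grep 1194` lists each 1194 state with the interface it is bound to in the first column (`all` for a floating state), which is a quick way to confirm whether a given state was created on em5 by the reply-to rule or on em0 by the older rule.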
