Hello,

In a multi-homed setup I am trying to route out packets over the secondary interface, on which NAT is also done. The environment consists of an OpenBSD 4.9 firewall with 3 em interfaces, connected to 2 DSL providers:

em0: internal interface
em1: first DSL
em2: second DSL

I did some testing with the ruleset below, where I have specified a nat-to and route-to statement in a single rule:

########### rules ###########
pass in log on em0 from 192.168.1.118 nat-to (em2:0) route-to (em2 80.100.x.x)
pass out log on em2

########### states ###########
all icmp 74.125.77.104:8 <- 80.100.x.x:54000 (192.168.1.118:9035)       0:0
all icmp 80.100.x.x:54000 -> 74.125.77.104:8       0:0

This setup somewhat works. When pinging an upstream host, the packets get sent out over the secondary interface, but the first packet is always dropped! According to the pf.conf man page this rule specification is possible. My question is: is this kind of rule specification allowed and intended to be working in PF?

When splitting the nat-to / route-to statement in the ruleset, everything works fine:

########### rules ###########
pass in log on em0 from 192.168.1.118 route-to (em2 80.100.x.x)
pass out log on em2 from 192.168.1.118 nat-to (em2:0)

########### states ###########
all icmp 74.125.77.104:8 <- 192.168.1.118:8779       0:0
all icmp 80.100.x.x:9676 (192.168.1.118:8779) -> 74.125.77.104:8       0:0

Regards
Rob
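As an added example that is not part of the post above, here is a complete pf.conf for the topology Rob describes (em0 LAN, em1 first DSL carrying the default route, em2 second DSL), written in the split nat-to / route-to form he reports as working. The macro names, the LAN prefix and the second provider's gateway address are assumptions for illustration; only the interface names and the host 192.168.1.118 come from the post.

```conf
# Added example pf.conf (not from the post). Assumed layout:
#   em0 = LAN, em1 = first DSL (default route), em2 = second DSL
# gw_dsl2 is a constructed placeholder; use the real next hop of the
# second provider.
int_if   = "em0"
dsl1_if  = "em1"
dsl2_if  = "em2"
lan_net  = "192.168.1.0/24"
via_dsl2 = "{ 192.168.1.118 }"     # hosts that should leave via the second DSL
gw_dsl2  = "80.100.0.1"            # placeholder gateway of the second DSL

set skip on lo

# Default deny; everything below is an explicit exception.
block log all

# Hosts not listed in via_dsl2 follow the kernel routing table (default
# route on dsl1) and are translated to that interface's address.
pass in on $int_if from $lan_net
pass out on $dsl1_if from $lan_net nat-to ($dsl1_if:0)

# Policy routing for the selected hosts. route-to picks the outgoing
# interface and next hop on the way in; the translation is done by a
# separate rule on the outgoing interface, which is the form the post
# reports as working without losing the first packet.
pass in log on $int_if from $via_dsl2 route-to ($dsl2_if $gw_dsl2)
pass out log on $dsl2_if from $via_dsl2 nat-to ($dsl2_if:0)

# The firewall's own traffic may leave through either uplink.
pass out on { $dsl1_if $dsl2_if } from self
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then watch `pfctl -ss` while pinging from the selected host: the expected states are the two shown in the second state listing above, with the translated address appearing on the em2 side only.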