> On 17 July 2015, at 22:35, Giancarlo Razzolini <grazzol...@gmail.com> 
> wrote:
> 
> On 17-07-2015 14:17, lausg...@gmail.com wrote:
>> Ok, so isc-dhclient + dhclient-script with this 
>> modification http://www.rinta-aho.org/docs/openbsd-pf/dhclient-script.patch 
>> supplied to it + route-to rules used like 
>> in http://www.rinta-aho.org/docs/openbsd-pf/pf.conf do work.
> 
> Nice to hear that. This script can sure be improved.
> 
>> However the round-robin http://www.openbsd.org/faq/pf/pools.html#outgoing 
>> construction doesn't work for this case.
>> Rule like
>> "pass in on lan inet from lan:network to !lan:0 route-to { (cnmac1 
>> <gw_cnmac1>), (cnmac2 <gw_cnmac2>) } round-robin"
>> fails with
>> "multiple tables or dynamic interfaces not supported for translation or 
>> routing"
>> and I don't know another way of dynamically passing gateways from dhclient to 
>> pf for this rule without using multiple tables.
> As I mentioned, I would use least-states, instead of round-robin. Also, I had 
> a similar issue and solved it using (egress). Since your interfaces will have 
> default routes, they will be all part of the egress group. You can exploit 
> that. Use tags and tcpdump to debug your rules, I believe you can find a 
> solution.
> 
> Cheers,
> Giancarlo Razzolini

Thanks much for all your good help! I will try it.
For now I'm still just using probabilistic rules with the quick keyword + a fallback 
rule, but using mpath instead of rdomain, and this works smoothly now!
If I ever need to set up a multi-ISP setup, I'll use anchors and "make ifstated 
check for the gateways availability, and update the rules accordingly" like you 
suggested.
