On Sat, 16 Dec 2023 10:25:07 -0000 (UTC) Stuart Henderson <stu.li...@spacehopper.org> wrote:
> See "probability" in pf.conf(5).

Thank you for the tip. My test ruleset:

---start---
block log all
pass in on em0 from (em0:network) to <private>
pass in on em0 from (em0:network) to <public> probability 50% rtable 1
pass in on em0 from (em0:network) to <public> probability 50% rtable 2
pass out on em0
pass out on em1
pass out on em2
---end---

... somewhat works, in that sessions from a LAN host to <public> do get load-balanced to both rtables most of the time.

However, some of the sessions to <public> (I tested with ssh) get denied by the default block rule initially:

block in on em0: PR.IV.AT.E.35528 > PU.BL.I.C.22: tcp 0 (DF) [tos 0x48]

and then, on the subsequent automatic ssh retry a few seconds later, get moved to one of the two rtables.

From the above I conclude that the two rules of 50% do not make a total of 100% in pf's logic, and there are situations where a packet won't be passed by either of the two. That unfortunately won't work for my use case.

Or perhaps I'm configuring something wrong?

Best regards,
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
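The following is an added example, not part of the thread above and not pf's own code. It models just two pf semantics that explain the observation in the mail: without `quick`, the last matching rule decides a packet's fate, and each rule's `probability` is an independent per-rule check that either lets the rule match or skips it. It assumes the packet under test (LAN host to <public>) matches the address part of every rule listed, so only the probability checks decide the outcome, and it enumerates the outcomes exactly rather than sampling.

```python
"""Exact outcome distribution for a pf ruleset that uses `probability`.

Added example, not from the mailing-list thread and not pf source code.
Modelled semantics (pf without `quick`): the LAST matching rule wins, and
each rule's `probability` is an independent check that either lets the
rule match or skips it. Assumption: the packet under test matches the
address/interface part of every rule, so only the probability checks
decide which rule is the last match.
"""
from fractions import Fraction
from itertools import product


def outcome_distribution(rules):
    """rules: ordered list of (label, probability) as written in pf.conf.

    Returns {label: exact probability that this rule is the last match}.
    The first rule here is `block all` with probability 1, so some rule
    always matches and the distribution sums to 1.
    """
    probs = [Fraction(p) for _, p in rules]
    dist = {}
    # Enumerate every fire/skip combination of the rules' probability checks.
    for fired in product((True, False), repeat=len(rules)):
        weight = Fraction(1)
        winner = None
        for (label, _), p, f in zip(rules, probs, fired):
            weight *= p if f else (1 - p)
            if f:
                winner = label  # a later matching rule overrides earlier ones
        if weight:  # skip impossible combinations (probability-1 rule not firing)
            dist[winner] = dist.get(winner, Fraction(0)) + weight
    return dist


# The ruleset from the mail: `block all`, then two independent 50% pass rules.
ORIGINAL = [
    ("block", 1),
    ("rtable 1", Fraction(1, 2)),
    ("rtable 2", Fraction(1, 2)),
]

# Hypothetical reordering (my suggestion, not tested against a live pf):
# an unconditional pass to rtable 1 followed by a 50% override to rtable 2,
# so every packet that matches the address part lands in one of the tables.
REORDERED = [
    ("block", 1),
    ("rtable 1", 1),
    ("rtable 2", Fraction(1, 2)),
]

if __name__ == "__main__":
    for name, ruleset in (("original", ORIGINAL), ("reordered", REORDERED)):
        dist = outcome_distribution(ruleset)
        print(name, {label: str(p) for label, p in dist.items()})
```

Under this model the original ruleset sends 1/2 of matching sessions to rtable 2, only 1/4 to rtable 1, and lets 1/4 fall through to `block log all`, which matches the intermittent block seen in the log. The reordered set, in pf.conf terms `pass in on em0 from (em0:network) to <public> rtable 1` followed by `pass in on em0 from (em0:network) to <public> probability 50% rtable 2`, gives an exact 50/50 split with nothing falling through; adding `quick` to either rule would change the evaluation order and invalidate this model.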