Normally, standard pc conf, I would suggest to browse Peter or my blog suggestion:

20230929 15:16 ( https://bsdload.com/bsd/?blogSP=30 ) My solution taken from "Building Linux and OpenBSD Firewalls" (see Internet Archive) to solve the no-traffic problem caused by inserting the default "block in all" statement. I moved the following statements just after it:

    # dns
    pass in quick proto udp from any port domain to any
    pass out quick proto udp from any to any port domain
    # icmp
    pass in quick inet proto icmp all icmp-type 0
    pass in quick inet proto icmp all icmp-type 3
    pass in quick inet proto icmp all icmp-type 11

But indeed, as you are dealing with routing traffic among interfaces, you should eventually go experimenting, including these dns and icmp rules of my tip. Hope you find this somewhat helpful!

--
Nowarez Market

Dec 16, 2023 18:41:05 Marko Cupać <marko.cu...@mimar.rs>:

> My test ruleset:
>
> ---start---
> block log all
>
> pass in on em0 from (em0:network) to <private>
> pass in on em0 from (em0:network) to <public> probability 50% rtable 1
> pass in on em0 from (em0:network) to <public> probability 50% rtable 2
>
> pass out on em0
> pass out on em1
> pass out on em2
> ---end---
>
> ... somewhat works, in a way that sessions from lan host to <public> do
> get load balanced to both rtables most of the time. However, some of
> the sessions to <public> (I tested with ssh) get denied by default
> block rule initially:
>
> block in on em0: PR.IV.AT.E.35528 > PU.BL.I.C.22: tcp 0 (DF) [tos 0x48]
>
> and then, on consequent automatic ssh retry after a few seconds, get
> moved to one of two rtables.
>
> From above I conclude that the two rules of 50% do not make a total of
> 100% in pf's logic, and there are situations where a packet won't be
> passed by any of the two. That unfortunately won't work for my use case.
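To make Marko's observation concrete, here is a toy model of pf's rule evaluation, added as an illustration and not part of either message: rules are checked top to bottom, the last matching rule wins unless marked quick, and each `probability` rule tosses its own coin independently. Run over his test ruleset it shows the roughly 25% of <public> sessions that fall through to `block log all` (and that the second rtable rule wins more often than the first); the FIXED_RULESET ordering, where the first rtable rule carries no probability, is an assumption of this example, not something proposed in the thread.

```python
import random

# Toy model of pf's rule evaluation (added example, not pf itself):
# rules are checked top to bottom, the LAST matching rule wins unless
# it is marked "quick", and a rule carrying "probability p" only
# counts as a match with probability p, decided independently per rule.
def evaluate(rules, dst, rng):
    """Return the winning rule's (action, rtable) for a packet to dst."""
    winner = ("block", None)          # pf's implicit default
    for r in rules:
        if r["dst"] != "any" and r["dst"] != dst:
            continue
        prob = r.get("probability", 1.0)
        if prob < 1.0 and rng.random() >= prob:   # coin toss failed: no match
            continue
        winner = (r["action"], r.get("rtable"))
        if r.get("quick"):
            break
    return winner

def distribution(rules, dst, trials=10000, seed=1):
    """Fraction of packets ending in each (action, rtable) outcome."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        out = evaluate(rules, dst, rng)
        counts[out] = counts.get(out, 0) + 1
    return {k: v / trials for k, v in counts.items()}

# Marko's test ruleset, reduced to the rules that matter for <public>.
TEST_RULESET = [
    {"action": "block", "dst": "any"},
    {"action": "pass", "dst": "private"},
    {"action": "pass", "dst": "public", "probability": 0.5, "rtable": 1},
    {"action": "pass", "dst": "public", "probability": 0.5, "rtable": 2},
]

# Assumed alternative (not from the thread): the first rtable rule is
# unconditional, and the 50% rule after it overrides it for half the
# sessions because the last matching rule wins. Nothing falls through.
FIXED_RULESET = [
    {"action": "block", "dst": "any"},
    {"action": "pass", "dst": "private"},
    {"action": "pass", "dst": "public", "rtable": 1},
    {"action": "pass", "dst": "public", "probability": 0.5, "rtable": 2},
]

if __name__ == "__main__":
    print(distribution(TEST_RULESET, "public"))   # ~25% block, ~25% rtable 1, ~50% rtable 2
    print(distribution(FIXED_RULESET, "public"))  # no block, ~50% rtable 1, ~50% rtable 2
```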