--- Quoting Gilles Chehade on 2007/04/18 at 22:23 +0200:
> Hi misc@,
>
> I am trying to set up a set of "carp"-ed firewalls as follows:
>
>
>
>          ISP 1            ISP 2
>            |                |
>             \              /
>          _____ SWITCH # 1 _____
>         /     |          |     \
>        /      |          |      \
>     bge0    bge1       bge0    bge1
>       |     /            |     /
>      FW #1              FW #2
>       |  \               |  \
>     em0   em1          em0   em1
>       \     \________|____     \
>        \             |    \  SWITCH #3
>         \            |
>          \____ SWITCH #2
>
>
> Each ISP has a modem plugged to SWITCH #1.
> FW#1 and FW#2 have bge0 set up for ISP 1 and bge1 set up for ISP 2 (one carp
> per ISP).
> FW#1 and FW#2 have em0 set up for switch #2 and em1 set up for switch #3 (one
> carp per switch).
> pfsync between FW#1 and FW#2 uses an inet alias on em0 (until IPSec is set up).
> FW#1 has sysctl net.inet.carp.preempt set to 1, everything was working as
> expected and I was having a ball plugging, unplugging, rebooting and
> `ifconfig`-ing interfaces ;-)
>
> Then ... I had to configure the firewall to have all hosts connected to
> SWITCH #2 use ISP 1, and all hosts connected to SWITCH #3 use ISP 2.
> At first, I read `man route` and after figuring out that it was not possible
> to set up a default gateway for each source subnet, I decided to try pf's
> "route-to".
> I was told that I should avoid using pf to "fix" routing issues.
>
> What do you suggest?
Have you looked at the multiple routing table features in 4.1? Look at route(8) and pf.conf(5). Search for the -T option and the 'rtable' keyword, respectively.

.joel
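A worked illustration of what Joel points at, added here and not part of either post: a pf.conf(5) fragment for Gilles's topology that uses the rtable keyword, with the route(8) -T command shown as a comment. The interface names come from the diagram; every address, the table number 1 and the surrounding rule set are constructed assumptions.

```conf
# Typed once at the shell on BOTH firewalls (route(8), OpenBSD 4.1):
#   route -T 1 add default 203.0.113.1   # table 1: default route via ISP 2
#   route -T 1 -n show                   # check: the em0/em1 networks must
#                                        #        be present in table 1 too,
#                                        #        or replies to SWITCH #3 hosts
#                                        #        cannot be forwarded back
# Table 0 keeps the existing default route via ISP 1 (198.51.100.1).
# All addresses below are constructed placeholders (assumption).

ext1_if  = "bge0"              # ISP 1 side, carp'ed
ext2_if  = "bge1"              # ISP 2 side, carp'ed
lan2_if  = "em0"               # SWITCH #2: must use ISP 1
lan3_if  = "em1"               # SWITCH #3: must use ISP 2
lan2_net = "192.168.2.0/24"
lan3_net = "192.168.3.0/24"
carp1    = "198.51.100.10"     # carp address shared on the ISP 1 side
carp2    = "203.0.113.10"      # carp address shared on the ISP 2 side

set skip on lo0

# NAT each internal network behind the carp address of the ISP it must use;
# the nat rule on bge1 only matches because table 1 sends the packet out bge1
nat on $ext1_if from $lan2_net to any -> $carp1
nat on $ext2_if from $lan3_net to any -> $carp2

# let carp and pfsync through before the default deny
pass quick on $lan2_if proto pfsync
pass quick on { $ext1_if $ext2_if $lan2_if $lan3_if } proto carp

block all

# SWITCH #2 hosts: no rtable keyword, so the lookup uses table 0 -> ISP 1
pass in on $lan2_if from $lan2_net to any keep state

# SWITCH #3 hosts: rtable 1 makes the forwarding lookup use table 1 -> ISP 2;
# the table is remembered in the state, so replies follow the same path
pass in on $lan3_if from $lan3_net to any rtable 1 keep state

pass out on { $ext1_if $ext2_if } keep state
```

Load it with pfctl -f on both firewalls; since the path now depends on table 1 existing, a failover to a box where table 1 was never created silently sends SWITCH #3 traffic out ISP 1, so verify route -T 1 -n show on both before trusting the carp setup.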