I've set up an OpenBSD 4.2 firewall with two ISP connections. ISP1 has static addressing and is the firewall's default gateway. ISP2 is DHCP-configured, and I've modified dhclient-script to put the ISP2 gateway only into a second routing table using "route -T 1 add". All of this works fine, and using pf's rtable option I can route specific internal NAT hosts over ISP2 while the rest use ISP1.

However, connections that originate from the firewall using the ISP2 interface address (such as ftp-proxy -a, or ping -I, or traceroute -s) always try to use the default gateway in the main routing table.

I've tried many versions of route-to and rtable in pf, with no luck.

So the question is: Is it possible to use pf to force the outbound gateway for a connection that originates from the firewall itself? Everything I read seems to indicate that rtable and maybe even route-to is intended for inbound packets only.

A few of the things I've tried:

pass out on $ISP1_IF route-to ($ISP2_IF $ISP2_GW) \
        from ($ISP2_IF) to any keep state

pass out on $ISP1_IF route-to ($ISP2_IF $ISP2_GW) \
        from ($ISP2_IF) to any no state

pass out on $ISP1_IF from ($ISP2_IF) to any keep state rtable 1

No matter what, I can't even ping or traceroute from the firewall when I specify the ISP2 address as the source address. Yet my NAT'ed internal hosts work just fine over ISP2 with the rules:

nat on $ISP2_IF from <cbl_hosts> to any -> ($ISP2_IF)
pass in log quick on $int_if \
        from <cbl_hosts> to ! $int_net modulate state rtable 1
pass out quick on $ISP2_IF from ($ISP2_IF) to any modulate state

But in this case, the rtable (and route-to, which I'm also using for some things) are applied on the inbound side, and that is working as expected.

Am I attempting the impossible?

Bryan