On 2008-06-25, openbsd misc <[EMAIL PROTECTED]> wrote:
> I hope I can avoid try'n error this way ;-) I have two firewall systems
> with carp enabled (running obsd 4.3). These gateways have two internet
> connections (dsl 6000 and symmetric 4000 provided by a router with an
> /29 transport net).
> The symmetric line should be used for vpn and for mail and http(s) if
> the dsl line is not available.
> I tried to google about this topic, but I didn't find much helpful.
> Someone mentioned http://marc.info/?l=openbsd-misc&m=120665186412690&w=2
> yesterday. Looks like a good starting point because the pf.conf manpage
> doesn't say much about route-to and reply-to syntax.

Try http://www.openbsd.org/faq/pf/pools.html#outgoing for an
introduction, the syntax of route-to and reply-to is given in the
BNF section at the bottom of pf.conf(5) - everyone writing PF
configuration files should learn how to read this section.
Everyone copying-and-pasting PF configs from samples really
should too...

You should also get acquainted with running tcpdump on different
interfaces, including pflog0 (with the relevant "log" in PF rules), 
it's very useful when you need to debug PF and in particular any
complicated NAT/route-to configuration.

> Does someone have a link for me how to set the correct routes and
> pf-rules? The symmetric line should be set as default route with a
> higher metric but the source ip should be the carp ip if used.

You set the source address of outgoing packets with NAT rules.
You direct packets out the relevant interface with route-to.
And you direct return packets for an *incoming* connection
with reply-to.

Forget metrics/route priority for now, that won't help you direct
packets out of one or other connection based on port number, you
need PF rules to classify traffic if you want that.

> I think
> my biggest problem is carp, because I don't know how to set up pf
> correctly with carp in use. As you know pf uses the physical interface,
> not the virtual interface, so I think I have to define the source ip,
> too?

Where you have to define an interface, use the physical interface
(vlan/trunk count as physical interface for this purpose).

Where you have to specify an address, use whichever is correct for
what you're trying to do, carp/physical/both.
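
Putting the three mechanisms above together (NAT for the source address, route-to for the outgoing interface, reply-to for return packets of incoming connections), here is an added pf.conf sketch in OpenBSD 4.3 syntax; it is not from this thread, every interface name and address in it is an assumption (documentation ranges), and the carp/pfsync interface setup itself is left to the hostname.if files.

```pf
# Added example, not from the thread: 4.3-era pf.conf (nat rules, keep state)
# for a CARP firewall pair with a DSL default route and a symmetric 2nd uplink.
# All interface names and addresses below are assumptions.
ext_dsl   = "em0"             # DSL uplink; the default route points out here
ext_sym   = "em1"             # symmetric uplink on the /29 transport net
int_if    = "em2"             # LAN side
sym_gw    = "192.0.2.1"       # provider router on the /29 transport net
sym_carp  = "192.0.2.2"       # CARP address shared by both firewalls on em1
dsl_carp  = "198.51.100.2"    # CARP address shared by both firewalls on em0
lan_net   = "10.0.0.0/24"
sym_ports = "{ 25, 443 }"     # mail and https leave via the symmetric line

set skip on lo

# Source NAT: rewrite to the CARP address of the interface the packet leaves
# on, never the physical address, so states still match after a failover.
nat on $ext_dsl from $lan_net to any -> $dsl_carp
nat on $ext_sym from $lan_net to any -> $sym_carp

block log all

# CARP advertisements between the two firewalls (pfsync rules not shown)
pass quick on { $ext_dsl $ext_sym $int_if } proto carp keep state

# Classify LAN traffic as it enters on the physical inside interface.
# route-to overrides the routing table for matching packets only; anything
# not matched by a route-to rule follows the default route out the DSL line.
pass in on $int_if route-to ($ext_sym $sym_gw) proto tcp \
    from $lan_net to any port $sym_ports keep state
pass in on $int_if route-to ($ext_sym $sym_gw) proto { esp, ah } \
    from $lan_net to any keep state
pass in on $int_if route-to ($ext_sym $sym_gw) proto udp \
    from $lan_net to any port { 500, 4500 } keep state
pass in on $int_if from $lan_net to any keep state

# Services reachable on the symmetric line's CARP address: reply-to sends
# the return packets back out $ext_sym instead of via the default route.
# "log" makes these connections visible on pflog0 for debugging.
pass in log on $ext_sym reply-to ($ext_sym $sym_gw) proto tcp \
    from any to $sym_carp port $sym_ports keep state

# Let the classified traffic actually leave on either uplink
pass out on { $ext_dsl $ext_sym } keep state
```

route-to does not check whether the chosen uplink is alive, so moving mail/https over to the other line when DSL is down needs an external check (for instance ifstated(8) loading a different rule set), not a route metric.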
