On 2008-06-26, openbsd misc <[EMAIL PROTECTED]> wrote:
> - how must I read the route-to / reply-to syntax?
> for example:
> pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any

Outbound packet -> normal routing table lookup based on the
*destination* address -> if the routing table says it should use
$ext_if1, this rule will examine the *source* address, if the
address is that of $ext_if2 it will not actually leave on
$ext_if1 but will instead leave on $ext_if2 with the nexthop
set to $ext_gw2.

> pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Same as above with different addresses/interfaces.

You also need NAT rules, such that traffic to certain ports
is rewritten with the source address of one or other connection.

This is where you do the classification, and this is what you
need to change when one of the connections is down.

> - the other line should be used if one is down (how to do that with pf?)

You need more than just PF for that; you could use ifstated to
monitor the connections and use pfctl(8) to load the correct rules.

One option is to maintain two complete pf.conf files and switch between
them, but it's inevitable that at some point they will get out of sync.

It's better to use an anchor - search for the word "anchor" in
pf.conf(5) and pfctl(8) to read about them. That way, you can use
a single main ruleset, and use a separate file holding the NAT
rules; using pfctl -a somename -f <somefile> you can switch
between one and another file depending on which link is up.
