On 2009-12-06, Alastair Johnson <att...@googlemail.com> wrote:
> rdr pass on $ext_if1   proto tcp from $supplierIP to $CARP_ip_line1 port 443
> -> 10.0.0.50 port 443
> rdr pass on $ext_if2   proto tcp from $supplierIP to $CARP_ip_line2 port 443
> -> 10.0.0.50 port 443

This works like 'pass quick' without reply-to. Remove 'pass' and you'll
get the other rules into play.

> I have tried separating the pass rule and adding a reply-to but that doesn't
> seem to work either:
>
> pass in on $ext_if1 reply-to ($ext_if1 $isp_gw_ip_1) proto tcp from
> $supplierIP to $CARP_ip_line1 port 443 keep state
> pass in on $ext_if2 reply-to ($ext_if2 $isp_gw_ip_2) proto tcp from
> $supplierIP to $CARP_ip_line2 port 443 keep state

These need to use the translated, not external, addresses.

If you still have problems use 'pass in log' and check with tcpdump
on pflog0 that the packets actually match the rules.

route-to/reply-to were broken for a while, I *think* they were ok in
4.6 but not certain. They do definitely work in -current.
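As an added illustration (not from the original thread), the two corrections above combined, in the pre-4.7 rdr/pass syntax the quoted rules use; the macro names and 10.0.0.50 are taken from the quoted rules, the tcpdump invocation is the standard pflog one, and nothing else is assumed:

```pf
# Translate only. Without 'pass' here the filter rules below are consulted.
rdr on $ext_if1 proto tcp from $supplierIP to $CARP_ip_line1 port 443 \
    -> 10.0.0.50 port 443
rdr on $ext_if2 proto tcp from $supplierIP to $CARP_ip_line2 port 443 \
    -> 10.0.0.50 port 443

# The filter sees the packet after translation, so match the internal
# address, not the CARP address. reply-to sends the return traffic back
# out through the ISP gateway the connection arrived on.
# 'log' lets you confirm the match with: tcpdump -n -e -ttt -i pflog0
pass in log on $ext_if1 reply-to ($ext_if1 $isp_gw_ip_1) proto tcp \
    from $supplierIP to 10.0.0.50 port 443 keep state
pass in log on $ext_if2 reply-to ($ext_if2 $isp_gw_ip_2) proto tcp \
    from $supplierIP to 10.0.0.50 port 443 keep state
```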
