Config: Firewall using OpenBSD 3.8, 2 WAN, 1 LAN

I am experiencing a problem with my configuration of pf as regards the choice of WAN ports to route an outgoing packet. Can someone help, please?

The scenario comes up when ext_if1 is the default gateway in the routing tables, but I am trying to use a rule to force a packet from a machine on the LAN to route through ext_if2. In some cases, the packet gets routed to ext_if1 and then dropped. I can't figure out why, and this seems like a very easy case to get right. I have this rule:

    pass in quick on $int_if \
        route-to ($ext_if2 $ext_gw2) \
        inet proto tcp from 192.168.1.120 to any flags S/SA \
        keep state (floating) \
        label "xxx"

If I go to 192.168.1.120 and try to connect to an offsite computer, some packets (not all) are dropped and show up on pflog0 as so:

    /etc >> tcpdump -e -i pflog0
    tcpdump: WARNING: pflog0: no IPv4 address assigned
    tcpdump: listening on pflog0, link-type PFLOG
    19:13:50.464705 rule 3/(match) block out on fxp0: <src>.63198 > <dest>.45870: [|tcp] (DF)
    19:13:53.457378 rule 3/(match) block out on fxp0: <src>.53544 > <dest>.45870: [|tcp] (DF)
    19:13:53.486403 rule 3/(match) block out on fxp0: <src>.54951 > <dest>.45870: [|tcp] (DF)
    19:13:59.457679 rule 3/(match) block out on fxp0: <src>.57831 > <dest>.45870: [|tcp] (DF)
    19:13:59.611530 rule 3/(match) block out on fxp0: <src>.56602 > <dest>.45870: [|tcp] (DF)

where rule 3 is "block drop out log on fxp0 all" (fxp0 == ext_if1). If I look at the stats for that rule before and after attempting to connect, I see that the connection has resulted in matching packets and bytes but state = 0. How it can match without creating state, I don't know!

Any helpful pointers would be much appreciated.

George
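For comparison, here is a complete two-WAN policy-routing rule set in OpenBSD 3.8 pf.conf syntax, laid out the way the OpenBSD PF FAQ of that era does it (route-to on the internal interface, explicit pass out rules on each external interface, and route-to rules that keep traffic sourced from a WAN address on its own WAN). This is an added example, not George's configuration; the interface names, gateway addresses and LAN network are assumed, and only the host 192.168.1.120 comes from the post.

```conf
# Added example (not the poster's pf.conf). Interface names, gateways
# and the LAN prefix are assumed; addresses use documentation ranges.
int_if  = "sis0"          # assumed LAN interface
ext_if1 = "fxp0"          # WAN holding the default route (as in the post)
ext_if2 = "fxp1"          # assumed second WAN interface
ext_gw1 = "203.0.113.1"   # assumed next hop on ext_if1
ext_gw2 = "198.51.100.1"  # assumed next hop on ext_if2
lan_net = "192.168.1.0/24"
policy_host = "192.168.1.120"

# OpenBSD 3.8 still uses separate nat rules: translate LAN traffic to the
# address of whichever WAN interface the packet actually leaves through.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Default deny, logged, so misrouted packets show up on pflog0.
block log all

pass quick on lo0 all
pass in quick on $int_if from $lan_net to $int_if keep state

# Policy routing: new TCP connections from this host are handed to ext_gw2
# on ext_if2 regardless of the kernel routing table. State is created on
# $int_if; with the default floating state policy it also matches on the
# outgoing interface.
pass in quick on $int_if route-to ($ext_if2 $ext_gw2) \
    inet proto tcp from $policy_host to any flags S/SA keep state

# Everything else from the LAN follows the routing table (ext_if1).
pass in quick on $int_if inet from $lan_net to any keep state

# route-to only selects the exit interface; the packet is still filtered
# on that interface, so each WAN needs its own pass out rule.
pass out on $ext_if1 from any to any keep state
pass out on $ext_if2 from any to any keep state

# Traffic sourced from a WAN address must leave through that WAN even when
# the default route points elsewhere.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -vsr` prints the per-rule evaluation, packet, byte and state counters that the post refers to.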