Hi, on a CARP setup with two external links (main & backup), I struggled a bit to accept traffic on the backup interface. After fiddling a bit in pf.conf and looking at the FAQ (https://www.openbsd.org/faq/upgrade69.html) & manpage (https://man.openbsd.org/pf.conf#reply-to), it wasn't super obvious to me that reply-to took *the IP of the nexthop on the backup link*.

In the FAQ for 6.9 there's an example with (iface:peer), but to my understanding that only works for peer-to-peer interfaces (ppp? pppoe?). In my case that's a regular /29 with a remote, an IP for each CARP host on em1 and a CARP IP on carp1. Since the manpage talks about _interface_ and says 'route all outgoing packets of a connection through the interface the incoming connection arrived through', that's a bit confusing, and after unsuccessfully trying reply-to em1 (the carpdev) and reply-to carp1, I ended up with reply-to wanbackup_ip (e.g. none of my IPs), which works.

Did I screw up something somewhere in my config and is there a better way for that? Should the manpage be improved for reply-to and talk about 'destination address' instead of 'interface', like route-to does?

Landry
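As an added example (not Landry's config), a pf.conf fragment for the setup described above, with the reply-to target being the remote router's address on the backup /29 rather than any of the firewall's own interfaces; the interface names, macro names and the 198.51.100.1 next hop are assumptions.

```conf
# Added example, not the poster's pf.conf. Assumed layout:
#   em0/carp0 = main link (default route), em1/carp1 = backup link,
#   em1 is the carpdev on the backup /29, carp1 carries the shared IP,
#   198.51.100.1 is the remote router on that /29 (the next hop).
wan_if   = "em0"
wan_carp = "carp0"
bak_if   = "em1"
bak_carp = "carp1"
bak_gw   = "198.51.100.1"   # assumed next-hop address on the backup /29

set skip on lo

# Connections arriving on the backup link: replies must leave via the
# backup link's next hop instead of following the default route on em0.
# reply-to wants that next-hop ADDRESS (the remote end of the /29), not
# the carpdev em1 and not carp1, which are the firewall's own addresses.
pass in on $bak_if inet proto tcp from any to ($bak_carp) port { 22 443 } \
    reply-to $bak_gw

# Main link: replies follow the default route, nothing special needed.
pass in on $wan_if inet proto tcp from any to ($wan_carp) port { 22 443 }

pass out on { $wan_if $bak_if }
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; the `to ($bak_carp)` form tracks carp1's address dynamically, so the rule stays correct if the CARP address changes.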