[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-misc
Subject:    Re: PF Rules for Dual Upstream Gateways
From:       Stuart Henderson <stu.lists () spacehopper ! org>
Date:       2023-11-23 8:32:39
Message-ID: slrnulu3h7.2u5v.stu.lists () naiad ! spacehopper ! org
[Download RAW message or body]

On 2023-11-22, Ian Timothy <ian@thrivedata.it> wrote:
> Hello,
> 
> I have two ISPs where one connection is primary and the other is low-bandwidth for \
> temporary failover only. ifstated handles the failover by simply changing the \
> default gateway. But under normal conditions I want to be able to connect via \
> either connection at any time without changing the default gateway. 
> A long time ago under the old pf syntax I had this in /etc/pf.conf which worked \
> fine, and as far as I can remember was the only thing needed to enable this desired \
> behavior: 
> pass in on $wan1_if reply-to ( $wan1_if $wan1_gw )
> pass in on $wan2_if reply-to ( $wan2_if $wan2_gw )
> 
> But I've not been able to find the right way to do this under the new pf syntax. \
> From what I've been able to find this is supposedly does the same thing, but no \
> success so far: 
> pass in on $wan1_if reply-to ($wan1_if:peer)
> pass in on $wan2_if reply-to ($wan2_if:peer)

The :peer syntax is for point-to-point interfaces (e.g. pppoe, maybe umb).

> What am I missing? Or this there a better way to do this?

As long as the gateway is at a known address (not a changing address from
DHCP) this should do:

pass in on $wan1_if reply-to $wan1_gw
pass in on $wan2_if reply-to $wan2_gw

You can also have a setup with multiple rtables, but in the simple case,
reply-to is often easier.

-- 
Please keep replies on the mailing list.


[prev in list] [next in list] [prev in thread] [next in thread]