Still having issues with dual WAN with failover. I was able to implement Equal Cost Multipath Routing, but I am not sure how to implement it in conjunction with ifstated. As far as I can tell, the ifstated sample configuration is meant for use with CARP. I followed the example in OpenBSD's FAQ 6.14.
Below is my pitiful pf.conf
Code:
############
## MACROS ##
############
# Interfaces
int_if = "vr0" #Internal Interface
ext_if1 = "vr1" #External Interface T1
ext_if2 = "axe0" #External Interface WiMAX
ext_gw1 = "x.x.x.x"
ext_gw2 = "y.y.y.y"
vpn_if = "tun0" #VPN Tunnel to FSJ
vlan100 = "vlan100" #VLAN Interface 10.0.2.0/24
# Misc
localnet = "10.0.0.0/24"
vlan100net = "10.0.2.0/24"
SH_Ext = "z.z.z.z"
nonroute = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
snglextports = "{ 10000, 443, 1194, 22 }"
# Addresses
MFC8780 = "10.0.0.5"
# Ports
RDP = "{ 3389 }"
############
## TABLES ##
############
####################
## GLOBAL OPTIONS ##
####################
set skip on lo0
###########################
## TRAFFIC NORMALIZATION ##
###########################
####################
## QUEUEING RULES ##
####################
#########################################
## TRANSLATION RULES (NAT) & SCRUBBING ##
#########################################
match in log
match in all scrub (no-df max-mss 1440)
match out on $ext_if1 from $localnet nat-to ($ext_if1)
match out on $ext_if2 from $localnet nat-to ($ext_if2)
match out on $ext_if2 from $vlan100net nat-to ($ext_if2) # Limiting VLAN 100 to WiMAX only
###################
## FILTERS RULES ##
###################
antispoof for $int_if
antispoof for $ext_if1
#antispoof for $ext_if2
block in log
#block out log
# Block Non-Routable Addresses
#block drop in quick on $ext_if from $nonroute to any
#block drop out quick on $ext_if from any to $nonroute
pass inet proto { tcp, udp } from { self, $localnet, $vlan100net }
#pass out on $int_if to $localnet
#pass in quick on $int_if from $localnet to $int_if
# Single WAN
#pass out on $ext_if1 proto { tcp udp icmp } all
### Dual WAN Configuration
pass in on $int_if from $localnet route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
# VLAN 100 is only NATed on $ext_if2 above, so it must also be routed out $ext_if2 only
pass in on $vlan100 from $vlan100net route-to ($ext_if2 $ext_gw2)
# Single External Connection Path for Secure Ports
pass in on $int_if proto { tcp, udp } from $localnet to port $snglextports route-to ($ext_if1 $ext_gw1)
# General "Pass Out" Rules For External Interface
pass out on $ext_if1
pass out on $ext_if2
# Route packets from any IPs on $ext_if1 to $ext_gw1, and the same for $ext_if2 and $ext_gw2
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)
pass in on $int_if from $vlan100net to $MFC8780
#pass in quick on $ext_if1 inet proto tcp from any to any port 80 rdr-to 10.0.0.11 port 8008
#pass in on $ext_if1 inet proto tcp to $ext_if1 port 8008 rdr-to 10.0.0.11
#pass on $int_if inet proto tcp to 10.0.0.11 port 8008
pass in quick on $ext_if1 inet proto tcp from any to any port 8008 rdr-to 10.0.0.11
pass on $int_if inet proto tcp to 10.0.0.11 port 8008
pass in inet proto tcp to port ssh
pass inet proto icmp
# VPN
pass quick on $vpn_if
pass in quick proto udp from any to port 1194
block in on ! lo0 proto tcp to port 6000:6010
Any guidance with my configuration to accomplish this failover (on the same box) would be greatly appreciated.
Thank you!
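One way to combine the round-robin route-to rules with ifstated, added here as an example rather than anything from the post above or from OpenBSD's FAQ: move the route-to rules into a pf anchor, and let ifstated ping each gateway and load a different anchor ruleset depending on which gateways answer. The anchor name "wan", the file paths /etc/pf.wan-*.conf and the 10-second ping interval are assumptions; x.x.x.x and y.y.y.y are the placeholders from the post's own macros.

```conf
# --- /etc/pf.conf: replace the two route-to lines for $localnet with this
#     anchor; ifstated fills it in at run time ("wan" is a hypothetical name)
anchor "wan"

# --- /etc/pf.wan-both.conf: loaded while both gateways answer pings.
#     Anchor files are parsed on their own, so each needs its own macros.
int_if   = "vr0"
ext_if1  = "vr1"
ext_if2  = "axe0"
ext_gw1  = "x.x.x.x"
ext_gw2  = "y.y.y.y"
localnet = "10.0.0.0/24"
pass in on $int_if from $localnet route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin

# --- /etc/pf.wan1.conf: only the T1 gateway answers
int_if   = "vr0"
ext_if1  = "vr1"
ext_gw1  = "x.x.x.x"
localnet = "10.0.0.0/24"
pass in on $int_if from $localnet route-to ($ext_if1 $ext_gw1)

# --- /etc/pf.wan2.conf: only the WiMAX gateway answers
int_if   = "vr0"
ext_if2  = "axe0"
ext_gw2  = "y.y.y.y"
localnet = "10.0.0.0/24"
pass in on $int_if from $localnet route-to ($ext_if2 $ext_gw2)

# --- /etc/ifstated.conf
init-state auto

# Each test runs every 10 seconds (assumed interval). The gateways are directly
# connected, so the pings do not depend on the default route being alive.
wan1 = '( "ping -q -c 1 -w 1 x.x.x.x > /dev/null" every 10 )'
wan2 = '( "ping -q -c 1 -w 1 y.y.y.y > /dev/null" every 10 )'

# Decide which ruleset applies; every state returns here when a test changes.
state auto {
	if $wan1 && $wan2
		set-state both
	if $wan1 && ! $wan2
		set-state wan1only
	if ! $wan1 && $wan2
		set-state wan2only
	if ! $wan1 && ! $wan2
		set-state down
}

state both {
	init {
		run "pfctl -a wan -f /etc/pf.wan-both.conf"
	}
	if ! $wan1 || ! $wan2
		set-state auto
}

state wan1only {
	init {
		run "pfctl -a wan -f /etc/pf.wan1.conf"
	}
	if ! $wan1 || $wan2
		set-state auto
}

state wan2only {
	init {
		run "pfctl -a wan -f /etc/pf.wan2.conf"
	}
	if $wan1 || ! $wan2
		set-state auto
}

# Neither gateway answers: empty the anchor so nothing is route-to'd at a dead
# gateway and traffic falls back to the kernel routing table.
state down {
	init {
		run "pfctl -a wan -F rules"
	}
	if $wan1 || $wan2
		set-state auto
}
```

Check the file with `ifstated -n -f /etc/ifstated.conf` before enabling the daemon (`ifstated_flags=""` in /etc/rc.conf.local). The VLAN 100 rule, the $snglextports rule and the cross-interface route-to rules stay in the main pf.conf, since they do not change with gateway state. One caveat: pf records the route-to target in each state entry, so connections that were already established through a gateway keep using it after it fails until they time out; if you want them moved immediately, the init block for each state can also run `pfctl -F states`, at the cost of dropping every active connection, including the VPN.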