#2, 31st January 2012
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,383

I think that you should add "log" to all of your rules, both pass and block, and use tcpdump with pflog0, and watch which pass rules apply.

I say this because watching pass rules may show you that the packets you want to direct to a single ISP with route-to are matching unintended rules. Unless "quick" is used, in PF, the last matching rule wins.

I see this rule, which I think you want to apply to this traffic:
    # Single External Connection Path for Secure Ports
    pass in on $int_if proto { tcp, udp } from { $localnet, $vpnnet } to port $snglextports route-to ($ext_if1 $ext_gw1)
but the very next set of rules will find a match, since they pass all outbound traffic, and negate your prior matching rules:
    # General "Pass Out" Rules For External Interface
    pass out on $ext_if1
    pass out on $ext_if2
Use tcpdump, and see if it helps you debug this.
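The diagnostic the post describes, as an added pf.conf example that is not the poster's ruleset and not the original thread's configuration: every rule carries "log" so pflog0 records which rule matched, and "quick" on the route-to rule stops evaluation there, so a later "pass out" rule can no longer become the last match for that traffic. The macro values are assumed placeholders; the macro names are the ones quoted in the post.

```pf
# Added example (not the poster's ruleset). Macro values below are placeholders.
int_if       = "em0"
ext_if1      = "em1"
ext_if2      = "em2"
ext_gw1      = "192.0.2.1"
localnet     = "192.168.1.0/24"
vpnnet       = "10.8.0.0/24"
snglextports = "{ 22, 443 }"

# Single external connection path for secure ports.
# "log"   -> each match is written to pflog0 with the rule number.
# "quick" -> evaluation stops here; no later rule can override this match.
pass in log quick on $int_if proto { tcp, udp } \
    from { $localnet, $vpnnet } to port $snglextports \
    route-to ($ext_if1 $ext_gw1)

# General "pass out" rules for the external interfaces, also logged so that
# the pflog output shows when they, rather than the route-to rule, matched.
pass out log on $ext_if1
pass out log on $ext_if2

# Load the ruleset and list it with rule numbers (the "@N" prefix):
#   pfctl -f /etc/pf.conf
#   pfctl -vv -s rules
# Watch matches on pflog0; "-e" prints the pflog header, which carries the
# rule number, action, direction and interface for each logged packet:
#   tcpdump -n -e -ttt -i pflog0 port 443
```

Reading the tcpdump output alongside the numbered ruleset from pfctl shows directly whether a given packet was matched by the route-to rule or by one of the general pass out rules, which is the comparison the post asks the original poster to make.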