Subject: pf: how to use the right interface?
To: None <>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 04/04/2006 16:08:08
pf appears to have some trouble using the correct interface under some
circumstances.  (This is on i386 3.0.)

In particular, given


with the default route pointing to, and pf rules

set state-policy if-bound
rdr on ex0 inet proto tcp from any to ->
rdr on rtk0 inet proto tcp from any to ->
pass out quick on ex0 route-to ( ex0 ) from to any
pass out quick on ex0 route-to ( rtk0 ) from to any
pass quick all

Then if a connection arrives to, all is well:
gets it, properly NATted, and response traffic is all good.

But if a connection arrives on, things are less good. hears about it, and it looks right from its point of view,
but the response traffic goes out ex0, presumably because that's where
the default route points, despite coming from, despite the
state table entry and state-policy, despite even the pass line trying
to send it out rtk0!

What am I doing wrong?  What do I need to do to get this traffic to go
out the correct interface?  (I have similar issues with locally
originated traffic, actually, despite the "pass" rules, but it's the
NATted-connection response traffic that's most important.)  I could
port my srt interface to 3.0, probably, but it seems to me that either
the NAT state entries or the pass rules should make that unnecessary.

The above is a relatively brief sketch, but I think/hope I've included
everything relevant - I can give full details if desired.

