PF FreeBSD PF: How to route certain traffic via the 2nd WAN using route-to rules

Hello,

My LAN router runs the latest FreeBSD 14.3, and has dual Internet connections, with WAN1 being the default route.

I want to route traffic to certain destinations (say, to Japan) via the 2nd WAN connection using the route-to rules.

However, this rule doesn't work:
pass out quick on { $wan1_if $wan2_if } route-to $wan2_if inet to <JAPAN> keep state
Neither does:
pass out quick on { $wan1_if $wan2_if } route-to ($wan2_if $wan2_gateway) inet to <JAPAN> keep state

But a route-to rule pointing at a TUN device works:
pass out quick on $wan1_if route-to tun0 inet proto tcp to <DEST_VIA_TUN> keep state


Below is the full content of my /etc/pf.conf; net.inet.ip.forwarding=1 is set in /etc/sysctl.conf.


wan1_if = "igc0" # the default connection
wan2_if = "igc1" # the second WAN

int_if = "bridge0" # a bridge interface grouping all the LAN ports
int_net = "10.0.0.0/24"

# destination tables, one address or prefix per line, loaded from files
table <DEST_VIA_TUN> persist file "/etc/destinations_via_tun_device.txt"
table <JAPAN> persist file "/etc/japan_ip_blocks.txt"

set block-policy drop
set skip on lo
scrub in on { $wan1_if $wan2_if }

# source NAT for the LAN on whichever WAN interface a packet leaves through
nat on $wan1_if inet from $int_net -> ($wan1_if)
nat on $wan2_if inet from $int_net -> ($wan2_if)

block all

# this route-to rule works fine, routing certain destinations via a TUN device
pass out quick on $wan1_if route-to tun0 inet proto tcp to <DEST_VIA_TUN> keep state

# NOT WORKING: this rule tries to route certain destinations via the second, non-default, WAN
pass out quick on { $wan1_if $wan2_if } route-to $wan2_if inet to <JAPAN> keep state

pass out on { $wan1_if $wan2_if } keep state
pass on $int_if inet keep state
# allow DHCP server replies (port 67 -> 68) to reach the WAN interfaces
pass in log quick on { $wan1_if $wan2_if } inet proto udp from port 67 to port 68 keep state

Thank you.
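The pattern that is normally used for this on pf, shown here as an added example and not as code from the original post: apply route-to where the LAN traffic enters (pass in on the bridge), not where it would leave (pass out on the WAN). The usual reason the posted pass-out variant fails (an explanation offered here, not something the post confirms) is that a packet that reaches the filter on $wan1_if has already been handled by the "nat on $wan1_if" rule, so route-to then pushes a packet carrying WAN1's source address out through igc1, and either the WAN2 provider drops it or the replies come back via WAN1 and never match the state. Steering the packet on the inbound side means it reaches igc1 as an ordinary outgoing packet, so "nat on $wan2_if" and the plain pass-out rule apply to it. The macro and table names are the ones from the posted pf.conf; $wan2_gateway and its placeholder address are assumptions for the example (an Ethernet interface needs an explicit next hop in route-to, unlike a point-to-point interface such as tun0).

```pf
# Added example, not the original poster's configuration.
wan1_if = "igc0"            # default route
wan2_if = "igc1"            # second WAN
wan2_gateway = "203.0.113.1" # ASSUMPTION: placeholder (TEST-NET-3); use the real next hop on igc1

int_if = "bridge0"
int_net = "10.0.0.0/24"

table <JAPAN> persist file "/etc/japan_ip_blocks.txt"

set block-policy drop
set skip on lo
scrub in on { $wan1_if $wan2_if }

# NAT is chosen by the interface the packet actually leaves on. Because the
# policy route below is applied when the packet enters on bridge0, a packet
# for <JAPAN> arrives at igc1 as a normal outgoing packet and gets WAN2's address.
nat on $wan1_if inet from $int_net -> ($wan1_if)
nat on $wan2_if inet from $int_net -> ($wan2_if)

block all

# Policy routing on the LAN side: LAN traffic for <JAPAN> is handed to igc1
# with its own next hop. Must come before the general "pass on $int_if" rule,
# hence "quick".
pass in quick on $int_if route-to ($wan2_if $wan2_gateway) inet from $int_net to <JAPAN> keep state

# Everything else from the LAN follows the kernel routing table (WAN1 default).
pass on $int_if inet keep state
pass out on { $wan1_if $wan2_if } keep state
pass in log quick on { $wan1_if $wan2_if } inet proto udp from port 67 to port 68 keep state
```

Check the result rather than assume it: load with `pfctl -nf /etc/pf.conf` first, then `pfctl -f /etc/pf.conf`; `pfctl -t JAPAN -T show` confirms the table actually contains the prefixes; `pfctl -vvsr` shows the per-rule packet counters, so the route-to rule should count up when a LAN host connects to a <JAPAN> address; `pfctl -ss` should then show a state on igc1 with the translated source, and `tcpdump -ni igc1 host <some JAPAN address>` should show the packets leaving there. Two caveats: this rule only steers traffic that enters on bridge0, so connections originated by the router itself still follow the routing table; and if the <JAPAN> table also contains the other provider's own networks (DNS, mail, etc.), those sessions move to WAN2 too, so it is worth reviewing the file with that in mind.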