I have used PF for years on my home server, to perform NAT (and various other minor functions): I have a home network with perhaps a dozen machines, and only one external WAN connection, with one IP address, so I need NAT, and PF on *bsd seems like the best way to do that.
Strangely, I'm now finding myself with two WAN connections (completely different types, but similar speed, both about 2 Mbit/s). I have a single static IP address on both. For now, I've been using one at a time, and occasionally switching back and forth if one fails.
So now I'm thinking: Why not use both? Yes, I understand networking well enough to know that this is not like multipath or bonding: one single connection (from a client's application port to a server somewhere far away on the internet) will only get the bandwidth from one connection, and without intricate tricks, I will not have automatic failover. And some applications (in particular "smart" applications, for example ajax "apps" running javascript under https, where the server gets confused if parts of the traffic come from a seemingly different host) may not work. Still, for normal e-mail, web-browsing, ssh login, and downloading, this should work well.
So I tried to follow the OpenBSD example from http://www.openbsd.org/faq/pf/pools.html, which is the only documented version I can find. Right now, I'm still fighting the fact that the PF syntax from that example doesn't work on my FreeBSD system. I find lots of web discussion of people trying it, and no feedback when it eventually works. Anyone have an example pf.conf they want to share?
And one particular question: If you do this following the OpenBSD example, what do you set for the default route (system wide, the one set with the
route command and verified with netstat)? Can you just leave it unset, and the PF system will automatically set the outgoing route to the next hop on the interface?
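For reference, here is an added example pf.conf for FreeBSD's pf that follows the round-robin `route-to` scheme the OpenBSD pools FAQ describes; it is not taken from the original post or from the FAQ page. FreeBSD's pf still uses the older `nat on` / `rdr on` rule syntax rather than the `match ... nat-to` form found in newer OpenBSD documentation, which is the most common reason the current FAQ text fails to load on FreeBSD. The interface names, the two next-hop addresses and the LAN prefix below are assumptions; substitute your own.

```pf
# Added example: FreeBSD pf.conf for two WAN uplinks, based on the
# round-robin route-to scheme from the OpenBSD pools FAQ, written in the
# nat/rdr rule syntax that FreeBSD's pf accepts.  Interface names,
# addresses and the LAN prefix are assumptions; substitute your own.
int_if  = "em0"           # LAN side (assumed)
ext_if1 = "em1"           # WAN 1 (assumed)
ext_if2 = "em2"           # WAN 2 (assumed)
ext_gw1 = "203.0.113.1"   # next hop on WAN 1 (assumed)
ext_gw2 = "198.51.100.1"  # next hop on WAN 2 (assumed)
lan_net = "192.168.1.0/24"

set skip on lo0
set block-policy drop

# Drop packets whose source address cannot legitimately arrive on that
# interface (LAN addresses showing up on a WAN link, and so on).
antispoof quick for { $int_if, $ext_if1, $ext_if2 }

# Translate outbound LAN traffic to the address of whichever WAN
# interface it actually leaves on.  Which one that is gets decided by
# the route-to rules below, not by the kernel routing table.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Default deny in both directions; everything allowed is stateful.
block in all
block out all

# The gateway itself may talk to the LAN, and the LAN to the gateway.
# The quick rule must precede the route-to rules so that traffic aimed
# at the gateway is not pushed out a WAN link.
pass out on $int_if from any to $lan_net
pass in quick on $int_if from $lan_net to $int_if

# Load-balance NEW connections from the LAN across the two uplinks.
# Each state is pinned to one (interface, next-hop) pair for its whole
# lifetime, so a single TCP session never straddles both links.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

# Permit traffic to leave either external interface.  The route-to
# state already picked the interface; these rules only allow it.
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# A packet carrying WAN 2's source address that the routing table handed
# to WAN 1 (or vice versa) is pushed back out the link that owns that
# address, so each ISP only ever sees packets from its own prefix.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any

# An inbound service on the WAN that is NOT the default route needs
# reply-to, otherwise its replies follow the default route out the other
# ISP with the wrong source address and get dropped there.  ssh on WAN 2
# is shown as an example (assumed service; adjust or remove).
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) \
    proto tcp from any to ($ext_if2) port 22 flags S/SA keep state
```

On the default-route question: `route-to` only overrides the routing table for packets that match a `route-to` rule. Everything else, in particular traffic the gateway originates itself (DNS lookups, NTP, package updates, your own ssh sessions from the box), is still routed by the kernel, so you do need a normal default route on exactly one of the two uplinks (`defaultrouter` in rc.conf, plus `gateway_enable="YES"` for forwarding). The two cross `route-to` rules at the end of the file are what keep that choice from leaking the other ISP's address out the wrong link. Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -s state` from a LAN client to confirm that successive connections alternate between the two gateways. Two caveats a practitioner should keep in mind: round-robin is not health-aware, so if one link dies half of all new connections will still be handed to it until you remove that pair from the pool; and pf.conf(5) documents a `sticky-address` pool option that keeps one source address on one translation, which is the knob to test on your FreeBSD version for the "smart" web applications that object to seeing two different client addresses.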