On Mon, Nov 21, 2016 at 12:10 PM, Stefan Sperling <[email protected]> wrote:
> On Mon, Nov 21, 2016 at 10:43:17AM -0500, Kenneth Gober wrote:
>> I get the impression that route-to is applied when a packet enters the
>> router,
>> e.g. as part of a "pass in" rule, and that it is used to forcibly direct the
>> packet to a particular interface for "pass out" rather than relying on the
>> default routing table for the entry interface.
>>
>> This means that if the "pass out" rule is the first time you are seeing the
>> packet (i.e. because it originated from the router itself) then the routing
>> decision has already been made and it is now too late to route again.
>
> route-to takes effect when a state is created by a matched rule.
> It is possible to use route-to on 'pass out' rules (at least, over here,
> it works :)

Prompted by Stefan, I made some time to test this myself and I can
confirm that this works.

I started with this rule in pf.conf:

pass in log quick on em0 from em0:network to 8.8.8.8 route-to pppoe0 tagged TBD tag FORWARD

And "ping 8.8.8.8" from the internal network got redirected to pppoe0
(default route is em2) but the same command issued at the router did not
get redirected.  I do not show the pass out rule here but I have a later
one that will pass out (with NAT) anything tagged FORWARD.

Adding this rule as well:

pass out log quick on em2 to 8.8.8.8 route-to pppoe0

Caused "ping 8.8.8.8" originating from the router itself to be redirected
just like the corresponding internal traffic.

-ken
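As an added example (not from Ken's or Stefan's messages), here is a minimal pf.conf that puts both halves of the fix side by side: the "pass in" rule that handles forwarded traffic and the "pass out" rule needed for the router's own traffic. The macro names, the dropped TBD tag and the "nat-to" rule are assumptions standing in for the NAT rule Ken mentions but does not show; the "route-to <interface>" form matches the pf version in this 2016 thread, and later OpenBSD releases changed route-to to take a next-hop address instead, so check pf.conf(5) for the version in use.

```pf
# Added example, not from the original thread. Interface names follow the
# thread; macro names, the nat-to rule and the final catch-all are assumed.
ext_if = "em2"      # default route leaves through em2
lan_if = "em0"      # internal network
alt_if = "pppoe0"   # interface we want 8.8.8.8 traffic to use instead
probe  = "8.8.8.8"

# Forwarded traffic: the state is created when this "pass in" rule matches,
# so route-to here is enough to send LAN-originated packets out via pppoe0
# regardless of what the routing table says for em0.
pass in log quick on $lan_if from $lan_if:network to $probe \
    route-to $alt_if tag FORWARD

# Router-originated traffic never hits a "pass in" rule: the first time pf
# sees it is on "pass out" on the default-route interface (em2). Without
# this rule the kernel's routing decision stands and the packet leaves on
# em2. With it, the state created here carries route-to and the packet is
# handed to pppoe0 instead, exactly as Ken observed.
pass out log quick on $ext_if to $probe route-to $alt_if tag FORWARD

# Assumed NAT rule (the thread mentions one but does not show it): anything
# tagged FORWARD that leaves on pppoe0 is source-NATed to pppoe0's address.
# The tag set by the two rules above is what selects this rule.
pass out quick on $alt_if tagged FORWARD nat-to ($alt_if)

# Everything else follows the normal routing table.
pass out on $ext_if
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then verify with "pfctl -ss" that the state for a router-side "ping 8.8.8.8" shows pppoe0 as its interface.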
