pf + 2 внешних канала в нет

[hoolygan]

подскажите, пожалуйста, где грабли.
есть 2 канала в инет. один анлим (медленный), другой быстрый, но анлим тока ua-ix
вот конфиг pf:

Код: Выделить всё

# interfaces
int_if = "xl0"
ext_if = "nve0"
ext_if2 = "tun0" 
lan_net="192.168.3.0/24"
ext_gw = "7x.8x.19x.145"
ext_gw2 = "6x.8x.17x.80"
tcp_services = "{ ssh, smtp, 21, 53, 80, 443, 1723,137,138,139 }"
udp_services = "{ ftp, 53, 123,137,138,139 }"
nat_users = "{192.168.3.0/24 }"
icmp_types = "echoreq"
table <ua-ix> persist file "/etc/prefixes.txt"

priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12 }"
        
# options
set block-policy return

# scrub
scrub in all
# nat/rdr
nat on $ext_if from $nat_users to !<ua-ix> -> ($ext_if)
nat on $ext_if2 from $nat_users to <ua-ix> -> ($ext_if2)

# filter rules
block all

pass quick on lo0 all
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
block drop in  quick on $ext_if2 from $priv_nets to any
block drop out quick on $ext_if2 from any to $priv_nets

# Load balance outgoing tcp and udp traffic from internal network1. 
pass in on $int_if route-to \
    { ($ext_if $ext_gw) } round-robin \
    proto tcp from  $lan_net to !<ua-ix> flags S/SA modulate state

pass in on $int_if route-to \
    { ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from  $lan_net to <ua-ix> flags S/SA modulate state

pass in on $int_if route-to \
    { ($ext_if $ext_gw) } round-robin \
    proto { udp, icmp } from $lan_net to !<ua-ix> keep state

pass in on $int_if route-to \
    { ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to <ua-ix> keep state
    

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state
pass in on $ext_if2 inet proto tcp from any to ($ext_if2) \
   port $tcp_services flags S/SA keep state

# Allow access to provided UDP services on both external i/fs
pass in on $ext_if inet proto udp from any to ($ext_if) \
   port $udp_services keep state
pass in on $ext_if2 inet proto udp from any to ($ext_if2) \
   port $udp_services keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp, esp, ah, ipip, gre } all keep state

pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto { udp, icmp, esp, ah, ipip } all keep state


pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any 
pass out on $ext_if2 route-to ($ext_if $ext_gw) from $ext_if to any

#pass out all keep state
pass in on $ext_if proto { esp, ah, ipip, gre } from any keep state 
pass in on $ext_if2 proto { esp, ah, ipip } from any keep state 

при этом интерфейс nve0 (куда должны ходить пакеты ua-ix молчит). И все пакеты отправляются на дефолт (tun0, PPPoE)
как сделать так, чтобы пакеты уходили по правильному маршруту и ответ был с того интерфейса, на который приходит запрос.
помогите, плиз. Уже 3 дня лбом об стенку...

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[hoolygan]

прошу меня извинить, перепутал : на nve0 должны идти пакеты, предназначенные НЕ ua-ix