And there is only one rule in my pf.conf:
pass out on em1 dup-to em2 no state
Let's say I send a ping from host1 to host2. Two things may happen:
1. If OpenBSD has information about host2's IP in the ARP table, then
everything works well. The original ping packet arrives on host2 and the
duplicated packet is correctly placed on the em2 interface.
2. If OpenBSD doesn't have information about host2's IP in the ARP table,
then an ARP request needs to be sent. But this ARP request is only sent
through the em2 interface, not through the em1 interface. As a result
there is no valid ARP response and the ping packet doesn't know how to
reach host2. So both the original and the duplicated packets are dropped.
In my opinion, the second behaviour is not proper because the dup-to
option shouldn't affect the original packet. The ARP request should be
sent normally through the em1 interface, as it would be if the 'dup-to'
option weren't used.
I don't know if this is a bug or rather a consequence of some
implementation design. I will be very grateful for any clarifications or