network:packet_filter:load_balance
  • route-to round-robin will not work with FTP, since every FTP data transfer opens a new connection (and therefore a new state), which may be sent out through a different uplink, and with a different source address, than the control connection
  • use round-robin proto tcp from $lan_net to any port != ftp flags S/SA modulate state to exempt FTP from the round-robin rule
pf.conf
# --------------- file /etc/pf.conf --------------------
# internal LAN and the two uplinks, each with its own next-hop gateway
lan_net = "10.1.0.0/22"
int_if = "fxp0"
ext_if1 = "xl0"
ext_if2 = "xl1"
ext_gw1 = "192.168.103.1"
ext_gw2 = "192.168.104.1"
 
virus_ports="{135,137,139,445,1080,1025,1026,1433,1434}"
tcp_udp = "{tcp,udp}"
 
# NAT on each uplink (disabled here); ($ext_if1) tracks a dynamic interface address
#nat on $ext_if1 from $lan_net to any -> ($ext_if1)
#nat on $ext_if2 from $lan_net to any -> ($ext_if2)
 
# same, but static-port keeps the client's source port unchanged
#nat on $ext_if1 from $lan_net to any -> $ext_if1 static-port
#nat on $ext_if2 from $lan_net to any -> $ext_if2 static-port
 
# block worm/virus ports in both directions (disabled here)
#block in quick proto $tcp_udp from any port $virus_ports to any
#block out quick proto $tcp_udp from any to any port $virus_ports
 
# spread new connections from the LAN over both uplinks; the gateway is chosen
# when the state is created, so all packets of one connection use the same uplink
pass in on $int_if route-to { ($ext_if1 $ext_gw1),($ext_if2 $ext_gw2) } round-robin \
proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to { ($ext_if1 $ext_gw1),($ext_if2 $ext_gw2) } round-robin \
proto {udp,icmp} from $lan_net to any keep state
 
# packets carrying one uplink's source address that the routing table would send
# out the other uplink are forced back to the gateway that matches the address
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) proto tcp from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) proto tcp from ($ext_if1) to any
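Applying the FTP note above to this ruleset, as an added example that is not part of the original wiki page: FTP control connections (port 21) are taken out of the round-robin rule with port != ftp and pinned to uplink 1 by their own route-to rule, so they always leave with the same source address. The macros are the ones defined in the pf.conf above; the rule layout and comments are assumptions added here. Note that passive-mode data connections go to arbitrary high ports on the server and still match the round-robin rule; keeping them on the same path as the control connection needs an application-level helper such as ftp-proxy(8), which is not shown.

```pf
# added example: FTP control connections excluded from round-robin and pinned
# to uplink 1; macros lan_net, int_if, ext_if1/2, ext_gw1/2 as in pf.conf above

# every TCP connection except FTP control is spread over both uplinks
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any port != ftp flags S/SA modulate state

# FTP control always leaves via uplink 1 (single-entry pool, no round-robin);
# pf applies the last matching rule, and this rule does not overlap the one above
pass in on $int_if route-to ($ext_if1 $ext_gw1) \
    proto tcp from $lan_net to any port ftp flags S/SA modulate state

# UDP and ICMP are balanced as before
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto {udp,icmp} from $lan_net to any keep state

# reply-path fix-up for all protocols, not only TCP: a packet sourced from one
# uplink's address must leave through that uplink's gateway
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any
```

Check the syntax without loading it using pfctl -nf /etc/pf.conf, and after loading compare pfctl -s rules against the intended order, since a later overlapping rule silently wins.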

Route traffic based on destination

  • pf applies the last rule that matches (unless a rule uses quick), so start with a generic rule and get more specific as you go down the config file
# generic rule: uplink 1 is listed twice in the pool, so it receives two out of every three new connections
pass in on $int_if route-to { ($ext_if1 $ext_gw1),($ext_if1 $ext_gw1),($ext_if2 $ext_gw2) } round-robin proto tcp from <dynamic_ips> to <ext_nets> port {80} flags S/SA modulate state
pass in on $int_if route-to { ($ext_if1 $ext_gw1),($ext_if1 $ext_gw1),($ext_if2 $ext_gw2) } round-robin proto {udp,icmp} from <dynamic_ips> to <ext_nets> keep state
 
# more specific rules below override the generic one for these destinations
pass in on $int_if route-to { ($ext_if2 $ext_gw2) } proto tcp from <dynamic_ips> to 208.85.40.0/21 port {80} flags S/SA modulate state  # route pandora through wcta
pass in on $int_if route-to { ($ext_if1 $ext_gw1) } proto tcp from <dynamic_ips> to 17.0.0.0/8 port {80} flags S/SA modulate state      # route apple through FED
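The fragment above references the tables <dynamic_ips> and <ext_nets> without defining them. As an added example, not the wiki's own text, here is the same destination-based ordering as a complete pf.conf section, generalized from port 80 to all TCP. The table contents are constructed placeholders (the LAN from the pf.conf above, and "everything except RFC 1918 space"), and the uplink macros are the ones defined there.

```pf
# added example: destination-based routing with the tables defined;
# table contents are constructed placeholders, macros as in pf.conf above

# hosts whose traffic is load-balanced, and the destinations eligible for it
table <dynamic_ips> { 10.1.0.0/22 }
table <ext_nets>    { 0.0.0.0/0, !10.0.0.0/8, !172.16.0.0/12, !192.168.0.0/16 }

# 1) generic rule, weighted 2:1 toward uplink 1 by listing it twice in the pool;
#    the uplink is chosen once per state, so a connection never switches paths
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from <dynamic_ips> to <ext_nets> flags S/SA modulate state
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto {udp,icmp} from <dynamic_ips> to <ext_nets> keep state

# 2) specific destinations: later rules win, so these override the generic rule
#    only for the listed networks (addresses taken from the page above)
pass in on $int_if route-to ($ext_if2 $ext_gw2) \
    proto tcp from <dynamic_ips> to 208.85.40.0/21 flags S/SA modulate state   # pandora via wcta
pass in on $int_if route-to ($ext_if1 $ext_gw1) \
    proto tcp from <dynamic_ips> to 17.0.0.0/8 flags S/SA modulate state       # apple via FED

# 3) reply-path fix-up so packets sourced from an uplink's address leave via
#    that uplink regardless of the kernel routing table
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any
```

After loading, pfctl -s states shows the route-to gateway chosen for each state, which is the quickest way to confirm that a given destination is taking the intended uplink and that the 2:1 weighting is in effect.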
network/packet_filter/load_balance.txt · Last modified: 2014/03/05 09:44 by tschulz