Sunday, April 28, 2024

Re: NAT on CARP interface

If I remember right, you can run 'ifconfig' and see if that interface is marked as an egress interface or not. I can't remember how OBSD determines what interfaces are egress or not but your em0 seems to be in a private network so it might not be classifying itself as egress. 

Nevertheless, writing egress or $ext_If, what difference does it really make? You're just repeating a different word. Lol

On Sun, Apr 28, 2024, 12:08 PM Radek <rdk@int.pl> wrote:
> change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will work as the rule you say works.
I made minor changes and tested the egress version.

ext_if = "em0"
ext_carpif = "carp0"
int_if = "carp2"
This rule works for me:
match out log on $ext_if from $int_if:network to any nat-to $ext_carpif

It seems it should work fine as well but it doesn't:
match out log on egress from $int_if:network to any nat-to $ext_carpif


On Thu, 25 Apr 2024 13:53:32 -0700
obsdml@loopw.com wrote:

>
>
> > On Apr 25, 2024, at 10:36 AM, Radek <rdk@int.pl> wrote:
> >
> > Thank you for all your hints.
> >
> >> match out on egress from $lan_if:network to any nat-to (egress:0)
> > This rule doesn't work.
>
> change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will work as the rule you say works.
>
>
> fwiw, the $lan_if came from your config's existing "match"
>
> https://www.openbsd.org/faq/pf/filter.html#syntax  - under "interface" you can find out about "egress".  I definitely prefer it to hard coding an interface in yet another line of a pf.conf
>
> I was presuming you didn't mind matching to $ext_if's ip for new sessions outbound, hence (egress:0).  Matching to the carp ip works.  (this is basically a source nat rule in commercial-network-vendor speak)
>
>
> >
> >> ext_if=em0
> >> int_if=vlan2
> >> ext_carpIf=carp0
>
> >> match out on $ext_if inet from $int_if:network to any nat-to $ext_carpIf
> > This rule works as expected.
>


Radek
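As an added example (not code from this thread or from OpenBSD), a small POSIX shell script that shows the check the first reply alludes to: which interfaces actually carry the `egress` group. On OpenBSD the group is assigned automatically to the interface(s) holding the default route, so a `match ... on egress` rule only sees packets leaving through those interfaces; if the default route is not where you expect, LAN traffic can leave un-NATed. The ifconfig(8)-style output below is constructed (interface names em0/carp0/carp2, the 192.0.2.0/24 and 10.0.0.0/24 addresses and MAC addresses are made up), and the script parses that sample rather than the live system; the rule it prints uses an explicit interface so it does not depend on group membership.

```sh
#!/bin/sh
# Added example, not from the thread: list the members of an interface group
# from ifconfig-style output and build a nat-to rule on an explicit interface.

# Constructed sample of `ifconfig -a` output for a host like the one in the
# thread: em0 holds the default route (group egress), carp0/carp2 do not.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:01
        index 1 priority 0 llprio 3
        groups: egress
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        index 5 priority 15 llprio 3
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        index 6 priority 15 llprio 3
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        groups: carp
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255'

# ifaces_in_group GROUP  (reads ifconfig output on stdin)
# Prints the name of every interface whose "groups:" line lists GROUP.
ifaces_in_group() {
    awk -v grp="$1" '
        /^[A-Za-z]/ { iface = $1; sub(/:$/, "", iface) }
        /^[ \t]+groups:/ { for (i = 2; i <= NF; i++) if ($i == grp) print iface }
    '
}

# egress_ifaces: interfaces in the egress group of the sample output.
# On a real host `ifconfig egress` gives the same list directly.
egress_ifaces() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | ifaces_in_group egress
}

# iface_in_group IFACE GROUP: succeeds if IFACE is a member of GROUP.
iface_in_group() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | ifaces_in_group "$2" | grep -qx "$1"
}

# nat_rule OUT_IF INT_IF NAT_IF: the thread's working rule with the outbound
# interface named explicitly instead of via the egress group.
nat_rule() {
    printf 'match out log on %s from %s:network to any nat-to %s\n' "$1" "$2" "$3"
}

# Stand-alone run: show the egress members and the resulting rule.
for i in $(egress_ifaces); do
    echo "egress member: $i"
done
nat_rule "$(egress_ifaces | head -n 1)" carp2 carp0
```

On the real firewall, compare `ifconfig egress` with the interface named in your working `$ext_if` rule; if they differ, the `on egress` variant is matching a different interface (or none), which explains why the two otherwise identical rules behave differently. `pfctl -nf /etc/pf.conf` parses the rule set without loading it, which is a cheap way to validate the edited rule before a reload.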
