Sunday, April 28, 2024

Re: NAT on CARP interface

Oh now I remember, you might need to add it to the egress interface group. 

Does that rule you posted error out or are you just seeing blocks with it? 


On Sun, Apr 28, 2024, 12:49 PM Mike <rizzz2pro@gmail.com> wrote:
If I remember right, you can run 'ifconfig' and see if that interface is marked as an egress interface or not. I can't remember how OBSD determines what interfaces are egress or not, but your em0 seems to be in a private network, so it might not be classifying itself as egress. 

Nevertheless, writing egress or $ext_If, what difference does it really make? You're just repeating a different word. Lol

On Sun, Apr 28, 2024, 12:08 PM Radek <rdk@int.pl> wrote:
> change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will work as the rule you say works.
I made minor changes and tested the egress version.

ext_if = "em0"
ext_carpif = "carp0"
int_if = "carp2"
This rule works for me:
match out log on $ext_if from $int_if:network to any nat-to $ext_carpif

It seems it should work fine as well but it doesn't:
match out log on egress from $int_if:network to any nat-to $ext_carpif


On Thu, 25 Apr 2024 13:53:32 -0700
obsdml@loopw.com wrote:

>
>
> > On Apr 25, 2024, at 10:36 AM, Radek <rdk@int.pl> wrote:
> >
> > Thank you for all your hints.
> >
> >> match out on egress from $lan_if:network to any nat-to (egress:0)
> > This rule doesn't work.
>
> change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will work as the rule you say works.
>
>
> fwiw, the $lan_if came from your config's existing "match"
>
> https://www.openbsd.org/faq/pf/filter.html#syntax  - under "interface" you can find out about "egress".  I definitely prefer it to hard coding an interface in yet another line of a pf.conf
>
> I was presuming you didn't mind matching to $ext_if's IP for new sessions outbound, hence (egress:0).  Matching to the carp IP works.  (this is basically a source NAT rule in commercial-network-vendor speak)
>
>
> >
> >> ext_if=em0
> >> int_if=vlan2
> >> ext_carpIf=carp0
>
> >> match out on $ext_if inet from $int_if:network to any nat-to $ext_carpIf
> > This rule works as expected.
>


Radek
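The thread turns on whether em0 is actually a member of the "egress" interface group, which OpenBSD fills with the interface(s) holding the default route; a "match out on egress" rule only sees packets leaving those interfaces. The script below is an added example, not code posted by anyone in the thread: it parses the "groups:" line of `ifconfig <if>` output to test egress membership and prints the NAT rule in the "on egress" form when the interface qualifies, otherwise in the explicit-interface form Radek reports as working. The two ifconfig outputs are constructed samples (addresses from 192.0.2.0/24), not captures from Radek's box, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread above. On OpenBSD the "egress" interface
# group is filled automatically with the interface(s) carrying the default
# route, so "match out on egress" only sees packets leaving those interfaces.
# Whether a given interface is a member shows up on the "groups:" line of
# `ifconfig <if>`. The two ifconfig outputs below are constructed samples, not
# captures from the poster's box: em0 holds the default route, carp0 does not.

SAMPLE_EM0='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:01
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

SAMPLE_CARP0='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        index 5 priority 15 llprio 3
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        status: master
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

# in_egress_group IFCONFIG_OUTPUT
# Exit 0 when the "groups:" line of the given ifconfig output lists egress
# (the line may carry several group names, e.g. "groups: egress wan").
in_egress_group() {
    printf '%s\n' "$1" | awk '
        $1 == "groups:" { for (i = 2; i <= NF; i++) if ($i == "egress") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# nat_rule IFNAME IFCONFIG_OUTPUT INT_IF CARP_IF
# Print the source-NAT rule in the "on egress" form when IFNAME is in the
# egress group, and fall back to naming the interface explicitly (the form
# the thread reports as working) when it is not.
nat_rule() {
    if in_egress_group "$2"; then
        printf 'match out log on egress from %s:network to any nat-to %s\n' "$3" "$4"
    else
        printf 'match out log on %s from %s:network to any nat-to %s\n' "$1" "$3" "$4"
    fi
}

# On a live OpenBSD host, feed the real output instead of the samples:
#   nat_rule em0 "$(ifconfig em0)" carp2 carp0
# Demonstration with the constructed samples:
nat_rule em0   "$SAMPLE_EM0"   carp2 carp0
nat_rule carp0 "$SAMPLE_CARP0" carp2 carp0
```

On the real box, `ifconfig egress` lists the current members of the group, and, as the top reply suggests, `ifconfig em0 group egress` adds an interface to it by hand if the default route does not put it there. Membership follows the default route, so check the group rather than assuming the physical external interface is in it; a rule written "on egress" is only as good as that membership.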
