Hi.
I'm trying to dynamically insert nat-to rules inside an anchor for
failover/load balancing purposes on OpenBSD 4.9. The rules get
evaluated but packet/byte/state count is zero. Can somebody please
tell me what I'm doing wrong?
Below are the two sets of rules I've tried, one without an anchor and
another with an anchor as well as sample evaluation, packet, byte, and
state counts for each nat-to rule.
### nat-to rules inside "/" ###
# Rules
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
pass out on vlan2 inet from <rfc1918> to ! <rfc1918> nat-to vlan2
pass out on vlan3 inet from <rfc1918> to ! <rfc1918> nat-to vlan3
pass out on vlan2 inet from vlan3 route-to (vlan3 124.107.174.129)
pass out on vlan3 inet from vlan2 route-to (vlan2 116.50.188.1)
# Stats
pass out on vlan2 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 116.50.188.8
[ Evaluations: 2816 Packets: 187 Bytes: 53419 States: 26 ]
[ Inserted: uid 0 pid 25555 State Creations: 26 ]
pass out on vlan3 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 124.107.174.137
[ Evaluations: 2610 Packets: 392 Bytes: 199902 States: 22 ]
[ Inserted: uid 0 pid 25555 State Creations: 22 ]
### nat-to rules inside "/WAN-NAT" ###
# Rules
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
anchor "WAN-NAT" {
pass out on vlan2 inet from <rfc1918> to ! <rfc1918> nat-to vlan2
pass out on vlan3 inet from <rfc1918> to ! <rfc1918> nat-to vlan3
}
pass out on vlan2 inet from vlan3 route-to (vlan3 124.107.174.129)
pass out on vlan3 inet from vlan2 route-to (vlan2 116.50.188.1)
# Stats
pass out on vlan2 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 116.50.188.8
[ Evaluations: 3504 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 27150 State Creations: 0 ]
pass out on vlan3 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 124.107.174.137
[ Evaluations: 3235 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 27150 State Creations: 0 ]
Thanks and regards,
--
Justin Jereza
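The counters in the post are the usual first diagnostic for this kind of problem: pf's "Evaluations" counts how often a rule was checked, while "Packets", "Bytes" and "States" only grow for the rule that ended up as the final match (pf is last-match-wins unless a rule says `quick`). A rule with thousands of evaluations and zero states was therefore looked at but never won, either because it did not match or because a later rule matched after it. The script below is an added example, not part of the original post or of OpenBSD: it parses `pfctl -vvsr`-style output and lists such "evaluated but never winning" rules. The two listings embedded in it are constructed from the counters shown above; the `@N` rule-number prefix handling and the field names are the example's own.

```python
"""Flag pf rules that are evaluated but never become the final match.

Added example (not from the original post). Input is the rule/counter
listing that `pfctl -vvsr` (optionally `-a <anchor>`) prints.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RuleStats:
    rule: str
    evaluations: int
    packets: int
    byte_count: int
    states: int
    state_creations: int

    def never_wins(self) -> bool:
        """Evaluated at least once, but never the last matching rule."""
        return (self.evaluations > 0 and self.states == 0
                and self.packets == 0 and self.state_creations == 0)


COUNTERS_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]")
INSERTED_RE = re.compile(r"\[\s*Inserted:.*?State Creations:\s*(\d+)\s*\]")
RULE_PREFIX_RE = re.compile(r"^@\d+\s+")  # `pfctl -vvsr` numbers rules as "@N ..."


def parse_pfctl_rules(text: str) -> List[RuleStats]:
    """Pair each rule line with the counter lines that follow it."""
    rules: List[RuleStats] = []
    pending: Optional[dict] = None  # fields of the rule currently being read

    def flush() -> None:
        # Only keep rules for which a counter line was actually seen.
        if pending is not None and "evaluations" in pending:
            rules.append(RuleStats(**pending))

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNTERS_RE.search(line)
        if m:
            if pending is not None:
                ev, pk, by, st = map(int, m.groups())
                pending.update(evaluations=ev, packets=pk, byte_count=by, states=st)
            continue
        m = INSERTED_RE.search(line)
        if m:
            if pending is not None:
                pending["state_creations"] = int(m.group(1))
            continue
        flush()  # a new rule line closes the previous rule
        pending = {"rule": RULE_PREFIX_RE.sub("", line), "state_creations": 0}
    flush()
    return rules


def never_winning_rules(text: str) -> List[RuleStats]:
    return [r for r in parse_pfctl_rules(text) if r.never_wins()]


# Constructed samples: the counters from the two listings in the post.
FLAT_LISTING = """\
pass out on vlan2 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 116.50.188.8
  [ Evaluations: 2816      Packets: 187       Bytes: 53419       States: 26    ]
  [ Inserted: uid 0 pid 25555 State Creations: 26    ]
pass out on vlan3 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 124.107.174.137
  [ Evaluations: 2610      Packets: 392       Bytes: 199902      States: 22    ]
  [ Inserted: uid 0 pid 25555 State Creations: 22    ]
"""

ANCHOR_LISTING = """\
@0 pass out on vlan2 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 116.50.188.8
  [ Evaluations: 3504      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 27150 State Creations: 0     ]
@1 pass out on vlan3 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 124.107.174.137
  [ Evaluations: 3235      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 27150 State Creations: 0     ]
"""

if __name__ == "__main__":
    for name, listing in (("/", FLAT_LISTING), ("/WAN-NAT", ANCHOR_LISTING)):
        for r in never_winning_rules(listing):
            print(f"{name}: evaluated {r.evaluations}x, never final match: {r.rule}")
```

Run it against `pfctl -vvsr` for the main ruleset and `pfctl -a WAN-NAT -vvsr` for the anchor; a rule reported here is being evaluated, so the anchor is reached, and the next thing to look at is which later rule in the main ruleset is the one whose counters are growing instead.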