On 2020-02-12, Sebastian Benoit <benoit-li...@fb12.de> wrote:
> Paul de Weerd(we...@weirdnet.nl) on 2020.02.12 12:46:02 +0100:
>> On Wed, Feb 12, 2020 at 12:09:12PM +0100, Federico Donati wrote:
>> | Hi all,
>> |
>> | I have a couple of firewalls with carp configured and I need them to
>> | reach the Internet even when they are in BACKUP state.
>> | I'm managing pf via Ansible/GIT, so I'd like to keep the
>> | configuration of pf.conf standard and simple as much as possible.
>> |
>> | Usually, I use the notation "nat-to ($interface)" to let pf use the
>> | correct ip, but in this case I've BGP configured and the provider
>> | forces me to use a complex configuration with an alias on the
>> | external interface, like this:
>> |
>> | # ifconfig vlan835
>> | vlan835: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>> | lladdr b0:26:28:1e:e6:6e
>> | index 13 priority 0 llprio 3
>> | encap: vnetid 835 parent trunk0 txprio packet rxprio outer
>> | groups: vlan egress
>> | media: Ethernet autoselect
>> | status: active
>> | inet 1.1.1.1 netmask 0xfffffff0 broadcast 1.1.1.255
>> | inet 2.2.2.2 netmask 0xfffffff0 broadcast 2.2.2.255

Does the 2.2.2.2 address specifically need to be on this interface (i.e.
do you need to answer ARP for it)? If not then maybe you could just put
it on a loopback instead (e.g. lo1) then things are simple.

>> Alternatively, you could refer to a hostname that you then specify in
>> /etc/hosts (with a different address on each host).
>
> If you don't want to go that route, you could have a file with a local
> definition:
>
> $ cat /etc/pf/local
> natip="2.2.2.2"
>
> $ cat /etc/pf.conf
> include "/etc/pf/local"
> [...]
> pass in on em0 to any nat-to $natip
>
> Then you have pf.conf identical on both machines and /etc/pf/local per
> machine (and possibly generated by ansible differently on each box).

Or just use a j2 template rather than a plain copied file and set it
per-host from a variable in ansible. Lots of alternatives..
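As an added example (not posted by anyone in this thread), this is how the per-host macro file approach above could be driven from Ansible: one shared pf.conf, a per-host /etc/pf/local carrying only the nat-to address, and both files syntax-checked with pfctl -n before pf is reloaded. The group name, host names, the per-host addresses and the ext_if value are assumptions.

```yaml
# pf.yml - added example; hostnames and addresses are constructed
- hosts: firewalls
  become: true
  vars:
    # Per-host value; in a real tree this lives in host_vars/<host>.yml
    pf_natip_by_host:
      fw1.example.org: 2.2.2.2
      fw2.example.org: 2.2.2.3
  tasks:
    - name: Directory for the per-host pf fragment
      file:
        path: /etc/pf
        state: directory
        mode: "0755"

    - name: Per-host macro file (the only file that differs between boxes)
      copy:
        dest: /etc/pf/local
        mode: "0600"
        content: |
          natip = "{{ pf_natip_by_host[inventory_hostname] }}"
        # pfctl parses the temp copy before it is put in place
        validate: pfctl -nf %s
      notify: reload pf

    - name: Shared pf.conf, identical on every firewall
      copy:
        dest: /etc/pf.conf
        mode: "0600"
        content: |
          include "/etc/pf/local"
          ext_if = "vlan835"
          set skip on lo
          block return log
          # Source-NAT outbound traffic to this box's own address so the
          # BACKUP node still reaches the Internet without the CARP address
          pass out on $ext_if from ($ext_if:network) to any nat-to $natip
          pass in on $ext_if proto tcp to ($ext_if) port ssh
        # /etc/pf/local already exists here, so the include resolves
        validate: pfctl -nf %s
      notify: reload pf

  handlers:
    - name: reload pf
      command: pfctl -f /etc/pf.conf
```

Task order matters: the fragment is written first so that validating pf.conf does not fail on a missing include.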