Hi everyone, this is a lab; the goal is redundant firewalls with CARP and PFSYNC, and I'm trying to configure the master box. On the LAN side I have created carp2 on the vlan2 interface and it works as expected. On the WAN side I can't figure out how to make NAT work on the carp0 interface. Can someone tell me where I have a wrong or missing configuration?
OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

# cat /etc/hostname.em1
-inet
up

# cat /etc/hostname.vlan2
-inet
vnetid 2 parent em1 description "Interface VLAN-KRZ_LAN" up

# cat /etc/hostname.carp2
-inet
inet 10.0.2.254 255.255.255.0 NONE vhid 2 advbase 1 advskew 0 carpdev vlan2 pass test54321

# cat /etc/hostname.em0
-inet
up

# cat /etc/hostname.carp0
-inet
inet 10.0.15.216 255.255.255.0 NONE description "WAN_KRZ" vhid 1 advbase 1 advskew 0 carpdev em0 pass test678

# cat /etc/pf.conf
ext_if = "carp0"
lan_if = "carp2"
pfsync_if = "em3"
internal_if = "vlan1010"

set skip on { lo0 vlan em3 }

# pfsync and carp
pass quick on { $pfsync_if } proto pfsync #keep state (no-sync)
pass on { $internal_if } proto carp keep state (no-sync)

# nat
match out on $ext_if from $lan_if:network to any nat-to $ext_if

pass out

# pfctl -s rules
pass quick on em3 proto pfsync all
pass on vlan1010 proto carp all keep state (no-sync)
match out on carp0 inet from 10.0.2.0/24 to any nat-to 10.0.15.216
pass out all flags S/SA

# route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
224/4              127.0.0.1          URS        0       72 32768     8 lo0
10.0.2/24          10.0.2.254         UCn        1        0     -    19 carp2
10.0.2.201         18:03:73:b4:fa:c1  UHLc       0    11815     -    18 carp2
10.0.2.254         00:00:5e:00:01:02  UHLl       0       36     -     1 carp2
10.0.2.255         10.0.2.254         UHb        0        4     -     1 carp2
[snip]

Radek