This command should help but you may need to add some "log" to your rules:

tcpdump -nettti pflog0 will probably tell you.

I don't have a bsd VM around to test but your int_if and ext_if should
still refer to the underlying interface, not the carp.

I'd change:

ext_if=em0
int_if=vlan2
ext_carpIf=carp0

match out on $ext_if inet from 10.0.2.0/24 to any nat-to $ext_carpIf
On Wed, Apr 24, 2024, 4:50 PM Radek <r...@int.pl> wrote:

> Hi everyone,
> it's a lab, the goal is a redundant firewalls with CARP and PFSYNC, I'm
> trying to configure the master box. On the LAN side I have created carp2 on
> vlan2 interface and it works as expected.
> On the WAN side I can't figure out how to make NAT work on carp0 interface.
> Can someone tell me where I have the wrong or missing configuration?
>
> OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
>     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> # cat /etc/hostname.em1
> -inet
> up
>
> # cat /etc/hostname.vlan2
> -inet
> vnetid 2 parent em1 description "Interface VLAN-KRZ_LAN" up
>
> # cat /etc/hostname.carp2
> -inet
> inet 10.0.2.254 255.255.255.0 NONE vhid 2 advbase 1 advskew 0 carpdev vlan2 pass test54321
>
>
> # cat /etc/hostname.em0
> -inet
> up
>
> # cat /etc/hostname.carp0
> -inet
> inet 10.0.15.216 255.255.255.0 NONE description "WAN_KRZ" vhid 1 advbase 1 advskew 0 carpdev em0 pass test678
>
>
> # cat /etc/pf.conf
> ext_if = "carp0"
> lan_if = "carp2"
> pfsync_if = "em3"
> internal_if = "vlan1010"
> set skip on { lo0 vlan em3}
> # pfsync and carp
> pass quick on { $pfsync_if } proto pfsync #keep state (no-sync)
> pass on { $internal_if } proto carp keep state (no-sync)
> # nat
> match out on $ext_if from $lan_if:network to any nat-to $ext_if
> pass out
>
> # pfctl -s rules
> pass quick on em3 proto pfsync all
> pass on vlan1010 proto carp all keep state (no-sync)
> match out on carp0 inet from 10.0.2.0/24 to any nat-to 10.0.15.216
> pass out all flags S/SA
>
> # route -n show
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> 224/4              127.0.0.1          URS        0       72 32768     8 lo0
> 10.0.2/24          10.0.2.254         UCn        1        0     -    19 carp2
> 10.0.2.201         18:03:73:b4:fa:c1  UHLc       0    11815     -    18 carp2
> 10.0.2.254         00:00:5e:00:01:02  UHLl       0       36     -     1 carp2
> 10.0.2.255         10.0.2.254         UHb        0        4     -     1 carp2
> [snip]
>
> Radek
>
>
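As an added check that is not part of the thread, a small Python linter that applies the reply's two points to a pf.conf: it expands `$macro` references, flags every `nat-to` rule whose `on` interface is a carp pseudo-interface (the reply's advice is to anchor the rule on the carpdev and keep `nat-to` pointing at the carp address), and flags `nat-to` rules without `log`, since those never write to pflog0 and `tcpdump -nettti pflog0` shows nothing for them. The two sample rulesets are constructed from the thread (Radek's original and the reply's suggested rule with `log` added).

```python
import re

# Sample rulesets constructed from the thread: Radek's original and the reply's fix (plus log).
PF_CONF_ORIGINAL = """\
ext_if = "carp0"
lan_if = "carp2"
match out on $ext_if from $lan_if:network to any nat-to $ext_if
pass out
"""
PF_CONF_FIXED = """\
ext_if=em0
ext_carpIf=carp0
match out log on $ext_if inet from 10.0.2.0/24 to any nat-to $ext_carpIf
pass out
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]+?)"?\s*(?:#.*)?$')
RULE_RE = re.compile(r'^\s*(match|pass|block)\b')

def parse_macros(conf):
    """Collect 'name = value' lines; rules reference them as $name."""
    return {m.group(1): m.group(2).strip()
            for m in map(MACRO_RE.match, conf.splitlines()) if m}

def expand(rule, macros):
    """Expand $name references; repeat because a macro may reference another."""
    for _ in range(10):
        new = re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), rule)
        if new == rule:
            break
        rule = new
    return rule

def lint_pf(conf):
    """Return (line_no, code, iface) findings for every nat-to rule in conf."""
    macros = parse_macros(conf)
    findings = []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not RULE_RE.match(line) or 'nat-to' not in line:
            continue
        rule = expand(line, macros)
        on = re.search(r'\bon\s+\{?\s*([\w.]+)', rule)
        iface = on.group(1) if on else ''
        if iface.startswith('carp'):  # anchor on the carpdev, nat-to the carp address
            findings.append((no, 'nat-on-carp', iface))
        if not re.search(r'\blog\b', rule):  # no log => nothing ever reaches pflog0
            findings.append((no, 'nat-no-log', iface))
    return findings
```

Running `lint_pf` on the original ruleset reports both findings on the match rule; the corrected ruleset comes back clean.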