Try using egress and not carp0 on your match out rule. You're not technically
sending out on the carp interface, only receiving.


Make your match rule like this:

match out on egress from $lan_if:network to any nat-to (egress:0)



> On Apr 24, 2024, at 11:05 AM, Radek <r...@int.pl> wrote:
> 
> Hi everyone,
> it's a lab, the goal is a redundant firewalls with CARP and PFSYNC, I'm 
> trying to configure the master box. On the LAN side I have created carp2 on 
> vlan2 interface and it works as expected.
> On the WAN side I can't figure out how to make NAT work on carp0 interface.
> Can someone tell me where I have the wrong or missing configuration?
> 
> OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
>    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> # cat /etc/hostname.em1
> -inet
> up
> 
> # cat /etc/hostname.vlan2
> -inet
> vnetid 2 parent em1 description "Interface VLAN-KRZ_LAN" up
> 
> # cat /etc/hostname.carp2
> -inet
> inet 10.0.2.254 255.255.255.0 NONE vhid 2 advbase 1 advskew 0 carpdev vlan2 
> pass test54321
> 
> 
> # cat /etc/hostname.em0
> -inet
> up
> 
> # cat /etc/hostname.carp0
> -inet
> inet 10.0.15.216 255.255.255.0 NONE description "WAN_KRZ" vhid 1 advbase 1 
> advskew 0 carpdev em0 pass test678
> 
> 
> # cat /etc/pf.conf
> ext_if = "carp0"
> lan_if = "carp2"
> pfsync_if = "em3"
> internal_if = "vlan1010"
> set skip on { lo0 vlan em3}
> # pfsync and carp
> pass quick on { $pfsync_if } proto pfsync #keep state (no-sync)
> pass on { $internal_if } proto carp keep state (no-sync)
> # nat
> match out on $ext_if from $lan_if:network to any nat-to $ext_if
> pass out
> 
> # pfctl -s rules
> pass quick on em3 proto pfsync all
> pass on vlan1010 proto carp all keep state (no-sync)
> match out on carp0 inet from 10.0.2.0/24 to any nat-to 10.0.15.216
> pass out all flags S/SA
> 
> # route -n show
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> 224/4              127.0.0.1          URS        0       72 32768     8 lo0
> 10.0.2/24          10.0.2.254         UCn        1        0     -    19 carp2
> 10.0.2.201         18:03:73:b4:fa:c1  UHLc       0    11815     -    18 carp2
> 10.0.2.254         00:00:5e:00:01:02  UHLl       0       36     -     1 carp2
> 10.0.2.255         10.0.2.254         UHb        0        4     -     1 carp2
> [snip]
> 
> Radek
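The rule suggested in the reply, shown in the context of a whole ruleset as an added example; this is not Radek's configuration or the reply author's file. The macro values and the skip list are copied from the quoted post, and the comments explain what the egress group, the parentheses and the :0 suffix do in pf.conf.

```pf
# Added example ruleset (not from the original post). Macro values are
# taken from Radek's quoted pf.conf.
ext_if      = "carp0"        # CARP address shared with the backup firewall
lan_if      = "carp2"        # CARP address on the LAN VLAN
pfsync_if   = "em3"
internal_if = "vlan1010"

# Note: "vlan" is the interface group holding every vlan(4) interface, so
# this skips vlan1010 as well; pf does not evaluate rules on skipped interfaces.
set skip on { lo0 vlan em3 }

# pfsync and carp traffic. "(no-sync)" keeps these states out of the pfsync
# stream so they are not replicated to the backup box.
pass quick on $pfsync_if proto pfsync keep state (no-sync)
pass on $internal_if proto carp keep state (no-sync)

# NAT on egress rather than on carp0. "egress" is the interface group that
# automatically contains whichever interface carries the default route, so the
# rule follows the WAN path instead of a fixed interface name. The parentheses
# make pf resolve the address at runtime (it tracks address changes instead of
# being fixed when the ruleset is loaded), and ":0" selects only the first
# address on that interface, ignoring aliases.
match out on egress from $lan_if:network to any nat-to (egress:0)

pass out
```

To verify which interface the egress group currently contains, run `ifconfig egress`; then check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm with `pfctl -s rules` that the match rule is now bound to egress rather than to carp0.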
