Thank you for all your hints.

> match out on egress from $lan_if:network to any nat-to (egress:0)

This rule doesn't work.

> ext_if=em0
> int_if=vlan2
> ext_carpIf=carp0
> match out on $ext_if inet from $int_if:network to any nat-to $ext_carpIf

This rule works as expected.

On Wed, 24 Apr 2024 17:14:49 -0400
Mike <rizzz2...@gmail.com> wrote:

> This command should help but you may need to add some "log" to your rules:
>
> tcpdump -nettti pflog0 will probably tell you.
>
> I don't have a bsd VM around to test but your int_if and ext_if should
> still refer to the underlying interface, not the carp.
>
> I'd change:
>
> ext_if=em0
> int_if=vlan2
> ext_carpIf=carp0
>
> match out on $ext_if inet from 10.0.2.0/24 to any nat-to $ext_carpIf
>
> On Wed, Apr 24, 2024, 4:50 PM Radek <r...@int.pl> wrote:
>
> > Hi everyone,
> > it's a lab, the goal is redundant firewalls with CARP and PFSYNC, I'm
> > trying to configure the master box. On the LAN side I have created carp2 on
> > the vlan2 interface and it works as expected.
> > On the WAN side I can't figure out how to make NAT work on the carp0 interface.
> > Can someone tell me where I have the wrong or missing configuration?
> >
> > OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
> > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > # cat /etc/hostname.em1
> > -inet
> > up
> >
> > # cat /etc/hostname.vlan2
> > -inet
> > vnetid 2 parent em1 description "Interface VLAN-KRZ_LAN" up
> >
> > # cat /etc/hostname.carp2
> > -inet
> > inet 10.0.2.254 255.255.255.0 NONE vhid 2 advbase 1 advskew 0 carpdev vlan2 pass test54321
> >
> > # cat /etc/hostname.em0
> > -inet
> > up
> >
> > # cat /etc/hostname.carp0
> > -inet
> > inet 10.0.15.216 255.255.255.0 NONE description "WAN_KRZ" vhid 1 advbase 1 advskew 0 carpdev em0 pass test678
> >
> > # cat /etc/pf.conf
> > ext_if = "carp0"
> > lan_if = "carp2"
> > pfsync_if = "em3"
> > internal_if = "vlan1010"
> > set skip on { lo0 vlan em3}
> > # pfsync and carp
> > pass quick on { $pfsync_if } proto pfsync #keep state (no-sync)
> > pass on { $internal_if } proto carp keep state (no-sync)
> > # nat
> > match out on $ext_if from $lan_if:network to any nat-to $ext_if
> > pass out
> >
> > # pfctl -s rules
> > pass quick on em3 proto pfsync all
> > pass on vlan1010 proto carp all keep state (no-sync)
> > match out on carp0 inet from 10.0.2.0/24 to any nat-to 10.0.15.216
> > pass out all flags S/SA
> >
> > # route -n show
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> > 224/4              127.0.0.1          URS        0       72 32768     8 lo0
> > 10.0.2/24          10.0.2.254         UCn        1        0     -    19 carp2
> > 10.0.2.201         18:03:73:b4:fa:c1  UHLc       0    11815     -    18 carp2
> > 10.0.2.254         00:00:5e:00:01:02  UHLl       0       36     -     1 carp2
> > 10.0.2.255         10.0.2.254         UHb        0        4     -     1 carp2
> > [snip]
> >
> > Radek
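The thread's finding, pulled together as an added example (not configuration from the original mails): a pf.conf for this lab that matches NAT on the carpdev em0 and uses the carp0 address only as the translation address, with log on the rule so a hit can be confirmed on pflog0 as Mike suggested. Interface names and addresses are the ones from the thread; the macro names, the carp pass rule on the carpdevs and the default block policy are assumptions.

```pf
# Added example, not the thread's own pf.conf. Interface names and addresses
# are from the lab in the thread; macro names and filter policy are assumed.
ext_if      = "em0"       # physical WAN interface, carpdev of carp0
int_if      = "vlan2"     # physical LAN interface, carpdev of carp2
ext_carp    = "carp0"     # shared WAN address 10.0.15.216 lives here
lan_carp    = "carp2"     # shared LAN gateway 10.0.2.254 lives here
pfsync_if   = "em3"
internal_if = "vlan1010"

set skip on lo0

# pfsync and carp: advertisements travel over the carpdevs, so pass carp there
# too once there is a default block (assumption; the thread only lists vlan1010).
pass quick on $pfsync_if proto pfsync
pass on { $ext_if $int_if $internal_if } proto carp keep state (no-sync)

# What did not work in the thread: "out on carp0" never matched, so nothing
# was translated even though pfctl -s rules showed the rule as expected.
# match out on $ext_carp from $lan_carp:network to any nat-to $ext_carp

# What worked: match on the carpdev em0, take the source network from carp2
# (the interface that actually holds 10.0.2.254/24) and translate to the
# carp0 address. "log" sends each match to pflog0.
match out log on $ext_if inet from $lan_carp:network to any nat-to $ext_carp

block log all
pass in  on $int_if inet from $lan_carp:network to any
pass out on $ext_if inet

# Checks after "pfctl -f /etc/pf.conf":
#   pfctl -s rules                # expect "match out log on em0 inet from 10.0.2.0/24 to any nat-to 10.0.15.216"
#   tcpdump -nettti pflog0        # logged matches appear on em0 when a LAN host sends traffic
#   pfctl -s state                # translated states should show 10.0.15.216 as the NAT address
```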