> On Apr 25, 2024, at 10:36 AM, Radek <r...@int.pl> wrote:
>
> Thank you for all your hints.
>
>> match out on egress from $lan_if:network to any nat-to (egress:0)
> This rule doesn't work.
Change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will work
as the rule you say works.
FWIW, the $lan_if came from your config's existing “match”.
https://www.openbsd.org/faq/pf/filter.html#syntax - under “interface” you can
find out about “egress”. I definitely prefer it to hard coding an interface in
yet another line of a pf.conf
I was presuming you didn't mind matching to $ext_if's IP for new sessions
outbound, hence (egress:0). Matching to the carp IP works. (This is basically
a source NAT rule in commercial-network-vendor speak.)
>
>> ext_if=em0
>> int_if=vlan2
>> ext_carpIf=carp0
>> match out on $ext_if inet from $int_if:network to any nat-to $ext_carpIf
> This rule works as expected.
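The two variants discussed in the thread side by side, as an added pf.conf fragment (not from either poster's configuration). It assumes em0 is the upstream interface and therefore a member of the "egress" group, vlan2 is the LAN, and carp0 carries the shared external address of the firewall pair.

```conf
# Added example, not from the thread: minimal source-NAT section of a
# pf.conf on a CARP firewall pair, using the macro names from the thread.
# Assumptions: em0 holds the default route (so it is in the "egress"
# interface group), vlan2 is the LAN, carp0 is the shared external address.
ext_if     = "em0"
int_if     = "vlan2"
ext_carpif = "carp0"

# Working rule from the thread: translate LAN clients to the shared CARP
# address. Because the address is shared, the peer can keep serving the
# same translated sessions after a failover (given pfsync between them).
match out on $ext_if inet from $int_if:network to any nat-to $ext_carpif

# Variant using the interface group instead of a hard-coded interface.
# "egress" is the group holding the default-route interface, and "(egress:0)"
# is that interface's own primary address (the ":0" drops aliases, the
# parentheses re-read the address when it changes). On this pair that is
# em0's address, not carp0, which is the difference the thread is about.
# match out on egress inet from $int_if:network to any nat-to (egress:0)
```

Check the parse and the expanded rule with `pfctl -nf /etc/pf.conf` and `pfctl -sr`, and confirm which interface sits in the group with `ifconfig -g egress` before relying on the egress form.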