If I remember right, you can run 'ifconfig' and see if that interface is marked as an egress interface or not. I can't remember how OBSD determines which interfaces are egress or not, but your em0 seems to be in a private network, so it might not be classifying itself as egress.
Nevertheless, writing egress or $ext_If, what difference does it really make? You're just repeating a different word. Lol

On Sun, Apr 28, 2024, 12:08 PM Radek <r...@int.pl> wrote:

> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will
> > work as the rule you say works.
> I made minor changes and tested the egress version.
>
> ext_if = "em0"
> ext_carpif = "carp0"
> int_if = "carp2"
>
> This rule works for me:
> match out log on $ext_if from $int_if:network to any nat-to $ext_carpif
>
> It seems it should work fine as well, but it doesn't:
> match out log on egress from $int_if:network to any nat-to $ext_carpif
>
>
> On Thu, 25 Apr 2024 13:53:32 -0700
> obs...@loopw.com wrote:
>
> > > On Apr 25, 2024, at 10:36 AM, Radek <r...@int.pl> wrote:
> > >
> > > Thank you for all your hints.
> > >
> > >> match out on egress from $lan_if:network to any nat-to (egress:0)
> > > This rule doesn't work.
> >
> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will
> > work as the rule you say works.
> >
> > fwiw, the $lan_if came from your config's existing "match"
> >
> > https://www.openbsd.org/faq/pf/filter.html#syntax - under "interface"
> > you can find out about "egress". I definitely prefer it to hard coding an
> > interface in yet another line of a pf.conf
> >
> > I was presuming you didn't mind matching to $ext_if's ip for new sessions
> > outbound, hence (egress:0). Matching to the carp ip works. (this is
> > basically a source nat rule in commercial-network-vendor speak)
> >
> > >> ext_if=em0
> > >> int_if=vlan2
> > >> ext_carpIf=carp0
> > >
> > >> match out on $ext_if inet from $int_if:network to any nat-to $ext_carpIf
> > > This rule works as expected.
> >
> > Radek
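As an added example (not from anyone in the thread), here is a small POSIX sh/awk check for the step suggested at the top: read `ifconfig -a` output and report which interfaces carry "egress" on their "groups:" line, which is what the egress rule actually matches on. The ifconfig text below is constructed sample output with documentation addresses; on a live OpenBSD host `ifconfig egress` lists the group members directly, so the parser is only useful for output you already have (a pasted post, a saved support bundle).

```shell
# Constructed sample of OpenBSD `ifconfig -a` output, not captured from the
# thread: em0 has no "groups:" line at all, carp0 is in "carp egress".
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:01
        inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp egress
        inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        groups: carp
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255'

# egress_members: read ifconfig output on stdin, print one interface name
# per line for every interface whose "groups:" line contains "egress".
egress_members() {
    awk '
        # An unindented "name:" line starts a new interface block.
        /^[a-z]+[0-9]+:/ { iface = $1; sub(":", "", iface) }
        # The indented "groups:" line lists that interface'"'"'s groups.
        /^[ \t]+groups:/ {
            for (i = 2; i <= NF; i++) if ($i == "egress") print iface
        }
    '
}

# in_egress IFACE: read ifconfig output on stdin; exit 0 if IFACE is in
# the egress group, 1 otherwise.
in_egress() {
    egress_members | grep -qx "$1"
}

# Stand-alone run: which interfaces in the sample would a rule
# "on egress" apply to?
printf '%s\n' "$SAMPLE_IFCONFIG" | egress_members
```

If the interface the NAT traffic really leaves on (em0 in the thread) is not listed, a rule written "on egress" will never see that traffic, while the same rule written "on $ext_if" will.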