Hi. I'm trying to dynamically insert nat-to rules inside an anchor for failover/load balancing purposes on OpenBSD 4.9. The rules get evaluated but packet/byte/state count is zero. Can somebody please tell me what I'm doing wrong?
Below are the two sets of rules I've tried, one without an anchor and another with an anchor, as well as sample evaluation, packet, byte, and state counts for each nat-to rule.

### nat-to rules inside "/" ###

# Rules
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

pass out on vlan2 inet from <rfc1918> to ! <rfc1918> nat-to vlan2
pass out on vlan3 inet from <rfc1918> to ! <rfc1918> nat-to vlan3

pass out on vlan2 inet from vlan3 route-to (vlan3 124.107.174.129)
pass out on vlan3 inet from vlan2 route-to (vlan2 116.50.188.1)

# Stats
pass out on vlan2 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 116.50.188.8
  [ Evaluations: 2816      Packets: 187       Bytes: 53419       States: 26    ]
  [ Inserted: uid 0 pid 25555 State Creations: 26    ]
pass out on vlan3 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 124.107.174.137
  [ Evaluations: 2610      Packets: 392       Bytes: 199902      States: 22    ]
  [ Inserted: uid 0 pid 25555 State Creations: 22    ]

### nat-to rules inside "/WAN-NAT" ###

# Rules
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

anchor "WAN-NAT" {
	pass out on vlan2 inet from <rfc1918> to ! <rfc1918> nat-to vlan2
	pass out on vlan3 inet from <rfc1918> to ! <rfc1918> nat-to vlan3
}

pass out on vlan2 inet from vlan3 route-to (vlan3 124.107.174.129)
pass out on vlan3 inet from vlan2 route-to (vlan2 116.50.188.1)

# Stats
pass out on vlan2 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 116.50.188.8
  [ Evaluations: 3504      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 27150 State Creations: 0     ]
pass out on vlan3 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 124.107.174.137
  [ Evaluations: 3235      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 27150 State Creations: 0     ]

Thanks and regards,

--
Justin Jereza
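The symptom in the post, rules that are evaluated thousands of times but never create a state, is easy to miss by eye in a long ruleset. The following script is an added example, not part of the post or of OpenBSD; it parses the `pfctl -vvs rules` counter lines in the format quoted above and flags every rule whose Evaluations counter is non-zero while Packets and States stay at zero. The sample input is constructed from the four stats blocks in the post.

```python
import re

# Constructed sample of "pfctl -vvs rules" output, assembled from the counters
# quoted in the post (two working rules from "/", two dead ones from "WAN-NAT").
SAMPLE_OUTPUT = """\
pass out on vlan2 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 116.50.188.8
  [ Evaluations: 2816      Packets: 187       Bytes: 53419       States: 26    ]
  [ Inserted: uid 0 pid 25555 State Creations: 26    ]
pass out on vlan3 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 124.107.174.137
  [ Evaluations: 2610      Packets: 392       Bytes: 199902      States: 22    ]
  [ Inserted: uid 0 pid 25555 State Creations: 22    ]
pass out on vlan2 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 116.50.188.8
  [ Evaluations: 3504      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 27150 State Creations: 0     ]
pass out on vlan3 inet from <rfc1918> to ! <rfc1918> flags S/SA keep state nat-to 124.107.174.137
  [ Evaluations: 3235      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 27150 State Creations: 0     ]
"""

# The per-rule counter line printed by pfctl in verbose mode.
STATS_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)


def parse_rules(text):
    """Return a list of (rule_text, evaluations, packets, bytes, states)."""
    rules = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = STATS_RE.match(stripped)
        if m and current is not None:
            rules.append((current,) + tuple(int(x) for x in m.groups()))
            continue
        if stripped.startswith("[ Inserted:"):
            continue  # second counter line, carries nothing we need here
        current = stripped  # any other line starts a new rule
    return rules


def dead_rules(text):
    """Rules that pf evaluated but that never matched a packet or created a
    state: the behaviour the post reports for the rules inside the anchor."""
    return [r[0] for r in parse_rules(text) if r[1] > 0 and r[2] == 0 and r[4] == 0]


if __name__ == "__main__":
    for rule in dead_rules(SAMPLE_OUTPUT):
        print("evaluated but never matched:", rule)
```

Run it against `pfctl -a WAN-NAT -vvs rules` as well as the plain `pfctl -vvs rules`, since rules inside an anchor are only listed when the anchor is named.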