Hi all,

I have a couple of firewalls with CARP configured and I need them to reach the Internet even when they are in BACKUP state. I'm managing pf via Ansible/Git, so I'd like to keep the pf.conf configuration as standard and simple as possible.

Usually, I use the notation "nat-to ($interface)" to let pf use the correct IP, but in this case I have BGP configured and the provider forces me to use a complex configuration with an alias on the external interface, like this:

# ifconfig vlan835
        lladdr b0:26:28:1e:e6:6e
        index 13 priority 0 llprio 3
        encap: vnetid 835 parent trunk0 txprio packet rxprio outer
        groups: vlan egress
        media: Ethernet autoselect
        status: active
        inet netmask 0xfffffff0 broadcast
        inet netmask 0xfffffff0 broadcast

So, is the "transit IP" for BGP, the one we must use to talk to the provider's router and that I can't use as the masquerading IP.

The IP is the one I should use to mask my traffic to the Internet, and it is different on each firewall.

Is there a way to tell pf to use the first alias of the interface to mask the traffic? Something like "nat-to (vlan835:1)"...

I would like to keep things simple and avoid using the include directive, if possible.

Thank you for your suggestions.
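One way to keep pf.conf byte-identical on both hosts without the include directive is to leave the per-host masquerade address out of the file entirely: pf.conf references a macro (`$masq`), and the value is supplied at load time with `pfctl -D masq=...`, which pfctl(8) documents as overriding the macro's definition in the ruleset. The script below, added here as an example and not part of the original post, picks the n-th "inet" line out of ifconfig(8) output so the second address (the alias) can be fed to pfctl. The interface name, macro name and the sample ifconfig output with RFC 5737 documentation addresses are constructed for the example; the real addresses were not in the post.

```shell
#!/bin/sh
# Added example, not from the original post: derive the masquerade address
# from the interface's second "inet" entry and pass it to pfctl as a macro,
# so the same pf.conf can be deployed unchanged to every CARP member.

# nth_inet <n>: read ifconfig(8) output on stdin, print the n-th IPv4 address.
# ifconfig lists the primary address first and aliases after it, so n=2 is
# the first alias.
nth_inet() {
    awk -v want="$1" '$1 == "inet" { n++; if (n == want) { print $2; exit } }'
}

# Constructed sample mirroring the layout shown in the post, with
# documentation addresses standing in for the real transit and alias IPs.
SAMPLE='vlan835: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr b0:26:28:1e:e6:6e
        index 13 priority 0 llprio 3
        encap: vnetid 835 parent trunk0 txprio packet rxprio outer
        groups: vlan egress
        media: Ethernet autoselect
        status: active
        inet 203.0.113.2 netmask 0xfffffff0 broadcast 203.0.113.15
        inet 203.0.113.3 netmask 0xfffffff0 broadcast 203.0.113.15'

# Returns the alias (second inet address) from the constructed sample.
masq_from_sample() {
    printf '%s\n' "$SAMPLE" | nth_inet 2
}

# Returns the transit address (first inet address) from the constructed sample.
transit_from_sample() {
    printf '%s\n' "$SAMPLE" | nth_inet 1
}

# Assumed usage on the firewall itself (needs a live ifconfig/pfctl, so it is
# not executed here):
#
#   masq=$(ifconfig vlan835 | nth_inet 2)
#   pfctl -D "masq=$masq" -f /etc/pf.conf
#
# with a pf.conf that is identical on both hosts and contains, for example:
#
#   masq = "127.0.0.1"                      # placeholder, overridden by -D
#   match out on vlan835 inet from ! (vlan835) nat-to $masq
#
# The "from ! (vlan835)" part matters with BGP: without it the firewall's own
# packets sourced from the transit address (the BGP session itself) would be
# rewritten to the alias as well.
```

Running the script through the Ansible handler that reloads pf keeps the address selection on the host rather than in the repository; the only thing the repository needs to know is which interface and which position in its address list to use.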


