Hi all,

I have a couple of firewalls with carp configured and I need them to reach the Internet even when they are in BACKUP state. I'm managing pf via Ansible/Git, so I'd like to keep the configuration in pf.conf as standard and simple as possible.

Usually, I use the notation "nat-to ($interface)" to let pf use the correct IP, but in this case I have BGP configured and the provider forces me to use a complex configuration with an alias on the external interface, like this:

# ifconfig vlan835
vlan835: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr b0:26:28:1e:e6:6e
        index 13 priority 0 llprio 3
        encap: vnetid 835 parent trunk0 txprio packet rxprio outer
        groups: vlan egress
        media: Ethernet autoselect
        status: active
        inet 1.1.1.1 netmask 0xfffffff0 broadcast 1.1.1.255
        inet 2.2.2.2 netmask 0xfffffff0 broadcast 2.2.2.255

So, 1.1.1.1 is the "transit ip" for the BGP, the one we must use to talk with the provider's router and that I can't use as masquerading ip.

The ip 2.2.2.2 is the one that I should use to mask my traffic to the Internet, and is different on each firewall.

Is there a way to tell pf to use the first alias of the interface to mask the traffic? Something like "nat-to (vlan835:1)"...

I would like to keep things simple and avoid using the include directive, if possible.

Thank you for your suggestions.

Bye
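As an added illustration (not part of the original post or any reply to it): one way to keep pf.conf identical on every CARP member is to leave the per-host NAT address out of the file entirely and inject it at load time with pfctl's -D macro=value option, deriving it from the interface's address list. The script below parses ifconfig(8) output for the N-th "inet" line and prints the pfctl invocation; the ifconfig text embedded in it is constructed to match the one quoted in the post, and the macro name nat_ip, the rule shown in the comments, and the assumption that ifconfig lists the BGP transit address first and the NAT alias second are all this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Picks the N-th "inet" address
# of an interface from ifconfig(8) output and hands it to pf as a macro with
# "pfctl -D", so pf.conf itself stays the same on every firewall.
#
# Assumed pf.conf fragment (hypothetical, referencing the macro defined below):
#   ext_if = "vlan835"
#   match out on $ext_if inet from !($ext_if) to any nat-to $nat_ip
#
# Assumption: ifconfig prints addresses in configuration order, so the first
# inet line is the BGP transit address and the second is the NAT alias.

# Constructed sample, copied from the ifconfig output in the post.
SAMPLE_IFCONFIG='vlan835: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr b0:26:28:1e:e6:6e
        index 13 priority 0 llprio 3
        encap: vnetid 835 parent trunk0 txprio packet rxprio outer
        groups: vlan egress
        media: Ethernet autoselect
        status: active
        inet 1.1.1.1 netmask 0xfffffff0 broadcast 1.1.1.255
        inet 2.2.2.2 netmask 0xfffffff0 broadcast 2.2.2.255'

# inet_addr_n TEXT N: print the N-th IPv4 address (1-based) found on "inet"
# lines of ifconfig output TEXT; return 1 if there are fewer than N of them.
inet_addr_n() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == "inet" { c++; if (c == n) { print $2; found = 1; exit } }
        END { exit(found ? 0 : 1) }'
}

# pf_load_args IFACE N: the pfctl arguments that define nat_ip from the N-th
# inet address of IFACE on a live system (runs ifconfig, not the sample).
# Use as: pfctl $(pf_load_args vlan835 2)
pf_load_args() {
    addr=$(inet_addr_n "$(ifconfig "$1")" "$2") || return 1
    printf -- '-D nat_ip=%s -f /etc/pf.conf\n' "$addr"
}

# Demo against the constructed sample: the second inet address is the NAT one.
nat_ip=$(inet_addr_n "$SAMPLE_IFCONFIG" 2) || exit 1
echo "would run: pfctl -D nat_ip=$nat_ip -f /etc/pf.conf"
```

Because the address is supplied on the command line, the same pf.conf can be deployed unchanged by Ansible to both nodes; the only per-host piece is the pfctl call in whatever wrapper or rc script loads the ruleset. If the order of aliases on the interface ever changes, inet_addr_n picks the wrong one, so it is worth asserting on the resulting address before loading.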
