I have a couple of firewalls with CARP configured and I need them to
reach the Internet even when they are in BACKUP state.
I'm managing pf via Ansible/Git, so I'd like to keep the pf.conf
configuration as standard and simple as possible.
Usually, I use the notation "nat-to ($interface)" to let pf pick the
correct IP, but in this case I have BGP configured and the provider forces
me to use a complex configuration with an alias on the external
interface, like this:
# ifconfig vlan835
vlan835: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
index 13 priority 0 llprio 3
encap: vnetid 835 parent trunk0 txprio packet rxprio outer
groups: vlan egress
media: Ethernet autoselect
inet 220.127.116.11 netmask 0xfffffff0 broadcast 18.104.22.168
inet 22.214.171.124 netmask 0xfffffff0 broadcast 126.96.36.199
So, 188.8.131.52 is the "transit IP" for BGP, the one we must use to talk
to the provider's router, and the one I can't use as the masquerading IP.
The IP 184.108.40.206 is the one I should use to mask my traffic to the
Internet, and it is different on each firewall.
Is there a way to tell pf to use the first alias of the interface to mask
the traffic? Something like "nat-to (vlan835:1)"...
I would like to keep things simple and avoid using the include
directive, if possible.
Thank you for your suggestions.
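An added pf.conf fragment, not part of the original post, contrasting the usual "(interface:0)" form with an explicit per-host address. pf.conf(5) documents the ":0" modifier as "do not include interface aliases", so in a layout like the one above it resolves to the primary (transit) address rather than the alias. The interface name, the macro names and the documentation-range addresses are assumptions.

```conf
# Added example, not from the original post. Interface name, macro
# names and addresses are placeholders (RFC 5737 documentation range).
# The masquerade address is the alias and differs per firewall, so it
# is assumed to be filled in per host, e.g. by the template that
# renders pf.conf.
ext_if  = "vlan835"
masq_ip = "192.0.2.18"   # assumed: this host's alias on $ext_if

# Usual form: "($ext_if:0)" is the interface address without its
# aliases, i.e. the primary (transit) address here, which is exactly
# the one that must not be used for masquerading in this setup.
# match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)

# Explicit form: translate everything leaving $ext_if that is not
# already sourced from the external subnet to the per-host alias.
match out on $ext_if inet from !($ext_if:network) to any nat-to $masq_ip
```

Check the rendered file before loading it with "pfctl -nf /etc/pf.conf" (parse only), then "pfctl -f /etc/pf.conf"; "pfctl -sr" afterwards shows the nat-to address the rule actually resolved to.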