Hi all,
I have a couple of firewalls with carp configured and I need them to
reach the Internet even when they are in BACKUP state.
I'm managing pf via Ansible/Git, so I'd like to keep the pf.conf
configuration as standard and simple as possible.
Usually, I use the notation "nat-to ($interface)" to let pf use the
correct IP, but in this case I have BGP configured and the provider forces
me to use a complex configuration with an alias on the external
interface, like this:
# ifconfig vlan835
vlan835: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr b0:26:28:1e:e6:6e
index 13 priority 0 llprio 3
encap: vnetid 835 parent trunk0 txprio packet rxprio outer
groups: vlan egress
media: Ethernet autoselect
status: active
inet 1.1.1.1 netmask 0xfffffff0 broadcast 1.1.1.255
inet 2.2.2.2 netmask 0xfffffff0 broadcast 2.2.2.255
So, 1.1.1.1 is the "transit IP" for BGP, the one we must use to talk
to the provider's router and which I can't use as the masquerading IP.
The IP 2.2.2.2 is the one I should use to masquerade my traffic to the
Internet, and it is different on each firewall.
Is there a way to tell pf to use the first alias of the interface to
masquerade the traffic? Something like "nat-to (vlan835:1)"...
I would like to keep things simple and avoid using the include
directive, if possible.
Thank you for your suggestions.
Bye
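One way to keep a single pf.conf on every CARP node while still translating to the per-host alias, as an added example that is not part of the original post: extract the first alias from ifconfig(8) output and hand it to pf as a macro with `pfctl -D`, which defines a macro on the command line before the ruleset is parsed. The ifconfig text below is a constructed sample modelled on the post; the macro name `nat_ip`, the helper names and the pf rule in the usage comment are this example's own assumptions, not something the poster or pf.conf(5) prescribes.

```shell
#!/bin/sh
# Added example (not from the original post): pick the first alias of an
# interface from ifconfig(8) output and feed it to pf as a macro, so the
# pf.conf managed by Ansible can stay identical on every CARP node.
# Assumptions: OpenBSD ifconfig output layout as shown in the post; the
# macro name "nat_ip" and the rule in the usage comment are illustrative.

# Constructed sample of `ifconfig vlan835` output, modelled on the post.
SAMPLE_IFCONFIG='vlan835: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr b0:26:28:1e:e6:6e
        index 13 priority 0 llprio 3
        encap: vnetid 835 parent trunk0 txprio packet rxprio outer
        groups: vlan egress
        media: Ethernet autoselect
        status: active
        inet 1.1.1.1 netmask 0xfffffff0 broadcast 1.1.1.255
        inet 2.2.2.2 netmask 0xfffffff0 broadcast 2.2.2.255'

# nth_inet TEXT N: print the N-th IPv4 address (1 = primary address,
# 2 = first alias) found in the ifconfig output passed as TEXT.
# Only lines whose first field is exactly "inet" count, so inet6 lines
# are skipped. Exits 1 when there is no N-th address.
nth_inet() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "inet" { n++; if (n == want) { print $2; found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# first_alias IFACE: query the live interface and print its first alias.
# Fails (exit 1) if the interface has no alias, so a caller can refuse to
# load a ruleset with an empty macro instead of silently translating to
# the transit address.
first_alias() {
    nth_inet "$(ifconfig "$1")" 2
}

# Usage on a node (not executed here; ifconfig output varies per host):
#   nat_ip=$(first_alias vlan835) || { echo "no alias on vlan835" >&2; exit 1; }
#   pfctl -D "nat_ip=$nat_ip" -f /etc/pf.conf
# with a pf.conf that references the macro but never defines it, e.g.:
#   match out on vlan835 inet from $lan_net nat-to $nat_ip

# Demonstration on the constructed sample:
echo "primary:     $(nth_inet "$SAMPLE_IFCONFIG" 1)"
echo "first alias: $(nth_inet "$SAMPLE_IFCONFIG" 2)"
```

Because the macro is supplied at load time rather than written into pf.conf, the file checked into Git stays byte-identical on both nodes; the per-host difference lives in the command that loads it (or in the Ansible task that runs it). The failure check matters: if the alias is missing on a node, `first_alias` exits non-zero and the ruleset is not loaded, rather than pf picking up whatever address happens to be first on the interface.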