On Wed, Feb 12, 2020 at 12:09:12PM +0100, Federico Donati wrote:
| Hi all,
|
| I have a couple of firewalls with carp configured and I need them to
| reach the Internet even when they are in BACKUP state.
| I'm managing pf via Ansible/GIT, so I'd like to keep the
| configuration of pf.conf standard and simple as much as possible.
|
| Usually, I use the notation "nat-to ($interface)" to let pf use the
| correct ip, but in this case I have BGP configured and the provider
| forces me to use a complex configuration with an alias on the
| external interface, like this:
|
| # ifconfig vlan835
| vlan835: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
| lladdr b0:26:28:1e:e6:6e
| index 13 priority 0 llprio 3
| encap: vnetid 835 parent trunk0 txprio packet rxprio outer
| groups: vlan egress
| media: Ethernet autoselect
| status: active
| inet 1.1.1.1 netmask 0xfffffff0 broadcast 1.1.1.255
| inet 2.2.2.2 netmask 0xfffffff0 broadcast 2.2.2.255
Surely the provider doesn't force 1.1.1.1 to be the "primary" and
2.2.2.2 to be the alias? How could they tell the difference?
| So, 1.1.1.1 is the "transit ip" for the BGP, the one we must use to
| talk with the provider's router and that I can't use as masquerading
| ip.
|
| The ip 2.2.2.2 is the one that I should use to mask my traffic to
| the Internet, and is different on each firewall.
|
| Is there a way to tell pf to use the first alias of the interface to
| mask the traffic? Something like "nat-to (vlan835:1)"...
Could you make 1.1.1.1 the alias and 2.2.2.2 the primary address?
Then your NAT rule could simply use (vlan835:0).
Alternatively, you could refer to a hostname that you then specify in
/etc/hosts (with a different address on each host).
As far as I know, there's no way to refer to the 'first alias'. What
is the 'first alias' anyway? The first one you configured? Or the
last one? Since you're using the '(interface)' specification (with
the parentheses), you're using dynamically changing addresses .. what
does that mean in the context of 'first alias'?
| I would like to keep things simple and avoid using the include
| directive, if possible.
I tend to dislike the whole IP address "aliases" thing more and more
recently... :)
Cheers,
Paul 'WEiRD' de Weerd
--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
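The two alternatives Paul suggests (swap primary and alias, or use a hostname from /etc/hosts), written out as OpenBSD configuration as an added example that is not part of either message in the thread. It assumes the thread's addresses with the /28 mask the hex netmask implies, a constructed internal network 10.0.0.0/24, a constructed hostname natip, and a constructed second-firewall address 2.2.2.3.

```conf
# /etc/hostname.vlan835 (constructed): make 2.2.2.2 the primary address
# and 1.1.1.1 the alias, so "(vlan835:0)" (interface address with aliases
# excluded) yields the masquerading address instead of the BGP transit ip.
vnetid 835
parent trunk0
inet 2.2.2.2 255.255.255.240
inet alias 1.1.1.1 255.255.255.240
up

# /etc/pf.conf, option 1: NAT to the primary address. The ":0" modifier
# excludes aliases; the parentheses keep the rule bound to whatever address
# is currently configured, so the same pf.conf works on both firewalls.
ext_if = "vlan835"
int_net = "10.0.0.0/24"        # constructed internal network
match out on $ext_if inet from $int_net nat-to ($ext_if:0)

# /etc/pf.conf, option 2: a hostname that /etc/hosts maps to a different
# address on each firewall (natip and 2.2.2.3 are constructed values):
#   fw1 /etc/hosts:  2.2.2.2  natip
#   fw2 /etc/hosts:  2.2.2.3  natip
# Without parentheses the name is resolved once, when the ruleset loads.
match out on $ext_if inet from $int_net nat-to natip
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading and inspect the loaded rules with `pfctl -sr`; with option 2 a changed /etc/hosts entry only takes effect after the ruleset is reloaded.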