Try something like this in pf.conf:

pass in on hvn1 proto tcp from <allowed_ssh> to (hvn1) port 22 reply-to 10.0.0.1@hvn1

The reason you have to do this is because you have the same router address on 
hvn0 and hvn1 (10.0.0.1).  Another option is to use route tables.

Let me know if you have any questions.  I run a lot of OpenBSD in Azure.

-Brian

> On Apr 26, 2020, at 12:03 PM, 4642 <4...@protonmail.com> wrote:
> 
> Hi, I have created an OpenBSD 6.6 VM in the Azure cloud that I plan to use 
> as a Firewall, I had planned on using carp but I can't get it working in 
> Azure so I think I can use an Internal load balancer to achieve my aim of 
> having two redundant OBSD Firewalls in Azure. The problem I have is that the 
> Azure Internal Load Balancer requires a health probe to work. So I create a 
> load balancer health probe and set it to the SSH service on my FW Host and 
> set it to every 5 seconds. I can see the traffic on my FW but the health 
> probe doesn't work and I think it's because the traffic from the Azure 
> discover ip "168.63.129.16" that is doing the probe is coming from within the 
> azure network, hitting my internal nic and then onto the ssh service? and 
> then finally leaving but on the external interface.
> 
> tcpdump -n -e -ttt -i pflog0  -v
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> Apr 26 15:59:30.082436 rule 1/(match) [uid 0, pid 44293] block out on hvn0: 
> [orig src 10.x.x.36:22, dst 168.63.129.16:54762] 10.x.x.4.65324 > 
> 168.63.129.16.54762: S [bad tcp cksum 9d0b! -> 9e14] 252441079:252441079(0) 
> ack 3958895254 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6> (DF) (ttl 64, 
> id 2960, len 52, bad ip cksum 0! -> 52f0)
> 
> Rule 1 = block log all
> 168.63.129.16 = Azure Discovery Address
> 10.x.x.4      = My External IP on hvn0
> 10.x.x.36     = My Internal IP on hvn1
> 
> I tried changing the state rules to allow the traffic out on the external 
> interface and I thought I had it working earlier today by changing 
> state-policy from if-bound to floating but I can't reproduce that again for 
> some reason...  anyway it didn't seem to work.
> I think I really just need to force the traffic back out the Internal 
> interface but I just don't know how to do that ?
> 
> If anyone could help me it would be really appreciated.
> Thanks
> 
> Keith
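A fuller pf.conf fragment built around the reply-to rule Brian suggests, added here as an example rather than taken from either message. The interface names, the shared gateway 10.0.0.1 and the probe address 168.63.129.16 come from the thread; the macro names, the table contents and the admin network 10.1.2.0/24 are assumptions.

```conf
# Added example, not from the thread. Constructed values: the $ext_if/$int_if
# macros, the <allowed_ssh> table contents and the 10.1.2.0/24 admin network.

ext_if = "hvn0"   # external NIC (default route leaves here)
int_if = "hvn1"   # internal NIC, where the load balancer probe arrives

# Only these sources may reach sshd through the internal interface:
# the Azure probe/discovery address from the thread plus an admin network.
table <allowed_ssh> { 168.63.129.16, 10.1.2.0/24 }

set skip on lo
block log all

# Health probe and admin SSH arriving on $int_if. Both NICs share the
# gateway 10.0.0.1, so without reply-to the SYN-ACK follows the default
# route out $ext_if (the "block out on hvn0" seen in the pflog) and the
# probe fails. reply-to pins replies for this state to $int_if via 10.0.0.1.
# Note: older pf.conf(5) releases wrote this as reply-to ($int_if 10.0.0.1);
# check the manual page for the release in use.
pass in on $int_if proto tcp from <allowed_ssh> to ($int_if) port 22 \
    reply-to 10.0.0.1@$int_if

# Ordinary outbound traffic; tighten as needed.
pass out on $ext_if
pass out on $int_if
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0` to confirm the probe replies no longer show up as blocked on hvn0.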
