> change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will work
> as the rule you say works.

I made minor changes and tested the egress version.

ext_if = "em0"
ext_carpif = "carp0"
int_if = "carp2"

This rule works for me:

match out log on $ext_if from $int_if:network to any nat-to $ext_carpif

It seems it should work fine as well but it doesn't:

match out log on egress from $int_if:network to any nat-to $ext_carpif

On Thu, 25 Apr 2024 13:53:32 -0700
obs...@loopw.com wrote:

>
>
> > On Apr 25, 2024, at 10:36 AM, Radek <r...@int.pl> wrote:
> >
> > Thank you for all your hints.
> >
> >> match out on egress from $lan_if:network to any nat-to (egress:0)
> > This rule doesn't work.
>
> change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will work
> as the rule you say works.
>
>
> fwiw, the $lan_if came from your config's existing "match"
>
> https://www.openbsd.org/faq/pf/filter.html#syntax - under "interface" you
> can find out about "egress". I definitely prefer it to hard coding an
> interface in yet another line of a pf.conf
>
> I was presuming you didn't mind matching to $ext_if's ip for new sessions
> outbound, hence (egress:0). Matching to the carp ip works. (this is
> basically a source nat rule in commercial-network-vendor speak)
>
>
> >
> >> ext_if=em0
> >> int_if=vlan2
> >> ext_carpIf=carp0
>
> >> match out on $ext_if inet from $int_if:network to any nat-to $ext_carpIf
> > This rule works as expected.
>

Radek
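As an added example (not code from Radek or the other poster), the macros and both NAT rule variants from this thread assembled into a pf.conf fragment that can be syntax-checked and loaded as a unit. The interface names and the two match rules are the ones Radek posted (using his later spelling, ext_carpif); the set skip line, the block rule and the two pass rules are assumptions added only so the file is complete enough to load and generate traffic for the match rule.

```pf
# Added example, not from the thread: macros and both NAT rule variants
# discussed above as a loadable pf.conf fragment. Interface names are
# the ones Radek posted; the filter rules below the NAT rules are assumed.
ext_if = "em0"          # physical upstream interface
ext_carpif = "carp0"    # CARP address on the upstream side, used as NAT source
int_if = "carp2"        # CARP-backed internal interface

set skip on lo          # assumed: do not filter loopback

# Variant Radek reports as working: the outgoing interface is named
# explicitly, so the rule is evaluated on em0 only.
match out log on $ext_if from $int_if:network to any nat-to $ext_carpif

# Variant suggested in the thread that Radek reports as not working in his
# setup: "egress" is the interface group containing the interface(s) that
# hold the default route (see the FAQ link quoted above). Left disabled here;
# remove the leading "#" to test it in place of the rule above.
#match out log on egress from $int_if:network to any nat-to $ext_carpif

# Assumed minimal filter policy so the NAT rule has traffic to match; the
# thread shows only the match rule itself.
block log all
pass in on $int_if from $int_if:network
pass out all
```

Checks worth running on the firewall when comparing the two variants: `pfctl -nvf /etc/pf.conf` parses the file and prints the resulting rules without loading them; `ifconfig -g egress` lists which interfaces are currently members of the egress group, which is the first thing to look at when an "on egress" rule does not fire; `pfctl -vs rules` shows per-rule packet counters after loading; and because both rules carry `log`, `tcpdump -n -e -ttt -i pflog0` shows each logged packet together with the interface and rule number it matched.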