Oh now I remember, you might need to add it to the egress interface group.

Does that rule you posted error out or are you just seeing blocks with it?


On Sun, Apr 28, 2024, 12:49 PM Mike <rizzz2...@gmail.com> wrote:

> If I remember right, you can run 'ifconfig' and see if that interface is
> marked as an egress interface or not. I can't remember how OBSD determines
> what interfaces are egress or not but your em0 seems to be in a private
> network so it might not be classifying itself as egress.
>
> Nevertheless, writing egress or $ext_If, what difference does it really
> make? You're just repeating a different word. Lol
>
> On Sun, Apr 28, 2024, 12:08 PM Radek <r...@int.pl> wrote:
>
>> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it
>> will work as the rule you say works.
>> I made minor changes and tested the egress version.
>>
>> ext_if = "em0"
>> ext_carpif = "carp0"
>> int_if = "carp2"
>> This rule works for me:
>> match out log on $ext_if from $int_if:network to any nat-to $ext_carpif
>>
>> It seems it should work fine as well but it doesn't:
>> match out log on egress from $int_if:network to any nat-to $ext_carpif
>>
>>
>> On Thu, 25 Apr 2024 13:53:32 -0700
>> obs...@loopw.com wrote:
>>
>> >
>> >
>> > > On Apr 25, 2024, at 10:36 AM, Radek <r...@int.pl> wrote:
>> > >
>> > > Thank you for all your hints.
>> > >
>> > >> match out on egress from $lan_if:network to any nat-to (egress:0)
>> > > This rule doesn't work.
>> >
>> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it
>> will work as the rule you say works.
>> >
>> >
>> > fwiw, the $lan_if came from your config's existing “match”
>> >
>> > https://www.openbsd.org/faq/pf/filter.html#syntax  - under “interface”
>> you can find out about “egress”.  I definitely prefer it to hard coding an
>> interface in yet another line of a pf.conf
>> >
>> > I was presuming you didn't mind matching to $ext_if’s ip for new
>> sessions outbound, hence (egress:0).  Matching to the carp ip works.  (this
>> is basically a source nat rule in commercial-network-vendor speak)
>> >
>> >
>> > >
>> > >> ext_if=em0
>> > >> int_if=vlan2
>> > >> ext_carpIf=carp0
>> >
>> > >> match out on $ext_if inet from $int_if:network to any nat-to
>> $ext_carpIf
>> > > This rule works as expected.
>> >
>>
>>
>> Radek
>>
>>

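As an added illustration (not part of any message in the thread), the two rule forms under discussion side by side, using Radek's macro names, with the checks one would run to see why the `egress` variant might not match. The `egress` group is maintained by the kernel from the interface(s) holding the default route; the `ifconfig` and `pfctl` invocations are shown as comments because they are typed at the shell, not in pf.conf. Interface names are those from the thread; the assumption that em0 is meant to carry the default route is mine.

```pf
# Added example, not Radek's actual pf.conf. Macros as defined in the thread.
ext_if = "em0"
ext_carpif = "carp0"
int_if = "carp2"

# Form reported to work: the physical external interface is named outright.
match out log on $ext_if from $int_if:network to any nat-to $ext_carpif

# Same rule written against the kernel-maintained "egress" group.
# It only matches if the outbound interface is a member of that group,
# which normally means it carries the default route. Use one form or the
# other; with both loaded, the later matching nat-to wins.
#
# Check membership before blaming the rule:
#   ifconfig egress              # lists the interfaces currently in the group
#   ifconfig em0 group egress    # adds em0 by hand if it is not listed
#
#match out log on egress from $int_if:network to any nat-to $ext_carpif

# Validate and load, then confirm the translation rule is present:
#   pfctl -nf /etc/pf.conf       # parse only, report syntax errors
#   pfctl -f /etc/pf.conf && pfctl -s rules | grep nat-to
```

If `ifconfig egress` prints nothing for em0, the `egress` form cannot match on that host regardless of how the rest of the rule is written, and adding the interface to the group (or using `$ext_if`) is the fix rather than any change to the `nat-to` target.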