I have the requirement to NAT one address to 1 of 2 possible destination addresses for a large number of devices. So I have 3 address pools which are composed of these blocks:
10.10.0.0/16 (well known address pool)
10.11.0.0/16 (NAT'd pool A)
10.12.0.0/16 (NAT'd pool B)

Target devices allocate addresses from pool A or pool B depending on network conditions and they are always assigned the same host bits in the address. For example device X will always be assigned 10.11.100.100 or 10.12.100.100. In either case this corresponds to the well known address 10.10.100.100. Obviously only one of device X's addresses from pools A & B will be active at any particular time.

I think I can use 2 pf tables, one for pool A and one for pool B, by moving the well known address to the corresponding pool at runtime using pfctl and applying rules based on table contents? Correct me if I'm wrong.

I'd also like to use carp and pfsync so that I have a pair of these systems for redundancy. The man-page for pfsync states that it "exposes certain state changes" for synchronization purposes. Are changes to pf tables considered part of pf's state? Or will I need to update tables on both systems running pf in order to keep the tables in sync?

Thank you for your time,
Wayne
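One way to build the two-table scheme the post describes, as an added example (not configuration from the original message): each table holds the well-known 10.10.x.y addresses whose device is currently on that pool, and the `bitmask` pool option keeps the host bits so the mapping stays one-to-one. Interface names, table names and the pre-4.7 nat/rdr syntax are assumptions. pfsync carries entries of pf's state table, not the contents of `table` definitions, so the pfctl table updates at the bottom have to be run on both CARP peers.

```pf
# Added example, not the poster's configuration. Assumed interfaces:
#   $ext_if faces the clients that use the well-known addresses,
#   $dev_if faces the devices that live in pool A or pool B.
ext_if = "em0"
dev_if = "em1"

# Well-known addresses currently served from 10.11.0.0/16 (pool A)
table <poolA> persist
# Well-known addresses currently served from 10.12.0.0/16 (pool B)
table <poolB> persist

# Client -> device: rewrite the well-known destination to the active pool.
# "bitmask" takes the network part from the pool and keeps the host bits,
# so 10.10.100.100 becomes 10.11.100.100 when it is in <poolA>, or
# 10.12.100.100 when it is in <poolB>. Reply packets use the same state.
rdr on $ext_if from any to <poolA> -> 10.11.0.0/16 bitmask
rdr on $ext_if from any to <poolB> -> 10.12.0.0/16 bitmask

# Device -> client: connections the device opens leave $ext_if with
# their source rewritten back to the well-known address, host bits kept.
nat on $ext_if from 10.11.0.0/16 to any -> 10.10.0.0/16 bitmask
nat on $ext_if from 10.12.0.0/16 to any -> 10.10.0.0/16 bitmask

# Filter rules see the post-translation addresses.
pass in on $ext_if to { 10.11.0.0/16, 10.12.0.0/16 } keep state
pass in on $dev_if from { 10.11.0.0/16, 10.12.0.0/16 } keep state
pass out keep state

# Runtime: device X moves from pool A to pool B. Run on BOTH pf hosts,
# because pfsync does not replicate table contents. Existing states for
# the old pool address keep their translation until they expire.
#   pfctl -t poolA -T delete 10.10.100.100
#   pfctl -t poolB -T add    10.10.100.100
```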