Re: NAT on CARP interface

[Radek]

> Nevertheless, writing egress or $ext_If, what difference does it really
> make? You're just repeating a different word. Lol
It doesn't make any difference for me. 

Being curious I added em0 do egress group and restarted all intefaces. However, 
em0 seems not to be in ergess group and the rule with egress still doesn't 
work: 
match out log on egress from $int_if:network to any nat-to $ext_carpif

# cat /etc/hostname.em0
-inet
group egress
up

# ifconfig em0
em0: flags=8b43 mtu 
1500
lladdr 00:0d:b9:59:e0:90
index 1 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active

# ifconfig egress
carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
description: WAN_KRZ
index 7 priority 15 llprio 3
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
groups: carp egress
status: master
inet 10.0.15.216 netmask 0xff00 broadcast 10.0.15.255

# ifconfig carp0
carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
description: WAN_KRZ
index 7 priority 15 llprio 3
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
groups: carp egress
status: master
inet 10.0.15.216 netmask 0xff00 broadcast 10.0.15.255

> Does that rule you posted error out or are you just seeing blocks with it?
Just seeing blocks.

> https://www.openbsd.org/faq/pf/filter.html#syntax
> 
> "The egress group, which contains the interface(s) that holds the default 
> route(s)."
So.. carp0 contains default route, carp0 is in egress group.
carp0 refers to em0.
But...
match out log on carp0... - doesn't work
match out log on egress... - doesn't work
match out log on em0... - works!
I dont know...

On Sun, 28 Apr 2024 13:44:05 -0400
Mike  wrote:

> Oh now I remember, you might need to add it to the egress interface group.
> 
> Does that rule you posted error out or are you just seeing blocks with it?
> 
> 
> On Sun, Apr 28, 2024, 12:49 PM Mike  wrote:
> 
> > If I remember right, you can run 'ifconfig' and see if that interface is
> > marked as an egress interface or not. I can't remember how OBSD determines
> > what interfaces are egress or not but your em0 seems to be in a private
> > network so it might not be classifying itself as egress.
> >
> > Nevertheless, writing egress or $ext_If, what difference does it really
> > make? You're just repeating a different word. Lol
> >
> > On Sun, Apr 28, 2024, 12:08 PM Radek  wrote:
> >
> >> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it
> >> will work as the rule you say works.
> >> I made minor changes and tested the egress version.
> >>
> >> ext_if = "em0"
> >> ext_carpif = "carp0"
> >> int_if = "carp2"
> >> This rule works for me:
> >> match out log on $ext_if from $int_if:network to any nat-to $ext_carpif
> >>
> >> It seems it should work fine as well but it doesn't:
> >> match out log on egress from $int_if:network to any nat-to $ext_carpif
> >>
> >>
> >> On Thu, 25 Apr 2024 13:53:32 -0700
> >> obs...@loopw.com wrote:
> >>
> >> >
> >> >
> >> > > On Apr 25, 2024, at 10:36 AM, Radek  wrote:
> >> > >
> >> > > Thank you for all your hints.
> >> > >
> >> > >> match out on egress from $lan_if:network to any nat-to (egress:0)
> >> > > This rule doesn't work.
> >> >
> >> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it
> >> will work as the rule you say works.
> >> >
> >> >
> >> > fwiw, the $lan_if came from your configs existing “match”
> >> >
> >> > https://www.openbsd.org/faq/pf/filter.html#syntax  - under “interface”
> >> you can find out about “egress”.  I definitely prefer it to hard coding an
> >> interface in yet another line of a pf.conf
> >> >
> >> > I was presuming you didnt mind matching to $ext_if’s ip for new
> >> sessions outbound, hence (egress:0).  Matching to the carp ip works.  (this
> >> is basically a source nat rule in commercial-network-vendor speak)
> >> >
> >> >
> >> > >
> >> > >> ext_if=em0
> >> > >> int_if=vlan2
> >> > >> ext_carpIf=carp0
> >> >
> >> > >> match out on $ext_if inet from $int_if:network to any nat-to
> >> $ext_carpIf
> >> > > This rule works as expected.
> >> >
> >>
> >>
> >> Radek
> >>
> >>


Radek

Re: NAT on CARP interface

[Mike]

Oh now I remember, you might need to add it to the egress interface group.

Does that rule you posted error out or are you just seeing blocks with it?


On Sun, Apr 28, 2024, 12:49 PM Mike  wrote:

> If I remember right, you can run 'ifconfig' and see if that interface is
> marked as an egress interface or not. I can't remember how OBSD determines
> what interfaces are egress or not but your em0 seems to be in a private
> network so it might not be classifying itself as egress.
>
> Nevertheless, writing egress or $ext_If, what difference does it really
> make? You're just repeating a different word. Lol
>
> On Sun, Apr 28, 2024, 12:08 PM Radek  wrote:
>
>> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it
>> will work as the rule you say works.
>> I made minor changes and tested the egress version.
>>
>> ext_if = "em0"
>> ext_carpif = "carp0"
>> int_if = "carp2"
>> This rule works for me:
>> match out log on $ext_if from $int_if:network to any nat-to $ext_carpif
>>
>> It seems it should work fine as well but it doesn't:
>> match out log on egress from $int_if:network to any nat-to $ext_carpif
>>
>>
>> On Thu, 25 Apr 2024 13:53:32 -0700
>> obs...@loopw.com wrote:
>>
>> >
>> >
>> > > On Apr 25, 2024, at 10:36 AM, Radek  wrote:
>> > >
>> > > Thank you for all your hints.
>> > >
>> > >> match out on egress from $lan_if:network to any nat-to (egress:0)
>> > > This rule doesn't work.
>> >
>> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it
>> will work as the rule you say works.
>> >
>> >
>> > fwiw, the $lan_if came from your configs existing “match”
>> >
>> > https://www.openbsd.org/faq/pf/filter.html#syntax  - under “interface”
>> you can find out about “egress”.  I definitely prefer it to hard coding an
>> interface in yet another line of a pf.conf
>> >
>> > I was presuming you didnt mind matching to $ext_if’s ip for new
>> sessions outbound, hence (egress:0).  Matching to the carp ip works.  (this
>> is basically a source nat rule in commercial-network-vendor speak)
>> >
>> >
>> > >
>> > >> ext_if=em0
>> > >> int_if=vlan2
>> > >> ext_carpIf=carp0
>> >
>> > >> match out on $ext_if inet from $int_if:network to any nat-to
>> $ext_carpIf
>> > > This rule works as expected.
>> >
>>
>>
>> Radek
>>
>>

Re: NAT on CARP interface

[Brian Conway]

On Sun, Apr 28, 2024, at 11:49 AM, Mike wrote:
> If I remember right, you can run 'ifconfig' and see if that interface 
> is marked as an egress interface or not. I can't remember how OBSD 
> determines what interfaces are egress or not but your em0 seems to be 

https://www.openbsd.org/faq/pf/filter.html#syntax

"The egress group, which contains the interface(s) that holds the default 
route(s)."

> in a private network so it might not be classifying itself as egress. 
>
> Nevertheless, writing egress or $ext_If, what difference does it really 
> make? You're just repeating a different word. Lol

Brian Conway
Owner
RCE Software, LLC

Re: NAT on CARP interface

[Mike]

If I remember right, you can run 'ifconfig' and see if that interface is
marked as an egress interface or not. I can't remember how OBSD determines
what interfaces are egress or not but your em0 seems to be in a private
network so it might not be classifying itself as egress.

Nevertheless, writing egress or $ext_If, what difference does it really
make? You're just repeating a different word. Lol

On Sun, Apr 28, 2024, 12:08 PM Radek  wrote:

> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will
> work as the rule you say works.
> I made minor changes and tested the egress version.
>
> ext_if = "em0"
> ext_carpif = "carp0"
> int_if = "carp2"
> This rule works for me:
> match out log on $ext_if from $int_if:network to any nat-to $ext_carpif
>
> It seems it should work fine as well but it doesn't:
> match out log on egress from $int_if:network to any nat-to $ext_carpif
>
>
> On Thu, 25 Apr 2024 13:53:32 -0700
> obs...@loopw.com wrote:
>
> >
> >
> > > On Apr 25, 2024, at 10:36 AM, Radek  wrote:
> > >
> > > Thank you for all your hints.
> > >
> > >> match out on egress from $lan_if:network to any nat-to (egress:0)
> > > This rule doesn't work.
> >
> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will
> work as the rule you say works.
> >
> >
> > fwiw, the $lan_if came from your configs existing “match”
> >
> > https://www.openbsd.org/faq/pf/filter.html#syntax  - under “interface”
> you can find out about “egress”.  I definitely prefer it to hard coding an
> interface in yet another line of a pf.conf
> >
> > I was presuming you didnt mind matching to $ext_if’s ip for new sessions
> outbound, hence (egress:0).  Matching to the carp ip works.  (this is
> basically a source nat rule in commercial-network-vendor speak)
> >
> >
> > >
> > >> ext_if=em0
> > >> int_if=vlan2
> > >> ext_carpIf=carp0
> >
> > >> match out on $ext_if inet from $int_if:network to any nat-to
> $ext_carpIf
> > > This rule works as expected.
> >
>
>
> Radek
>
>

Re: NAT on CARP interface

[Radek]

> change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will work 
> as the rule you say works.
I made minor changes and tested the egress version.

ext_if = "em0"
ext_carpif = "carp0"
int_if = "carp2"
This rule works for me:
match out log on $ext_if from $int_if:network to any nat-to $ext_carpif

It seems it should work fine as well but it doesn't:
match out log on egress from $int_if:network to any nat-to $ext_carpif


On Thu, 25 Apr 2024 13:53:32 -0700
obs...@loopw.com wrote:

> 
> 
> > On Apr 25, 2024, at 10:36 AM, Radek  wrote:
> > 
> > Thank you for all your hints.
> > 
> >> match out on egress from $lan_if:network to any nat-to (egress:0)
> > This rule doesn't work.
> 
> change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will work 
> as the rule you say works.
> 
> 
> fwiw, the $lan_if came from your configs existing “match”
> 
> https://www.openbsd.org/faq/pf/filter.html#syntax  - under “interface” you 
> can find out about “egress”.  I definitely prefer it to hard coding an 
> interface in yet another line of a pf.conf
> 
> I was presuming you didnt mind matching to $ext_if’s ip for new sessions 
> outbound, hence (egress:0).  Matching to the carp ip works.  (this is 
> basically a source nat rule in commercial-network-vendor speak)
> 
> 
> > 
> >> ext_if=em0
> >> int_if=vlan2
> >> ext_carpIf=carp0
> 
> >> match out on $ext_if inet from $int_if:network to any nat-to $ext_carpIf
> > This rule works as expected.
> 


Radek

Re: NAT on CARP interface

[obsdml]

> On Apr 25, 2024, at 10:36 AM, Radek  wrote:
> 
> Thank you for all your hints.
> 
>> match out on egress from $lan_if:network to any nat-to (egress:0)
> This rule doesn't work.

change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will work 
as the rule you say works.


fwiw, the $lan_if came from your configs existing “match”

https://www.openbsd.org/faq/pf/filter.html#syntax  - under “interface” you can 
find out about “egress”.  I definitely prefer it to hard coding an interface in 
yet another line of a pf.conf

I was presuming you didnt mind matching to $ext_if’s ip for new sessions 
outbound, hence (egress:0).  Matching to the carp ip works.  (this is basically 
a source nat rule in commercial-network-vendor speak)


> 
>> ext_if=em0
>> int_if=vlan2
>> ext_carpIf=carp0

>> match out on $ext_if inet from $int_if:network to any nat-to $ext_carpIf
> This rule works as expected.

Re: NAT on CARP interface

[Radek]

Thank you for all your hints.
 
> match out on egress from $lan_if:network to any nat-to (egress:0)
This rule doesn't work.

> ext_if=em0
> int_if=vlan2
> ext_carpIf=carp0
> match out on $ext_if inet from $int_if:network to any nat-to $ext_carpIf
This rule works as expected.


On Wed, 24 Apr 2024 17:14:49 -0400
Mike  wrote:

> This command should help but you may need to add some "log" to your rules:
> 
> tcpdump -nettti pflog0 will probably tell you.
> 
> I don't have a bsd VM around to test but your int_if and ext_if should
> still refer to the underlying interface, not the carp.
> 
> I'd change:
> 
> ext_if=em0
> int_if=vlan2
> ext_carpIf=carp0
> 
> match out on $ext_if inet from 10.0.2.0/24 to any nat-to $ext_carpIf
> 
> 
> 
> 
> 
> 
> On Wed, Apr 24, 2024, 4:50 PM Radek  wrote:
> 
> > Hi everyone,
> > it's a lab, the goal is a redundant firewalls with CARP and PFSYNC, I'm
> > trying to configure the master box. On the LAN side I have created carp2 on
> > vlan2 interface and it works as expected.
> > On the WAN side I can't figure out how to make NAT work on carp0 interface.
> > Can someone tell me where I have the wrong or missing configuration?
> >
> > OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
> > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > # cat /etc/hostname.em1
> > -inet
> > up
> >
> > # cat /etc/hostname.vlan2
> > -inet
> > vnetid 2 parent em1 description "Interface VLAN-KRZ_LAN" up
> >
> > # cat /etc/hostname.carp2
> > -inet
> > inet 10.0.2.254 255.255.255.0 NONE vhid 2 advbase 1 advskew 0 carpdev
> > vlan2 pass test54321
> >
> >
> > # cat /etc/hostname.em0
> > -inet
> > up
> >
> > # cat /etc/hostname.carp0
> > -inet
> > inet 10.0.15.216 255.255.255.0 NONE description "WAN_KRZ" vhid 1 advbase 1
> > advskew 0 carpdev em0 pass test678
> >
> >
> > # cat /etc/pf.conf
> > ext_if = "carp0"
> > lan_if = "carp2"
> > pfsync_if = "em3"
> > internal_if = "vlan1010"
> > set skip on { lo0 vlan em3}
> > # pfsync and carp
> > pass quick on { $pfsync_if } proto pfsync #keep state (no-sync)
> > pass on { $internal_if } proto carp keep state (no-sync)
> > # nat
> > match out on $ext_if from $lan_if:network to any nat-to $ext_if
> > pass out
> >
> > # pfctl -s rules
> > pass quick on em3 proto pfsync all
> > pass on vlan1010 proto carp all keep state (no-sync)
> > match out on carp0 inet from 10.0.2.0/24 to any nat-to 10.0.15.216
> > pass out all flags S/SA
> >
> > # route -n show
> > Routing tables
> >
> > Internet:
> > DestinationGatewayFlags   Refs  Use   Mtu  Prio
> > Iface
> > 224/4  127.0.0.1  URS0   72 32768 8 lo0
> > 10.0.2/24  10.0.2.254 UCn10 -19
> > carp2
> > 10.0.2.201 18:03:73:b4:fa:c1  UHLc   011815 -18
> > carp2
> > 10.0.2.254 00:00:5e:00:01:02  UHLl   0   36 - 1
> > carp2
> > 10.0.2.255 10.0.2.254 UHb04 - 1
> > carp2
> > [snip]
> >
> > Radek
> >
> >


Radek

Re: NAT on CARP interface

[obsdml]

try using egress and not carp0 on your match out rule.  you’re not technically 
sending out on the carp interface, only receiving.


make your match rule like this:

match out on egress from $lan_if:network to any nat-to (egress:0)



> On Apr 24, 2024, at 11:05 AM, Radek  wrote:
> 
> Hi everyone,
> it's a lab, the goal is a redundant firewalls with CARP and PFSYNC, I'm 
> trying to configure the master box. On the LAN side I have created carp2 on 
> vlan2 interface and it works as expected.
> On the WAN side I can't figure out how to make NAT work on carp0 interface.
> Can someone tell me where I have the wrong or missing configuration?
> 
> OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
>dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> # cat /etc/hostname.em1
> -inet
> up
> 
> # cat /etc/hostname.vlan2
> -inet
> vnetid 2 parent em1 description "Interface VLAN-KRZ_LAN" up
> 
> # cat /etc/hostname.carp2
> -inet
> inet 10.0.2.254 255.255.255.0 NONE vhid 2 advbase 1 advskew 0 carpdev vlan2 
> pass test54321
> 
> 
> # cat /etc/hostname.em0
> -inet
> up
> 
> # cat /etc/hostname.carp0
> -inet
> inet 10.0.15.216 255.255.255.0 NONE description "WAN_KRZ" vhid 1 advbase 1 
> advskew 0 carpdev em0 pass test678
> 
> 
> # cat /etc/pf.conf
> ext_if = "carp0"
> lan_if = "carp2"
> pfsync_if = "em3"
> internal_if = "vlan1010"
> set skip on { lo0 vlan em3}
> # pfsync and carp
> pass quick on { $pfsync_if } proto pfsync #keep state (no-sync)
> pass on { $internal_if } proto carp keep state (no-sync)
> # nat
> match out on $ext_if from $lan_if:network to any nat-to $ext_if
> pass out
> 
> # pfctl -s rules
> pass quick on em3 proto pfsync all
> pass on vlan1010 proto carp all keep state (no-sync)
> match out on carp0 inet from 10.0.2.0/24 to any nat-to 10.0.15.216
> pass out all flags S/SA
> 
> # route -n show
> Routing tables
> 
> Internet:
> DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
> 224/4  127.0.0.1  URS0   72 32768 8 lo0
> 10.0.2/24  10.0.2.254 UCn10 -19 carp2
> 10.0.2.201 18:03:73:b4:fa:c1  UHLc   011815 -18 carp2
> 10.0.2.254 00:00:5e:00:01:02  UHLl   0   36 - 1 carp2
> 10.0.2.255 10.0.2.254 UHb04 - 1 carp2
> [snip]
> 
> Radek

Re: NAT on CARP interface

[Mike]

This command should help but you may need to add some "log" to your rules:

tcpdump -nettti pflog0 will probably tell you.

I don't have a bsd VM around to test but your int_if and ext_if should
still refer to the underlying interface, not the carp.

I'd change:

ext_if=em0
int_if=vlan2
ext_carpIf=carp0

match out on $ext_if inet from 10.0.2.0/24 to any nat-to $ext_carpIf






On Wed, Apr 24, 2024, 4:50 PM Radek  wrote:

> Hi everyone,
> it's a lab, the goal is a redundant firewalls with CARP and PFSYNC, I'm
> trying to configure the master box. On the LAN side I have created carp2 on
> vlan2 interface and it works as expected.
> On the WAN side I can't figure out how to make NAT work on carp0 interface.
> Can someone tell me where I have the wrong or missing configuration?
>
> OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> # cat /etc/hostname.em1
> -inet
> up
>
> # cat /etc/hostname.vlan2
> -inet
> vnetid 2 parent em1 description "Interface VLAN-KRZ_LAN" up
>
> # cat /etc/hostname.carp2
> -inet
> inet 10.0.2.254 255.255.255.0 NONE vhid 2 advbase 1 advskew 0 carpdev
> vlan2 pass test54321
>
>
> # cat /etc/hostname.em0
> -inet
> up
>
> # cat /etc/hostname.carp0
> -inet
> inet 10.0.15.216 255.255.255.0 NONE description "WAN_KRZ" vhid 1 advbase 1
> advskew 0 carpdev em0 pass test678
>
>
> # cat /etc/pf.conf
> ext_if = "carp0"
> lan_if = "carp2"
> pfsync_if = "em3"
> internal_if = "vlan1010"
> set skip on { lo0 vlan em3}
> # pfsync and carp
> pass quick on { $pfsync_if } proto pfsync #keep state (no-sync)
> pass on { $internal_if } proto carp keep state (no-sync)
> # nat
> match out on $ext_if from $lan_if:network to any nat-to $ext_if
> pass out
>
> # pfctl -s rules
> pass quick on em3 proto pfsync all
> pass on vlan1010 proto carp all keep state (no-sync)
> match out on carp0 inet from 10.0.2.0/24 to any nat-to 10.0.15.216
> pass out all flags S/SA
>
> # route -n show
> Routing tables
>
> Internet:
> DestinationGatewayFlags   Refs  Use   Mtu  Prio
> Iface
> 224/4  127.0.0.1  URS0   72 32768 8 lo0
> 10.0.2/24  10.0.2.254 UCn10 -19
> carp2
> 10.0.2.201 18:03:73:b4:fa:c1  UHLc   011815 -18
> carp2
> 10.0.2.254 00:00:5e:00:01:02  UHLl   0   36 - 1
> carp2
> 10.0.2.255 10.0.2.254 UHb04 - 1
> carp2
> [snip]
>
> Radek
>
>

NAT on CARP interface

[Radek]

Hi everyone,
it's a lab, the goal is a redundant firewalls with CARP and PFSYNC, I'm trying 
to configure the master box. On the LAN side I have created carp2 on vlan2 
interface and it works as expected.
On the WAN side I can't figure out how to make NAT work on carp0 interface.
Can someone tell me where I have the wrong or missing configuration?

OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

# cat /etc/hostname.em1
-inet
up

# cat /etc/hostname.vlan2
-inet
vnetid 2 parent em1 description "Interface VLAN-KRZ_LAN" up

# cat /etc/hostname.carp2
-inet
inet 10.0.2.254 255.255.255.0 NONE vhid 2 advbase 1 advskew 0 carpdev vlan2 
pass test54321


# cat /etc/hostname.em0
-inet
up

# cat /etc/hostname.carp0
-inet
inet 10.0.15.216 255.255.255.0 NONE description "WAN_KRZ" vhid 1 advbase 1 
advskew 0 carpdev em0 pass test678


# cat /etc/pf.conf
ext_if = "carp0"
lan_if = "carp2"
pfsync_if = "em3"
internal_if = "vlan1010"
set skip on { lo0 vlan em3}
# pfsync and carp
pass quick on { $pfsync_if } proto pfsync #keep state (no-sync)
pass on { $internal_if } proto carp keep state (no-sync)
# nat
match out on $ext_if from $lan_if:network to any nat-to $ext_if
pass out

# pfctl -s rules
pass quick on em3 proto pfsync all
pass on vlan1010 proto carp all keep state (no-sync)
match out on carp0 inet from 10.0.2.0/24 to any nat-to 10.0.15.216
pass out all flags S/SA

# route -n show
Routing tables

Internet:
DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
224/4  127.0.0.1  URS0   72 32768 8 lo0
10.0.2/24  10.0.2.254 UCn10 -19 carp2
10.0.2.201 18:03:73:b4:fa:c1  UHLc   011815 -18 carp2
10.0.2.254 00:00:5e:00:01:02  UHLl   0   36 - 1 carp2
10.0.2.255 10.0.2.254 UHb04 - 1 carp2
[snip]

Radek