Re: using first alias as masquerading ip on pf.conf
On 2020-02-12, Sebastian Benoit wrote:
> Paul de Weerd(we...@weirdnet.nl) on 2020.02.12 12:46:02 +0100:
>> On Wed, Feb 12, 2020 at 12:09:12PM +0100, Federico Donati wrote:
>> | Hi all,
>> |
>> | I have a couple of firewalls with carp configured and I need them to
>> | reach the Internet even when they are in BACKUP state.
>> | I'm managing pf via Ansible/GIT, so I'd like to keep the
>> | configuration of pf.conf standard and simple as much as possible.
>> |
>> | Usually, I use the notation "nat-to ($interface)" to let pf use the
>> | correct ip, but in this case I've BGP configured and the provider
>> | forces me to use a complex configuration with an alias on the
>> | external interface, like this:
>> |
>> | # ifconfig vlan835
>> | vlan835: flags=8943 mtu 1500
>> |         lladdr b0:26:28:1e:e6:6e
>> |         index 13 priority 0 llprio 3
>> |         encap: vnetid 835 parent trunk0 txprio packet rxprio outer
>> |         groups: vlan egress
>> |         media: Ethernet autoselect
>> |         status: active
>> |         inet 1.1.1.1 netmask 0xfff0 broadcast 1.1.1.255
>> |         inet 2.2.2.2 netmask 0xfff0 broadcast 2.2.2.255

Does the 2.2.2.2 address specifically need to be on this interface (i.e. do
you need to answer ARP for it)? If not then maybe you could just put it on a
loopback instead (e.g. lo1) then things are simple.

>> Alternatively, you could refer to a hostname that you then specify in
>> /etc/hosts (with a different address on each host).
>
> If you don't want to go that route, you could have a file with a local
> definition:
>
> $ cat /etc/pf/local
> natip="2.2.2.2"
>
> $ cat /etc/pf.conf
> include "/etc/pf/local"
> [...]
> pass in on em0 to any nat-to $natip
>
> Then you have pf.conf identical on both machines and /etc/pf/local per
> machine (and possibly generated by ansible differently on each box).

Or just use a j2 template rather than a plain copied file and set it per-host
from a variable in ansible. Lots of alternatives..
Re: using first alias as masquerading ip on pf.conf
Paul de Weerd(we...@weirdnet.nl) on 2020.02.12 12:46:02 +0100:
> On Wed, Feb 12, 2020 at 12:09:12PM +0100, Federico Donati wrote:
> | Hi all,
> |
> | I have a couple of firewalls with carp configured and I need them to
> | reach the Internet even when they are in BACKUP state.
> | I'm managing pf via Ansible/GIT, so I'd like to keep the
> | configuration of pf.conf standard and simple as much as possible.
> |
> | Usually, I use the notation "nat-to ($interface)" to let pf use the
> | correct ip, but in this case I've BGP configured and the provider
> | forces me to use a complex configuration with an alias on the
> | external interface, like this:
> |
> | # ifconfig vlan835
> | vlan835: flags=8943 mtu 1500
> |         lladdr b0:26:28:1e:e6:6e
> |         index 13 priority 0 llprio 3
> |         encap: vnetid 835 parent trunk0 txprio packet rxprio outer
> |         groups: vlan egress
> |         media: Ethernet autoselect
> |         status: active
> |         inet 1.1.1.1 netmask 0xfff0 broadcast 1.1.1.255
> |         inet 2.2.2.2 netmask 0xfff0 broadcast 2.2.2.255
>
> Surely the provider doesn't force 1.1.1.1 to be the "primary" and
> 2.2.2.2 to be the alias? How could they tell the difference?
>
> | So, 1.1.1.1 is the "transit ip" for the BGP, the one we must use to
> | talk with the provider's router and that I can't use as masquerading
> | ip.
> |
> | The ip 2.2.2.2 is the one that I should use to mask my traffic to
> | the Internet, and is different on each firewall.
> |
> | Is there a way to tell pf to use the first alias of interface to
> | mask the traffic? Something like "nat-to (vlan835:1)"...
>
> Could you make 1.1.1.1 the alias and 2.2.2.2 the primary address?
> Then your NAT rule could simply use (vlan835:0).
>
> Alternatively, you could refer to a hostname that you then specify in
> /etc/hosts (with a different address on each host).

If you don't want to go that route, you could have a file with a local
definition:

$ cat /etc/pf/local
natip="2.2.2.2"

$ cat /etc/pf.conf
include "/etc/pf/local"
[...]
pass in on em0 to any nat-to $natip

Then you have pf.conf identical on both machines and /etc/pf/local per
machine (and possibly generated by ansible differently on each box).

> As far as I know, there's no way to refer to the 'first alias'. What
> is the 'first alias' anyway? The first one you configured? Or the
> last one? Since you're using the '(interface)' specification (with
> the parentheses), you're using dynamically changing addresses .. what
> does that mean in the context of 'first alias'?

I would stay away from the :0 syntax as much as possible. It does not do
what you think it does in IPv6, and in fact there were discussions lately
to remove it completely. Even though the ifconfig manpage and command line
syntax suggest otherwise, there is no difference between primary address
and aliases on an interface, it's all the same to the kernel.

/Benno

> | I would like to keep things simple and avoid using the include
> | directive, if possible.

I think it's simpler than fiddling with /etc/hosts ;)

> I tend to dislike the whole IP address "aliases" thing more and more
> recently... :)
>
> Cheers,
>
> Paul 'WEiRD' de Weerd
>
> --
> >[<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
> http://www.weirdnet.nl/
> --
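As an added example (my own, not from the thread and not OpenBSD's or any poster's code): a small POSIX shell script that produces the per-host /etc/pf/local file Benno describes above, so that pf.conf itself can stay identical on both CARP peers, and that the top reply's Ansible template would otherwise render. It selects the NAT source by excluding the known BGP transit address instead of relying on any "primary" versus "alias" ordering, since, as noted above, the kernel draws no such distinction. The ifconfig listing is a constructed sample copied from the original post; the interface name, the 1.1.1.1 transit address and the /etc/pf/local path come from the thread, while the function names and the "pass out" rule in the comments are my own illustration.

```shell
#!/bin/sh
# Added example (not from the thread): derive the per-host /etc/pf/local
# that the include-file approach needs, so the shared pf.conf can stay
# byte-identical on both CARP peers.
#
# Assumptions (mine): the BGP transit address is known per host (1.1.1.1 in
# the post), and any other IPv4 address on the egress interface may serve as
# the nat-to source. Nothing here depends on "primary" versus "alias"
# ordering, which the kernel does not distinguish anyway.
set -eu

# pick_nat_ip IFCONFIG_OUTPUT TRANSIT_IP
# Print the first "inet" address (IPv4 only; "inet6" lines are deliberately
# not matched) on the interface that is not the transit address. Fail if
# there is none, so a misconfigured host gets a loud error rather than an
# empty macro that pfctl would reject at load time.
pick_nat_ip() {
    _ip=$(printf '%s\n' "$1" |
        awk -v transit="$2" '$1 == "inet" && $2 != transit { print $2; exit }')
    [ -n "$_ip" ] || return 1
    printf '%s\n' "$_ip"
}

# render_pf_local NATIP
# Contents of /etc/pf/local: one macro definition that the shared pf.conf
# consumes, e.g. (my illustration; the thread's rule is "pass in on em0"):
#   include "/etc/pf/local"
#   pass out on vlan835 inet nat-to $natip
render_pf_local() {
    printf 'natip="%s"\n' "$1"
}

# Constructed sample: the vlan835 listing from the original post.
SAMPLE_IFCONFIG='vlan835: flags=8943 mtu 1500
        lladdr b0:26:28:1e:e6:6e
        index 13 priority 0 llprio 3
        encap: vnetid 835 parent trunk0 txprio packet rxprio outer
        groups: vlan egress
        media: Ethernet autoselect
        status: active
        inet 1.1.1.1 netmask 0xfff0 broadcast 1.1.1.255
        inet 2.2.2.2 netmask 0xfff0 broadcast 2.2.2.255'

# Demo on the constructed sample. On a real host feed it "$(ifconfig vlan835)"
# instead, redirect the output to /etc/pf/local, and run
# "pfctl -nf /etc/pf.conf" before "pfctl -f /etc/pf.conf".
natip=$(pick_nat_ip "$SAMPLE_IFCONFIG" 1.1.1.1)
render_pf_local "$natip"
```

Run as shown it prints `natip="2.2.2.2"`. The Ansible equivalent of the top reply is a one-line template for /etc/pf/local containing `natip="{{ pf_natip }}"` (variable name is an assumption) rendered from each host's host_vars; either way pf.conf stays the same file in Git on both firewalls and only the included macro differs.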
Re: using first alias as masquerading ip on pf.conf
On Wed, Feb 12, 2020 at 12:09:12PM +0100, Federico Donati wrote:
| Hi all,
|
| I have a couple of firewalls with carp configured and I need them to
| reach the Internet even when they are in BACKUP state.
| I'm managing pf via Ansible/GIT, so I'd like to keep the
| configuration of pf.conf standard and simple as much as possible.
|
| Usually, I use the notation "nat-to ($interface)" to let pf use the
| correct ip, but in this case I've BGP configured and the provider
| forces me to use a complex configuration with an alias on the
| external interface, like this:
|
| # ifconfig vlan835
| vlan835: flags=8943 mtu 1500
|         lladdr b0:26:28:1e:e6:6e
|         index 13 priority 0 llprio 3
|         encap: vnetid 835 parent trunk0 txprio packet rxprio outer
|         groups: vlan egress
|         media: Ethernet autoselect
|         status: active
|         inet 1.1.1.1 netmask 0xfff0 broadcast 1.1.1.255
|         inet 2.2.2.2 netmask 0xfff0 broadcast 2.2.2.255

Surely the provider doesn't force 1.1.1.1 to be the "primary" and
2.2.2.2 to be the alias? How could they tell the difference?

| So, 1.1.1.1 is the "transit ip" for the BGP, the one we must use to
| talk with the provider's router and that I can't use as masquerading
| ip.
|
| The ip 2.2.2.2 is the one that I should use to mask my traffic to
| the Internet, and is different on each firewall.
|
| Is there a way to tell pf to use the first alias of interface to
| mask the traffic? Something like "nat-to (vlan835:1)"...

Could you make 1.1.1.1 the alias and 2.2.2.2 the primary address?
Then your NAT rule could simply use (vlan835:0).

Alternatively, you could refer to a hostname that you then specify in
/etc/hosts (with a different address on each host).

As far as I know, there's no way to refer to the 'first alias'. What
is the 'first alias' anyway? The first one you configured? Or the
last one? Since you're using the '(interface)' specification (with
the parentheses), you're using dynamically changing addresses .. what
does that mean in the context of 'first alias'?

| I would like to keep things simple and avoid using the include
| directive, if possible.

I tend to dislike the whole IP address "aliases" thing more and more
recently... :)

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
using first alias as masquerading ip on pf.conf
Hi all,

I have a couple of firewalls with carp configured and I need them to
reach the Internet even when they are in BACKUP state.
I'm managing pf via Ansible/GIT, so I'd like to keep the
configuration of pf.conf standard and simple as much as possible.

Usually, I use the notation "nat-to ($interface)" to let pf use the
correct ip, but in this case I've BGP configured and the provider
forces me to use a complex configuration with an alias on the
external interface, like this:

# ifconfig vlan835
vlan835: flags=8943 mtu 1500
        lladdr b0:26:28:1e:e6:6e
        index 13 priority 0 llprio 3
        encap: vnetid 835 parent trunk0 txprio packet rxprio outer
        groups: vlan egress
        media: Ethernet autoselect
        status: active
        inet 1.1.1.1 netmask 0xfff0 broadcast 1.1.1.255
        inet 2.2.2.2 netmask 0xfff0 broadcast 2.2.2.255

So, 1.1.1.1 is the "transit ip" for the BGP, the one we must use to
talk with the provider's router and that I can't use as masquerading
ip.

The ip 2.2.2.2 is the one that I should use to mask my traffic to
the Internet, and is different on each firewall.

Is there a way to tell pf to use the first alias of interface to
mask the traffic? Something like "nat-to (vlan835:1)"...

I would like to keep things simple and avoid using the include
directive, if possible.

Thank you for your suggestions.

Bye