Hi. The issue is simple: I can't match the outgoing traffic to the CARP IP address. When I go to some "show my IP" website, it always shows the physical one, never the CARP one.
As my ISP gives us 4 IPs, I use two (one for each NIC of the firewalls connected to the internet) for the physical interfaces and the other two for the carp interfaces.

                             Internet
                                |
          +--------------------/ \------------------+
          |                                          |
    carp13(em0) = 81.92.37.13      carp12(em0) = 81.92.37.12
          |                                          |
    81.92.37.10 bge0                        bge0 81.92.37.11
          |                                          |
     +-------+          10.0.0.2                 +-------+
     |  fw0  |- re0 ---- CARP Pfsync ---- re0 -|  fw1  |
     +-------+          10.0.0.1                 +-------+
          |                                          |
    192.168.28.1 bge1                       bge1 192.169.28.2
          |                                          |
          |     carp28(em1) = 192.168.28.11          |
          +--------------------\ /------------------+
                                |
                  Internal LAN (192.168.28/24)

Config files (from one of the two firewalls):

hostname.bge0
  inet 81.92.37.10 255.255.255.248 NONE

hostname.bge1
  inet 192.168.28.1 255.255.255.0 NONE

hostname.carp12
  inet 81.92.37.12 255.255.255.248 81.92.37.15 balancing ip carpnodes 120:0,121:100 pass PaSSWord12

hostname.carp13
  inet 81.92.37.12 255.255.255.248 81.92.37.15 balancing ip carpnodes 130:100,131:0 pass PaSSWord13

hostname.carp28
  inet 192.168.28.11 255.255.255.0 192.168.28.255 balancing ip carpnodes 28:0,29:100 pass PaSSWord28

hostname.re0
  inet 10.0.0.1 255.255.255.0 NONE

hostname.pfsync0
  up syncdev re0

sysctl.conf
  net.inet.ip.forwarding=1       # 1=Permit forwarding (routing) of IPv4 packets
  net.inet.icmp.rediraccept=1    # 1=Accept ICMP redirects
  net.inet.carp.preempt=1        # 1=Enable carp(4) preemption
  net.inet.carp.log=3            # log level of carp(4) info, default 2
  net.inet.carp.allow=1
  net.inet.carp.arpbalance=0

pf.conf
  priv_nets = "{127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8}"
  set block-policy drop
  set skip on lo

  # NAT outgoing connections
  match out on $ext_IF inet from !$ext_IF to any nat-to $ext_IF
  # This does not work:
  match out on $ext_IF inet from !$ext_IF to any nat-to carp12

  # Filter rules
  block log all
  block in quick from urpf-failed      # spoofed address protection
  # packet normalization
  match in all scrub (no-df)
  pass quick log on re0 inet proto pfsync keep state (no-sync)
  pass in quick log on $ext_IF proto carp from carp12 to 224.0.0.18 keep state
  pass in quick log on $ext_IF proto carp from carp13 to 224.0.0.18 keep state
  pass in quick log on $int_IF proto carp from carp28 to 224.0.0.18 keep state
  pass on { $int_IF , $ext_IF } proto carp keep state (no-sync)
  block in quick on $ext_IF from $priv_nets to any
  block out quick on $ext_IF from any to $priv_nets
  block quick inet6
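An added sanity check, written for this thread and not part of the original post: given the hostname.if(5) contents and the pf.conf fragment quoted above (embedded here as constructed strings), it reports any address declared on more than one carp interface and any $macro that pf.conf references without defining, both of which are worth catching before `pfctl -nf` and a reboot.

```python
import re
from collections import defaultdict

# Constructed sample: the hostname.if(5) files from the post, keyed by file name.
HOSTNAME_FILES = {
    "hostname.carp12": "inet 81.92.37.12 255.255.255.248 81.92.37.15 balancing ip carpnodes 120:0,121:100 pass PaSSWord12",
    "hostname.carp13": "inet 81.92.37.12 255.255.255.248 81.92.37.15 balancing ip carpnodes 130:100,131:0 pass PaSSWord13",
    "hostname.carp28": "inet 192.168.28.11 255.255.255.0 192.168.28.255 balancing ip carpnodes 28:0,29:100 pass PaSSWord28",
}

# Constructed sample: the pf.conf fragment from the post ($ext_IF and $int_IF
# are referenced but no macro definition for them appears in the fragment).
PF_CONF = """priv_nets = "{127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8}"
match out on $ext_IF inet from !$ext_IF to any nat-to $ext_IF
match out on $ext_IF inet from !$ext_IF to any nat-to carp12
pass in quick log on $int_IF proto carp from carp28 to 224.0.0.18 keep state
block in quick on $ext_IF from $priv_nets to any
"""


def duplicate_carp_addrs(files):
    """Return {address: [interfaces]} for every address configured on more than one carp interface."""
    seen = defaultdict(list)
    for name, body in files.items():
        m = re.match(r"\s*inet\s+(\S+)", body)   # first token after 'inet' is the address
        if m:
            seen[m.group(1)].append(name.split(".", 1)[1])
    return {addr: ifs for addr, ifs in seen.items() if len(ifs) > 1}


def undefined_macros(conf):
    """Return the set of $macro names used in pf.conf that have no 'name = value' definition."""
    defined = set(re.findall(r"^\s*(\w+)\s*=", conf, re.M))
    used = set(re.findall(r"\$(\w+)", conf))
    return used - defined


if __name__ == "__main__":
    for addr, ifs in duplicate_carp_addrs(HOSTNAME_FILES).items():
        print(f"address {addr} is configured on {', '.join(ifs)}")
    for macro in sorted(undefined_macros(PF_CONF)):
        print(f"pf.conf uses ${macro} but never defines it")
```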