> Nevertheless, writing egress or $ext_If, what difference does it really
> make? You're just repeating a different word. Lol

It doesn't make any difference for me.

Being curious I added em0 to egress group and restarted all interfaces. However, em0 seems not to be in egress group and the rule with egress still doesn't work:

match out log on egress from $int_if:network to any nat-to $ext_carpif

# cat /etc/hostname.em0
-inet group egress up

# ifconfig em0
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:b9:59:e0:90
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active

# ifconfig egress
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        description: WAN_KRZ
        index 7 priority 15 llprio 3
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp egress
        status: master
        inet 10.0.15.216 netmask 0xffffff00 broadcast 10.0.15.255

# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        description: WAN_KRZ
        index 7 priority 15 llprio 3
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp egress
        status: master
        inet 10.0.15.216 netmask 0xffffff00 broadcast 10.0.15.255

> Does that rule you posted error out or are you just seeing blocks with it?

Just seeing blocks.

> https://www.openbsd.org/faq/pf/filter.html#syntax
>
> "The egress group, which contains the interface(s) that holds the default
> route(s)."

So.. carp0 contains default route, carp0 is in egress group. carp0 refers to em0.
But...
match out log on carp0... - doesn't work
match out log on egress... - doesn't work
match out log on em0... - works!
I don't know...

On Sun, 28 Apr 2024 13:44:05 -0400
Mike <rizzz2...@gmail.com> wrote:

> Oh now I remember, you might need to add it to the egress interface group.
>
> Does that rule you posted error out or are you just seeing blocks with it?
>
>
> On Sun, Apr 28, 2024, 12:49 PM Mike <rizzz2...@gmail.com> wrote:
>
> > If I remember right, you can run 'ifconfig' and see if that interface is
> > marked as an egress interface or not. I can't remember how OBSD determines
> > what interfaces are egress or not but your em0 seems to be in a private
> > network so it might not be classifying itself as egress.
> >
> > Nevertheless, writing egress or $ext_If, what difference does it really
> > make? You're just repeating a different word. Lol
> >
> > On Sun, Apr 28, 2024, 12:08 PM Radek <r...@int.pl> wrote:
> >
> >> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it
> >> will work as the rule you say works.
> >> I made minor changes and tested the egress version.
> >>
> >> ext_if = "em0"
> >> ext_carpif = "carp0"
> >> int_if = "carp2"
> >> This rule works for me:
> >> match out log on $ext_if from $int_if:network to any nat-to $ext_carpif
> >>
> >> It seems it should work fine as well but it doesn't:
> >> match out log on egress from $int_if:network to any nat-to $ext_carpif
> >>
> >>
> >> On Thu, 25 Apr 2024 13:53:32 -0700
> >> obs...@loopw.com wrote:
> >>
> >> >
> >> >
> >> > > On Apr 25, 2024, at 10:36 AM, Radek <r...@int.pl> wrote:
> >> > >
> >> > > Thank you for all your hints.
> >> > >
> >> > >> match out on egress from $lan_if:network to any nat-to (egress:0)
> >> > > This rule doesn't work.
> >> >
> >> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it
> >> will work as the rule you say works.
> >> >
> >> >
> >> > fwiw, the $lan_if came from your configs existing “match”
> >> >
> >> > https://www.openbsd.org/faq/pf/filter.html#syntax - under “interface”
> >> you can find out about “egress”. I definitely prefer it to hard coding an
> >> interface in yet another line of a pf.conf
> >> >
> >> > I was presuming you didn't mind matching to $ext_if’s ip for new
> >> sessions outbound, hence (egress:0). Matching to the carp ip works. (this
> >> is basically a source nat rule in commercial-network-vendor speak)
> >> >
> >> >
> >> > >
> >> > >> ext_if=em0
> >> > >> int_if=vlan2
> >> > >> ext_carpIf=carp0
> >> >
> >> > >> match out on $ext_if inet from $int_if:network to any nat-to
> >> $ext_carpIf
> >> > > This rule works as expected.
> >> >
> >> >
> >> > >> Radek
> >> >
> >> Radek
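A check one could script for exactly this situation, added here and not part of the thread: it parses ifconfig(8)-style output to report which interfaces carry the egress group and, for a carp member, which carpdev it sits on (the interface that `on em0` matched in Radek's test). The sample output is constructed to mirror what Radek posted; on a live OpenBSD box the same functions take the real `ifconfig` output.

```shell
#!/bin/sh
# Added example, not from the thread: list the members of an interface group
# from ifconfig(8)-style output and, for a carp member, the carpdev it rides on.
# SAMPLE_IFCONFIG is constructed to mirror Radek's output (em0 has no "groups:"
# line at all; carp0 is in "carp egress" with carpdev em0).
SAMPLE_IFCONFIG='em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:b9:59:e0:90
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        description: WAN_KRZ
        index 7 priority 15 llprio 3
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp egress
        status: master
        inet 10.0.15.216 netmask 0xffffff00 broadcast 10.0.15.255'

# ifaces_in_group GROUP OUTPUT: print each interface whose "groups:" line lists GROUP.
ifaces_in_group() {
        printf '%s\n' "$2" | awk -v want="$1" '
                /^[A-Za-z0-9]+:/ { cur = $1; sub(/:$/, "", cur) }   # start of an interface block
                /^[ \t]+groups:/ { for (i = 2; i <= NF; i++) if ($i == want) print cur }'
}

# carpdev_of IFACE OUTPUT: print the carpdev of a carp interface, nothing otherwise.
carpdev_of() {
        printf '%s\n' "$2" | awk -v want="$1" '
                /^[A-Za-z0-9]+:/ { cur = $1; sub(/:$/, "", cur) }
                cur == want && /^[ \t]+carp:/ {
                        for (i = 1; i < NF; i++) if ($i == "carpdev") print $(i + 1) }'
}

# egress_report OUTPUT: one line per egress member, naming the carpdev where there is one.
egress_report() {
        for ifc in $(ifaces_in_group egress "$1"); do
                dev=$(carpdev_of "$ifc" "$1")
                [ -n "$dev" ] && echo "$ifc (carp on $dev)" || echo "$ifc"
        done
}

egress_report "$SAMPLE_IFCONFIG"   # live system: egress_report "$(ifconfig)"
```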