From: Elliott Barrere <elliott@mywedding.com>
To: freebsd-pf@freebsd.org
Date: Tue, 28 Jul 2009 14:31:53 -0700
Subject: Re: CARP and NAT

Never mind, I sorted out my issue. The carp1 interface had multiple IPs assigned and PF was pulling the last one. Adding a carp_ip variable and changing the NAT statement makes it work:

    nat on $cable_if from $lan_net to any -> $carp_ip

This does make me wonder though more generally about when to use the carp interface versus the physical interface in PF. Does anyone know of a guide or a good rule of thumb?

Thanks!

:: elliott barrere :: 206.855.7011 ::

On Jul 28, 2009, at 1:56 PM, Elliott Barrere wrote:

> Hi everyone, please excuse my noobiness.
>
> I have a basic firewall setup with CARP running on the LAN and WAN interfaces. CARP and pfsync seem to be functioning properly. The problem is I can't seem to figure out how to make pf NAT from the internal network to the carp1 interface IP on the outside (packets always end up coming from the IP of the physical interface in question).
>
> I thought I could do something like:
>
> nat on $carp_if from $lan_net to any -> ($carp_if)
>
> but that doesn't work. Can anyone provide me examples of a setup using CARP and NAT? I feel like this should be pretty common...
>
> Thanks!
>
> :: elliott barrere :: 206.855.7011 ::
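A fuller pf.conf sketch of the arrangement the thread arrives at, added here as an illustration and not taken from either message; the interface names, the pfsync link and all addresses are placeholders.

```conf
# Added illustration of the CARP + NAT setup discussed in the thread (not from the post).
# Interface names and addresses are placeholders; adjust to the real topology.
cable_if = "em0"            # physical WAN interface
lan_if   = "em1"            # physical LAN interface
sync_if  = "em2"            # dedicated link carrying pfsync between the two firewalls
carp_if  = "carp1"          # CARP pseudo-interface holding the shared WAN address
lan_net  = "192.168.10.0/24"

# Pin the translation address explicitly. "($carp_if)" expands to every
# address configured on carp1, so when the interface carries more than one
# address pf will not necessarily pick the one intended (the thread saw it
# take the last one). A fixed macro removes the ambiguity. The other common
# form is "($carp_if:0)", which excludes aliases and tracks only the
# interface's primary address.
carp_ip  = "203.0.113.10"

# Packets arrive on the physical interfaces, so "nat on" and the filter
# rules name those; the CARP address appears only as the translation target.
nat on $cable_if from $lan_net to any -> $carp_ip

# CARP advertisements and pfsync state updates must be permitted, or
# failover and state synchronisation between the two firewalls break quietly.
pass quick on $sync_if proto pfsync
pass on { $cable_if, $lan_if } proto carp keep state

# Check the syntax before loading on either node:
#   pfctl -nf /etc/pf.conf
```

Load the same rule set on both CARP nodes; with pfsync passing on the dedicated link, established NAT states survive a failover to the backup firewall.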