Hi folks!
I'm trying to NAT with CARP addresses, but it doesn't work. I have the following configuration:
Interfaces / Devices / VLAN
  Device:        vlan0.250 [management]
  Parent:        em1 (aa:bb:cc:dd:ee:ff) [LAN]
  VLAN tag:      250
  VLAN priority: Best Effort (0, default)
  Description:   mgmt

Interfaces / Assignments
  Interface:  [management]
  Identifier: opt13
  Device:     vlan0.250 mgmt (Parent: em1, Tag: 250)

Interfaces / [management]
  Basic configuration
    Enable:      Enable Interface
    Description: management
  Generic configuration
    IPv4 Configuration Type: Static IPv4
  Static IPv4 configuration
    IPv4 address: 10.89.250.2 / 24

Interfaces / Virtual IPs / Settings
  Network / Address: 10.89.250.1 / 24
  VHID Group:        250 (freq. 1/0)
  Interface:         management
  Mode:              CARP

Firewall / NAT / Outbound
  Mode: Manual outbound NAT rule generation (no automatic rules are being generated)
  Manual rules
    Interface:        management
    Source:           management net
    Source Port:      *
    Destination:      *
    Destination Port: *
    NAT Address:      some public IP
    NAT Port:         *
    Static Port:      No
However, the addresses from the 10.89.250.0/24 network don't get masqueraded, as I can see using tcpdump. What am I doing wrong or missing?
Greetings,
Fabiano

Ok, probably found the source of the issue:
# pfctl -s nat | grep carp
no nat proto carp all
no rdr proto carp all
- How can I (persistently) remove these PF rules?
- What is the reason to add these by default in the first place?
Greetings,
Fabiano

The CARP protocol itself runs over multicast and must never be NATed, so these rules are correct. You can of course NAT all regular traffic to your CARP address just fine.

Ah, thanks for the hint.
However, it still doesn't work! Here's my setup:
# pfctl -s nat | grep vlan0.250
nat on vlan0.250 inet from (vlan0.250:network) to any -> 1.2.3.4 port 1024:65535
# ifconfig vlan0.250
vlan0.250: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: management (opt13)
options=4000000<MEXTPG>
ether 00:22:4d:84:77:29
inet 10.89.250.3 netmask 0xffffff00 broadcast 10.89.250.255
inet 10.89.250.1 netmask 0xffffff00 broadcast 10.89.250.255 vhid 250
groups: vlan
carp: MASTER vhid 250 advbase 1 advskew 0
peer 224.0.0.18 peer6 ff02::12
vlan: 250 vlanproto: 802.1q vlanpcp: 0 parent interface: em1
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
# tcpdump -i vlan0.250 -c 2 host 8.8.8.8
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vlan0.250, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:08:00.024830 IP 10.89.250.42 > dns.google: ICMP echo request, id 2845, seq 1, length 64
13:08:00.027434 IP dns.google > 10.89.250.42: ICMP echo reply, id 2845, seq 1, length 64
2 packets captured
30 packets received by filter
0 packets dropped by kernel
This is fine so far, but the address is not masqueraded:
# tcpdump -i em0 -c 2 host 8.8.8.8
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on em0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:08:26.491733 IP 10.89.250.42 > dns.google: ICMP echo request, id 2846, seq 1, length 64
13:08:26.494192 IP dns.google > 10.89.250.42: ICMP echo reply, id 2846, seq 1, length 64
2 packets captured
335 packets received by filter
0 packets dropped by kernel
How can I make this work?

Maybe you selected the wrong interface for the Outbound NAT rule? I would expect it to be on WAN.
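The pfctl output earlier in the thread shows why the reply above is the likely fix: a pf `nat on <interface>` rule is evaluated on the interface a packet leaves through. The rule is bound to vlan0.250, but a ping from 10.89.250.42 to 8.8.8.8 enters on vlan0.250 and leaves on em0, so the rule never matches and the private source address goes out em0 untranslated, exactly what the second tcpdump shows. The following pf.conf fragment is an added example, not configuration from the original posts or from OPNsense; it assumes em0 is the WAN interface (the thread only shows the capture on em0), that vlan0.250 carries the management VLAN with CARP VIP 10.89.250.1, and uses 1.2.3.4 as a stand-in for the real public address.

```pf
# Added example: pf.conf equivalents of the thread's outbound NAT rule,
# wrong placement beside the corrected placement.
# Assumptions: em0 = WAN, vlan0.250 = management VLAN, 1.2.3.4 = public address.

wan_if   = "em0"
mgmt_if  = "vlan0.250"
mgmt_net = "10.89.250.0/24"
nat_addr = "1.2.3.4"

# Keep the default CARP exemptions. CARP (IP protocol 112) is sent to the
# multicast group 224.0.0.18 (ff02::12 for IPv6) and must never be translated,
# otherwise the CARP peers stop seeing each other's advertisements.
no nat proto carp all
no rdr proto carp all

# WRONG: this is what choosing "management" as the rule interface produces.
# It only translates packets that LEAVE via vlan0.250. Traffic to the
# Internet leaves via em0, so this rule is never hit.
# nat on $mgmt_if inet from ($mgmt_if:network) to any -> $nat_addr port 1024:65535

# CORRECT: bind the rule to the WAN interface and select the management
# network as the source. Packets from 10.89.250.0/24 exiting em0 now leave
# with source 1.2.3.4.
nat on $wan_if inet from $mgmt_net to any -> $nat_addr port 1024:65535
```

After applying the rule on WAN, `pfctl -s nat` should list `nat on em0 inet from 10.89.250.0/24 to any -> 1.2.3.4 port 1024:65535`, and `tcpdump -ni em0 host 8.8.8.8` should show the echo request with source 1.2.3.4 instead of 10.89.250.42. Two practical caveats: leaving the rule on the wrong interface means RFC 1918 source addresses leak out of the WAN untranslated, which an upstream with anti-spoofing filters will silently drop, so the symptom may look like a connectivity problem rather than a NAT one; and in a CARP pair the NAT address should itself be a CARP VIP on the WAN side (with pfsync enabled), so that the translation and its states survive failover to the backup node instead of being tied to one firewall's own address.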