using first alias as masquerading ip on pf.conf


using first alias as masquerading ip on pf.conf

Federico Donati
Hi all,

I have a couple of firewalls with carp configured and I need them to
reach the Internet even when they are in BACKUP state.
I'm managing pf via Ansible/GIT, so I'd like to keep the configuration
of pf.conf as standard and simple as possible.

Usually, I use the notation "nat-to ($interface)" to let pf use the
correct ip, but in this case I've BGP configured and the provider forces
me to use a complex configuration with an alias on the external
interface, like this:

# ifconfig vlan835
vlan835: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr b0:26:28:1e:e6:6e
        index 13 priority 0 llprio 3
        encap: vnetid 835 parent trunk0 txprio packet rxprio outer
        groups: vlan egress
        media: Ethernet autoselect
        status: active
        inet 1.1.1.1 netmask 0xfffffff0 broadcast 1.1.1.255
        inet 2.2.2.2 netmask 0xfffffff0 broadcast 2.2.2.255

So, 1.1.1.1 is the "transit ip" for the BGP, the one we must use to talk
with the provider's router and that I can't use as masquerading ip.

The ip 2.2.2.2 is the one that I should use to mask my traffic to the
Internet, and is different on each firewall.

Is there a way to tell pf to use the first alias of interface to mask
the traffic? Something like "nat-to (vlan835:1)"...

I would like to keep things simple and avoid using the include
directive, if possible.

Thank you for your suggestions.

Bye


Re: using first alias as masquerading ip on pf.conf

Paul de Weerd
On Wed, Feb 12, 2020 at 12:09:12PM +0100, Federico Donati wrote:
| Hi all,
|
| I have a couple of firewalls with carp configured and I need them to
| reach the Internet even when they are in BACKUP state.
| I'm managing pf via Ansible/GIT, so I'd like to keep the
| configuration of pf.conf standard and simple as much as possible.
|
| Usually, I use the notation "nat-to ($interface)" to let pf use the
| correct ip, but in this case I've BGP configured and the provider
| forces me to use a complex configuration with an alias on the
| external interface, like this:
|
| # ifconfig vlan835
| vlan835: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
| lladdr b0:26:28:1e:e6:6e
| index 13 priority 0 llprio 3
| encap: vnetid 835 parent trunk0 txprio packet rxprio outer
| groups: vlan egress
| media: Ethernet autoselect
| status: active
| inet 1.1.1.1 netmask 0xfffffff0 broadcast 1.1.1.255
| inet 2.2.2.2 netmask 0xfffffff0 broadcast 2.2.2.255

Surely the provider doesn't force 1.1.1.1 to be the "primary" and
2.2.2.2 to be the alias?  How could they tell the difference?

| So, 1.1.1.1 is the "transit ip" for the BGP, the one we must use to
| talk with the provider's router and that I can't use as masquerading
| ip.
|
| The ip 2.2.2.2 is the one that I should use to mask my traffic to
| the Internet, and is different on each firewall.
|
| Is there a way to tell pf to use the first alias of interface to
| mask the traffic? Something like "nat-to (vlan835:1)"...

Could you make 1.1.1.1 the alias and 2.2.2.2 the primary address?
Then your NAT rule could simply use (vlan835:0).

Alternatively, you could refer to a hostname that you then specify in
/etc/hosts (with a different address on each host).

As far as I know, there's no way to refer to the 'first alias'.  What
is the 'first alias' anyway?  The first one you configured?  Or the
last one?  Since you're using the '(interface)' specification (with
the parentheses), you're using dynamically changing addresses .. what
does that mean in the context of 'first alias'?

| I would like to keep things simple and avoid to use the include
| directive, if possible.

I tend to dislike the whole IP address "aliases" thing more and more
recently... :)

Cheers,

Paul 'WEiRD' de Weerd

--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 


Re: using first alias as masquerading ip on pf.conf

Sebastian Benoit
Paul de Weerd([hidden email]) on 2020.02.12 12:46:02 +0100:

> On Wed, Feb 12, 2020 at 12:09:12PM +0100, Federico Donati wrote:
> | Hi all,
> |
> | I have a couple of firewalls with carp configured and I need them to
> | reach the Internet even when they are in BACKUP state.
> | I'm managing pf via Ansible/GIT, so I'd like to keep the
> | configuration of pf.conf standard and simple as much as possible.
> |
> | Usually, I use the notation "nat-to ($interface)" to let pf use the
> | correct ip, but in this case I've BGP configured and the provider
> | forces me to use a complex configuration with an alias on the
> | external interface, like this:
> |
> | # ifconfig vlan835
> | vlan835: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> | lladdr b0:26:28:1e:e6:6e
> | index 13 priority 0 llprio 3
> | encap: vnetid 835 parent trunk0 txprio packet rxprio outer
> | groups: vlan egress
> | media: Ethernet autoselect
> | status: active
> | inet 1.1.1.1 netmask 0xfffffff0 broadcast 1.1.1.255
> | inet 2.2.2.2 netmask 0xfffffff0 broadcast 2.2.2.255
>
> Surely the provider doesn't force 1.1.1.1 to be the "primary" and
> 2.2.2.2 to be the alias?  How could they tell the difference?
>
> | So, 1.1.1.1 is the "transit ip" for the BGP, the one we must use to
> | talk with the provider's router and that I can't use as masquerading
> | ip.
> |
> | The ip 2.2.2.2 is the one that I should use to mask my traffic to
> | the Internet, and is different on each firewall.
> |
> | Is there a way to tell pf to use the first alias of interface to
> | mask the traffic? Something like "nat-to (vlan835:1)"...
>
> Could you make 1.1.1.1 the alias and 2.2.2.2 the primary address?
> Then your NAT rule could simply use (vlan835:0).
>
> Alternatively, you could refer to a hostname that you then specify in
> /etc/hosts (with a different address on each host).

If you don't want to go that route, you could have a file with a local
definition:

$ cat /etc/pf/local
natip="2.2.2.2"

$ cat /etc/pf.conf
include "/etc/pf/local"
[...]
pass in on em0 to any nat-to $natip

Then you have pf.conf identical on both machines and /etc/pf/local per
machine (and possibly generated by ansible differently on each box).

> As far as I know, there's no way to refer to the 'first alias'.  What
> is the 'first alias' anyway?  The first one you configured?  Or the
> last one?  Since you're using the '(interface)' specification (with
> the parentheses), you're using dynamically changing addresses .. what
> does that mean in the context of 'first alias'?

I would stay away from the :0 syntax as much as possible. It does not do
what you think it does in IPv6, and in fact there were discussions lately to
remove it completely. Even though the ifconfig manpage and command line syntax
suggest otherwise, there is no difference between primary address and aliases
on an interface; it's all the same to the kernel.

/Benno

> | I would like to keep things simple and avoid to use the include
> | directive, if possible.

I think it's simpler than fiddling with /etc/hosts ;)

> I tend to dislike the whole IP address "aliases" thing more and more
> recently... :)
>
> Cheers,
>
> Paul 'WEiRD' de Weerd
>
> --
> >++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
> +++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
>                  http://www.weirdnet.nl/                 
>

--


Re: using first alias as masquerading ip on pf.conf

Stuart Henderson
On 2020-02-12, Sebastian Benoit <[hidden email]> wrote:

> Paul de Weerd([hidden email]) on 2020.02.12 12:46:02 +0100:
>> On Wed, Feb 12, 2020 at 12:09:12PM +0100, Federico Donati wrote:
>> | Hi all,
>> |
>> | I have a couple of firewalls with carp configured and I need them to
>> | reach the Internet even when they are in BACKUP state.
>> | I'm managing pf via Ansible/GIT, so I'd like to keep the
>> | configuration of pf.conf standard and simple as much as possible.
>> |
>> | Usually, I use the notation "nat-to ($interface)" to let pf use the
>> | correct ip, but in this case I've BGP configured and the provider
>> | forces me to use a complex configuration with an alias on the
>> | external interface, like this:
>> |
>> | # ifconfig vlan835
>> | vlan835: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>> | lladdr b0:26:28:1e:e6:6e
>> | index 13 priority 0 llprio 3
>> | encap: vnetid 835 parent trunk0 txprio packet rxprio outer
>> | groups: vlan egress
>> | media: Ethernet autoselect
>> | status: active
>> | inet 1.1.1.1 netmask 0xfffffff0 broadcast 1.1.1.255
>> | inet 2.2.2.2 netmask 0xfffffff0 broadcast 2.2.2.255

Does the 2.2.2.2 address specifically need to be on this interface (i.e.
do you need to answer ARP for it)? If not then maybe you could just put
it on a loopback instead (e.g. lo1) then things are simple.

>> Alternatively, you could refer to a hostname that you then specify in
>> /etc/hosts (with a different address on each host).
>
> If you don't want to go that route, you could have a file with a local
> definition:
>
> $ cat /etc/pf/local
> natip="2.2.2.2"
>
> $ cat /etc/pf.conf
> include "/etc/pf/local"
> [...]
> pass in on em0 to any nat-to $natip
>
> Then you have pf.conf identical on both machines and /etc/pf/local per
> machine (and possibly generated by ansible differently on each box).

Or just use a j2 template rather than a plain copied file and set it
per-host from a variable in ansible. Lots of alternatives..
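
The per-host include file that Sebastian Benoit proposed, and the per-host variable Stuart Henderson suggests feeding it from, both need the correct NAT address chosen on each box. The following is an added example, not code from the thread or from OpenBSD: instead of asking pf for a "first alias" (which, as the replies point out, is not a defined thing), it lists the IPv4 addresses on the egress interface and removes the BGP transit address by name, which is the one fact the administrator actually knows, then renders the include file. The transit address 1.1.1.1, the macro name natip, the path /etc/pf/local and the ifconfig sample are taken from the posts above or assumed here; they are not defaults of anything.

```shell
#!/bin/sh
# Added example (not from the thread): derive the per-host NAT address
# for pf from the egress interface and render the /etc/pf/local include
# file, so /etc/pf.conf itself can stay identical on both CARP peers.
# Assumptions: transit address 1.1.1.1, macro "natip", path /etc/pf/local
# and the ifconfig sample are taken from the thread or invented here.
set -eu

# Constructed sample, copied from the original post's 'ifconfig vlan835'.
SAMPLE_IFCONFIG='vlan835: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr b0:26:28:1e:e6:6e
        groups: vlan egress
        inet 1.1.1.1 netmask 0xfffffff0 broadcast 1.1.1.255
        inet 2.2.2.2 netmask 0xfffffff0 broadcast 2.2.2.255'

# pick_natip TRANSIT: read ifconfig output on stdin and print the single
# IPv4 address that is not TRANSIT. Fails unless exactly one candidate
# exists, so a box with a forgotten or extra address does not silently
# NAT behind the wrong IP. inet6 lines are ignored on purpose.
pick_natip() {
    awk -v t="$1" '
        $1 == "inet" && $2 != t { cand[n++] = $2 }
        END {
            if (n + 0 != 1) {
                printf "pick_natip: expected 1 candidate, got %d\n", n + 0 > "/dev/stderr"
                exit 1
            }
            print cand[0]
        }'
}

# render_local ADDR: body of the per-host include file, i.e. the one
# line that differs between the two firewalls.
render_local() {
    printf 'natip="%s"\n' "$1"
}

# install_local ADDR FILE: write the include file atomically with the
# same 0600 mode pf.conf normally has, then syntax-check the full
# ruleset with pfctl (when present) before anything is reloaded.
install_local() {
    addr=$1; dest=$2
    tmp="$dest.tmp.$$"
    ( umask 077; render_local "$addr" > "$tmp" )
    mv "$tmp" "$dest"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf /etc/pf.conf
    fi
}

# Offline demonstration on the constructed sample. On a real firewall the
# printf becomes:  ifconfig vlan835 | pick_natip 1.1.1.1
natip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | pick_natip 1.1.1.1)
render_local "$natip"
```

On the firewall, `install_local "$(ifconfig vlan835 | pick_natip 1.1.1.1)" /etc/pf/local` followed by `pfctl -f /etc/pf.conf` loads the unchanged pf.conf with its `include "/etc/pf/local"` line, and the `nat-to $natip` rule then uses a fixed address rather than anything tied to the interface's address order. If the address is already kept in Ansible host_vars, render_local is just the content of the j2 template and pick_natip becomes a pre-flight check that the variable matches what is really configured on the box.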