Solved pf - handling wired and wireless interface

[mefizto]

Greetings all,

I have a pf on a laptop, which I have tested with either the LAN or the WLAN physical interface. However, I cannot figure out a syntax that would allow me to define both interfaces. Trying

ext_if = "{fxp0, wpi0}"

does not work, pf complains about wrong syntax of

antispoof quick for $ext_if
set loginterface $ext_if

My understanding is that pf cannot expand the

$ext_if

The only solution I can think of is to define

ext_if = "fxp0"
ext_if = "wpi0"

and comment out the unused interface. However, this is prone to frustration when I forget to do so and all of sudden network does not work.

Does anyone have a more elegant solution?

Kindest regards,

M

 

[gkontos]

That is because one interface can not be consisted by two. The only way to bypass this, assuming you want both to work as external interfaces, is to use LAG in failover mode. See here for more information.

 

[junovitch@]

You can only have one interface for the loginterface. Otherwise, the pf.conf(5) syntax would look like this:

wan_ifs = "{" gif0 em3 "}"
block drop log on $wan_ifs

 

[mefizto]

Hi gkontos,

Thank you for the reference to lagg(4). Following the example 31.3, I would then define:

ext_if="{lagg0}"

Is this correct?

Hi junovitch,

Thank you for the reply. However, looking at pf.conf(5), I cannot find/understand the double " around { and } in the first line. Can you provide a reference/explanation what is it doing?

Kindest regards,

M

 

[junovitch@]

From pf.conf(5):

           ext_if = "kue0"
           all_ifs = "{" $ext_if lo0 "}"
...
     ifspec         = ( [ "!" ] ( interface-name | interface-group ) ) |
                      "{" interface-list "}"

 

[mefizto]

Hi junovitch,

Thank you for the reply; I understand what the syntax does. I am wondering where is the explanation of the double "". I would have thought that the code should be:

ext_if = "kue0"
all_ifs = "{ $ext_if lo0 }"

i.e., single quotes.

Kindest regards,

M

 

[junovitch@]

After looking a bit closer, this is valid syntax using single quotes with defined interface names. I think the main reason you saw errors is because you can only have only interface tied to the loginterface keyword.

wan_ifs = "{ gif0 em3 }"

For the double quotes, that appears to come into play when you want to use macros. The example above with an $ext_if variable inside another macro definition is a good example of that. The pf.conf(5) explains this in a bit more detail.

Macros can be defined that will later be expanded in context. Macro names must start with a letter, and may contain letters, digits and underscores. Macro names may not be reserved words (for example pass, in, out). Macros are not expanded inside quotes.

 

[mefizto]

Hi junovitch,

thank you for the explanation.

Kindest regards,

M