From 5a08b3e0bd7191a6f2a70188c8213d4b25b7d788 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sun, 6 Oct 2024 21:34:12 -0400
Subject: [PATCH] Update command to route private kubernetes services.

---
 ansible/roles/firewall/files/mrmanager_pf.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/firewall/files/mrmanager_pf.conf b/ansible/roles/firewall/files/mrmanager_pf.conf
index 0e1e43a..e4cc0f0 100644
--- a/ansible/roles/firewall/files/mrmanager_pf.conf
+++ b/ansible/roles/firewall/files/mrmanager_pf.conf
@@ -33,7 +33,7 @@ scrub in on $ext_if all fragment reassemble
 # redirections
 nat on $ext_if inet from ! ($ext_if) to ! ($ext_if) -> ($ext_if)
-rdr pass proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
+rdr pass on jail_nat proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
 rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 -> 10.215.1.204 port 6443
 rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
@@ -63,6 +63,7 @@ pass quick on $allow
 # Single interface kubernetes cluster is working with the following run on mrmanager:
 # doas route add -host 74.80.180.139 -interface jail_nat
+# doas route add -net 10.129.0.0/16 -interface jail_nat
 # doas sysctl net.link.ether.inet.proxyall=1
 # Plus this in pf.conf:
 # pass quick from any to 74.80.180.139
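Review bot: The `pass` modifier on the new `rdr pass on jail_nat ... tag REDIREXTERNAL` line makes packets matching it bypass the filter ruleset, so the `tag REDIREXTERNAL` it sets cannot be consumed by any `tagged REDIREXTERNAL` filter rule — unless that tag is used by another translation rule outside this hunk, it is dead. If the intent is to gate or log the forced-DNS flows with filter rules, drop `pass` from the rdr and add an explicit `pass in quick on jail_nat proto {tcp, udp} tagged REDIREXTERNAL` (and the matching outbound pass on `$ext_if`) so the policy is visible in the filter section rather than hidden in a translation rule. Scoping the rule to `jail_nat` is an improvement over the removed version, which matched on every interface; consider also replacing the bare `1.1.1.1` and `jail_nat` with macros (`jail_if = "jail_nat"`, `dns_fwd = "1.1.1.1"`) so the same literals in the 6443 rdr rules stay in sync. Note that the 6443 redirect on `$ext_if` immediately below is likewise `rdr pass` and therefore exposes the API server without filter evaluation; that line is untouched here, but the same `pass`-bypass caveat applies.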
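Review bot: The added `route add -net 10.129.0.0/16 -interface jail_nat` line documents a manual, unpersisted step inside a file that Ansible deploys, and it does not say what 10.129.0.0/16 is, so the next maintainer cannot tell whether it is the cluster's service CIDR, pod CIDR, or something else. Combined with the `net.link.ether.inet.proxyall=1` sysctl on the next line, this route also widens the host's proxy-ARP footprint: mrmanager will answer ARP for the entire /16 on its other segments, which is a much larger claim than the single `-host 74.80.180.139` route above it — worth confirming that is intended. I would reword the comment to `# doas route add -net 10.129.0.0/16 -interface jail_nat  # presumably the k8s service CIDR — confirm; not persisted, belongs in rc.conf static_routes or an ansible task; note proxyall=1 below makes the host proxy-ARP this whole /16` so the intent, the persistence gap, and the proxy-ARP side effect are recorded next to the command.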