Using separate interfaces with rdr

[lgrn]

I'm trying out Bastille, and I have a setup where I'm using two different interfaces: one regular ethernet (em0) for regular outgoing traffic, and one "vpn-interface" (let's call it vpn0) for things like monitoring to my BSD host.

As I understand it, setting ext_if in pf.conf is not only for convenience in rules using that variable, but is also assumed by Bastille to be the interface that traffic will be hitting when doing redirects (rdr). The problem for me is that I don't want to create a redirect for my ext_if, but for vpn0. So instead of:

rdr pass on em0 inet proto tcp from any to any port = 2221 -> 10.1.1.1 port 2221

I would actually want it to say something like this (vpn0):

rdr pass on vpn0 inet proto tcp from any to any port = 2221 -> 10.1.1.1 port 2221

I can't find any way to set an interface when using bastille rdr, so I'm assuming this functionality doesn't exist and always assumes ext_if -- but is it possible in any sane way? Should I not use bastille rdr at all, and instead and just set something up in pf.conf, and if so any suggestions on what?

I don't think simply changing ext_if is a good idea, because this vpn0 interface does not have regular Internet access.

[adriel-tech]

Bastille rdr does not work on secondary interfaces. What I've been doing for a few years is what you are suggesting here.
An example I manually add rdr rules to pf.conf passing on my mesh vpn interface.

rdr pass on $zt_if inet proto tcp from any to $zt_if port 445 -> 10.10.10.11 port 445

Assuming this is a cloud VM or something, I would suggest leaving the default ext_if alone and manually setting all the RDRs in pf.conf for your vpn interface, which is what I do. If this server is on a lan, you can use bastille rdr as normal for lan access but manually do RDRs for your VPN. Having an interface option to rdr would be a nice feature though.