On Wed, Aug 28, 2019 at 4:39 PM Bernd Naumann <bena@xxxxxxxxxxxxxxx> wrote:
>
> Hi,
>
> I want to set up a firewall HA cluster providing SNAT/Masquerade for
> clients.
>
> From `man iptables-extensions` (1.6.1, kernel 4.19) I know that it is
> not possible to specify a src addr for `-j MASQUERADE`, but `SNAT`
> provides `--to-source`. And `MASQUERADE` only uses the first/primary
> address of the outgoing interface, right?
>
> So SNAT is the only option here?
>

Hi, yes SNAT is preferred.

> Question: The cluster would run as active/backup, and in case of a
> fail-over it would simply sync internal and external caches and
> fail-over the secondary (virtual) address?
>
> Are there any other options?
>

The target CLUSTERIP can be used for active/active. Check it out.

Cheers.
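As an added illustration of the SNAT-with-`--to-source` approach the reply recommends (this is example code, not part of the thread and not from the netfilter project), the script below generates an iptables-restore `nat` table that translates LAN clients to a floating virtual address, so that whichever cluster node currently holds the VIP uses the same translated source address instead of the primary address of its outgoing interface, which is what MASQUERADE would pick. The interface name `eth0`, the VIP `203.0.113.10` and the LAN prefix `10.0.0.0/8` are constructed placeholders; the connection-tracking state sync mentioned in the question (conntrackd's internal and external caches) is outside what this snippet does.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: build and optionally load a
# nat table that SNATs LAN clients to a cluster VIP with --to-source.
# Interface, VIP and LAN prefix below are constructed placeholder values.
set -eu

# gen_nat_rules WAN_IF VIP LAN_PREFIX
# Emits a nat table in iptables-restore format. The POSTROUTING rule uses
# SNAT --to-source so the translated address is the VIP, not whatever
# primary address the active node happens to have on WAN_IF.
gen_nat_rules() {
    wan_if=$1; vip=$2; lan=$3
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s $lan -o $wan_if -j SNAT --to-source $vip" \
        'COMMIT'
}

# check_no_masquerade RULESET
# Returns 0 when the ruleset contains no MASQUERADE target; a MASQUERADE
# rule would silently translate to the interface's primary address instead
# of the VIP after a fail-over.
check_no_masquerade() {
    ! printf '%s\n' "$1" | grep -q -- '-j MASQUERADE'
}

# apply_nat_rules WAN_IF VIP LAN_PREFIX
# Loads the generated table with iptables-restore -n (--noflush), i.e. it
# appends to the existing nat table instead of replacing it. Requires root
# and an iptables-restore binary; returns 1 otherwise so callers can tell.
apply_nat_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        return 1
    fi
    gen_nat_rules "$1" "$2" "$3" | iptables-restore -n
}

# Usage with constructed values: print the table both cluster nodes should
# load, so the node holding the VIP translates with the same source address.
gen_nat_rules eth0 203.0.113.10 10.0.0.0/8
```

Both nodes load the identical table; only the VIP moves on fail-over, so no NAT rule change is needed on the node that takes over.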