On 2015/05/08 11:45, Erwin Schliske wrote:
> >
> > Can you just use this?
> >
> > ike esp from {192.168.10.0/24 (192.168.0.0/22)} to 10.78.1.0/24 [...]
> >
> > This would mean that 192.168.0.0/24 is covered in the flow as well, but
> > unless you also have a matching NAT rule, packets from 192.168.0.0 won't
> > make it through.
>
>
> This would do it with my example. In real life I have subnets from 10/8 and
> 172.16/12 range. So this workaround is unfortunately not possible.
It might possibly work with 0.0.0.0/0 (though obviously this requires
more care with pf rules). I've done similar but it fits into 192/6 so it
avoids the possible corner case of a /0 prefix length.
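To make the aggregation argument in this thread concrete (which address space a single covering prefix sweeps into the flow beyond the intended subnets, and when the cover degenerates to 0.0.0.0/0), here is an added Python helper; it is not from the thread or from OpenBSD, the function names are my own, and the sample subnets are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

def covering_prefix(nets: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every network in `nets`.

    Walks the first network up one prefix length at a time until all the
    others fit; stops at 0.0.0.0/0, the /0 corner case mentioned above.
    """
    nets = [ipaddress.ip_network(n, strict=True) for n in nets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        if cover.prefixlen == 0:
            break
        cover = cover.supernet()
    return cover

def swept_in(nets: Iterable[str], cover: ipaddress.IPv4Network) -> List[ipaddress.IPv4Network]:
    """Address space inside `cover` that belongs to none of the intended subnets.

    Packets from these ranges match a flow built on `cover`, so they need the
    same matching NAT rule as the real subnets, or an explicit pf rule.
    """
    nets = [ipaddress.ip_network(n, strict=True) for n in nets]
    remaining = [cover]
    for n in nets:
        nxt = []
        for r in remaining:
            if r.subnet_of(n):
                continue                              # wholly intended space
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))      # carve the subnet out
            else:
                nxt.append(r)
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))

def report(nets: Iterable[str]) -> Tuple[str, List[str]]:
    nets = list(nets)
    cover = covering_prefix(nets)
    return str(cover), [str(x) for x in swept_in(nets, cover)]

if __name__ == "__main__":
    # Constructed sample: three /24s only aggregate into a /22, which also
    # sweeps 192.168.0.0/24 into the flow (the case noted in the thread).
    print(report(["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]))
    # The real-life case from the thread: 10/8 and 172.16/12 share no
    # leading bits, so the only covering prefix is 0.0.0.0/0.
    print(report(["10.0.0.0/8", "172.16.0.0/12"]))
```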