On Tuesday, 03 November 2015 12:44:19 AM Kristof Provost wrote:
> > On 02 Nov 2015, at 15:07, Shawn Webb <shawn.w...@hardenedbsd.org> wrote:
> > 
> > On Monday, 02 November 2015 02:59:03 PM Kristof Provost wrote:
> >> Can you add your pf.conf too?
> >> 
> >> I’ll try upgrading my machine to something beyond 290228 to see if I can
> >> reproduce it. It’s on r289635 now, and seems to be fine. My VNET jails
> >> certainly get their traffic NATed.
> > 
> > Sorry about that! I should've included it. It's pasted here:
> > http://ix.io/lLI
> > 
> > It's probably not the most concise. This is a laptop that can have one of
> > three interfaces online: re0 (ethernet on the laptop), wlan0 (you can
> > guess
> > what that is), or ue0 (usb tethering from my phone). I used to be able to
> > specify NATing like that and pf would automatically figure out which
> > outgoing device to use. Seems like that's broken now.
> I’ve updated my machine and things still seem to be working.
> As you said, it’s probably related to the multiple nat entries.
> I’ll have to make a test setup, which’ll take a bit of time, especially
> since I’m messing with  the host machine at the moment.

I've figured it out. I've removed all rules and went with a barebones config.

Right now, the laptop I'm using for NAT has an outbound interface of wlan0 
with an IP of (from DHCP). The following line works:

nat on wlan0 from any to any ->

The following line doesn't:

nat on wlan0 from any to any -> (wlan0)

Nor does this:

nat on wlan0 from any to any -> wlan0

From the Handbook, the lines that don't work are prefered especially the first 
non-working line, since using (wlan0) would cause pf to pick up wlan0's IP 
dynamically (which is good, since wlan0 is DHCP'd).

So it seems at some point of time, doing NAT dynamically broke.

Shawn Webb

GPG Key ID:                0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to