On Tuesday, 03 November 2015 12:44:19 AM Kristof Provost wrote:
> > On 02 Nov 2015, at 15:07, Shawn Webb <shawn.w...@hardenedbsd.org> wrote:
> >
> > On Monday, 02 November 2015 02:59:03 PM Kristof Provost wrote:
> >> Can you add your pf.conf too?
> >>
> >> I’ll try upgrading my machine to something beyond 290228 to see if I can
> >> reproduce it. It’s on r289635 now, and seems to be fine. My VNET jails
> >> certainly get their traffic NATed.
> >
> > Sorry about that! I should've included it. It's pasted here:
> > http://ix.io/lLI
> >
> > It's probably not the most concise. This is a laptop that can have one of
> > three interfaces online: re0 (ethernet on the laptop), wlan0 (you can
> > guess what that is), or ue0 (usb tethering from my phone). I used to be able to
> > specify NATing like that and pf would automatically figure out which
> > outgoing device to use. Seems like that's broken now.
>
> I’ve updated my machine and things still seem to be working.
> As you said, it’s probably related to the multiple nat entries.
>
> I’ll have to make a test setup, which’ll take a bit of time, especially
> since I’m messing with the host machine at the moment.

I've figured it out. I've removed all rules and went with a barebones config.
Right now, the laptop I'm using for NAT has an outbound interface of wlan0
with an IP of 188.8.131.52 (from DHCP).

The following line works:

    nat on wlan0 from any to any -> 184.108.40.206

The following line doesn't:

    nat on wlan0 from any to any -> (wlan0)

Nor does this:

    nat on wlan0 from any to any -> wlan0

From the Handbook, the lines that don't work are preferred, especially the
first non-working line, since using (wlan0) would cause pf to pick up wlan0's
IP dynamically (which is good, since wlan0 is DHCP'd).

So it seems at some point of time, doing NAT dynamically broke.

-- 
Shawn Webb
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE