Jay L. T. Cornwall wrote:

Even without 'block out all', the simple presence of:
  pass out quick on $bridge_if

Causes NAT to stop. tcpdump on vr1 shows that packets with private IPs
are passing to the WAN (and being filtered upstream). What is causing
NAT to stop functioning by the presence of a loose rule? Does the
default 'pass all' have additional flags necessary for NAT to function
correctly?

OK, I've solved this. Kind of.

By setting the sysctl net.link.bridge.pfil_bridge to 0 from its default 1, the 'pass out' rule no longer breaks NAT. Oddly, a 'pass in' rule on bridge0 is still required even though if_bridge(4) would suggest otherwise:

net.link.bridge.pfil_bridge  Set to 1 to enable filtering on the bridge
                             interface, set to 0 to disable it.

OK, whatever. :)

--
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
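The working configuration the post arrives at, written out as an added example (this is not Jay's pf.conf and not part of the original thread). Interface names vr1 (WAN) and bridge0 are taken from the post; the LAN subnet 192.168.1.0/24, the macro names and the rule set as a whole are assumptions:

```pf
# Added example, not from the original post. Assumes:
#   vr1      = WAN interface (from the post)
#   bridge0  = bridge facing the LAN (from the post)
#   192.168.1.0/24 = private LAN behind the bridge (assumed)
# Requires net.link.bridge.pfil_bridge=0, as described in the post.
wan_if    = "vr1"
bridge_if = "bridge0"
lan_net   = "192.168.1.0/24"

# Translation rules come before filter rules. Private LAN sources are
# rewritten to the WAN interface's address when they leave vr1.
nat on $wan_if from $lan_net to any -> ($wan_if)

# Default deny; only traffic matched below is allowed through.
block all

# The post found a 'pass in' on the bridge is still required even with
# pfil_bridge set to 0.
pass in quick on $bridge_if from $lan_net

# Filter outbound traffic only on the WAN interface, after translation.
# No 'pass out' on $bridge_if: with pfil_bridge=1 the post observed that
# such a rule let untranslated private addresses reach the WAN.
pass out quick on $wan_if keep state
```

Put `net.link.bridge.pfil_bridge=0` in /etc/sysctl.conf (or apply it with `sysctl net.link.bridge.pfil_bridge=0`) before loading the rules with `pfctl -f /etc/pf.conf`. The check that matters is the one the post used to spot the failure: a capture on the WAN side, for example `tcpdump -ni vr1 net 192.168.0.0/16`, should show no packets with private source addresses leaving the box; if it does, NAT is being bypassed and the upstream filter is the only thing stopping the leak.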