On Friday 18 April 2008 22:23:28 Jay L. T. Cornwall wrote:
> Jay L. T. Cornwall wrote:
> > Even without 'block out all', the simple presence of:
> > pass out quick on $bridge_if
> >
> > Causes NAT to stop. tcpdump on vr1 shows that packets with private
> > IPs are passing to the WAN (and being filtered upstream). What is
> > causing NAT to stop functioning by the presence of a loose rule? Does
> > the default 'pass all' have additional flags necessary for NAT to
> > function correctly?
>
> OK, I've solved this. Kind of.
>
> By setting the sysctl net.link.bridge.pfil_bridge to 0 from its default
> 1 the 'pass out' rule no longer breaks NAT. Oddly, a 'pass in' rule on
> bridge0 is still required even though if_bridge(4) would suggest
> otherwise:
>
> net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge
> interface, set to 0 to disable it.
>
> OK, whatever. :)
Filtering on a bridge is a bit tricky. I think what happened in your scenario is that a state was created for the flow on *IN* bridge0 which would then prevent NAT from happening. Would you be up to share your complete working setup for future reference?

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
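A pf.conf sketch of the setup the thread converges on, added here as an illustration rather than Jay's actual configuration (which was never posted): the interface names vr1 and bridge0 and the sysctl come from the thread, the private address range is a placeholder, and the rule that broke NAT is kept as a comment next to the setting that fixes it.

```pf
# /etc/pf.conf fragment (constructed example for this thread, not the
# poster's real ruleset; vr1/bridge0 are from the thread, 192.168.1.0/24
# is a placeholder).
#
# Prerequisite in /etc/sysctl.conf, as found in the thread:
#   net.link.bridge.pfil_bridge=0
# With the default of 1 the bridge interface is filtered too, and per the
# reply a state created on IN bridge0 then matched the flow on vr1 before
# any translation was applied, so private addresses leaked to the WAN.

ext_if    = "vr1"        # WAN side, where NAT happens
bridge_if = "bridge0"
lan_net   = "192.168.1.0/24"   # placeholder private range behind the bridge

# Translate private addresses to the current address of vr1.
nat on $ext_if from $lan_net to any -> ($ext_if)

# The thread found a 'pass in' on bridge0 still necessary even with
# pfil_bridge=0, so it stays.
pass in on $bridge_if

# The rule that stopped NAT while pfil_bridge=1. With the sysctl at 0 the
# bridge interface is no longer filtered, so it no longer creates state
# ahead of the nat rule; left here commented as the "before" setting.
# pass out quick on $bridge_if

# Let the translated traffic leave on the WAN interface with state.
pass out on $ext_if keep state
```

Check the result with tcpdump on vr1 as in the thread: after loading the rules only the vr1 address should appear as source on outbound packets.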
