On 11/mar/09, at 20:50, David DeSimone wrote:
> Gianni <[email protected]> wrote:
>> With the following nat rules pfctl lists duplicate entries, can anyone
>> explain why this is?
>>
>> ext_if = "tun0"
>> nat on $ext_if from $localnet to any -> ($ext_if)
>> no nat on $ext_if from $localnet to $vpn_nets
>
> What is the definition of $localnet?
int_if = "vr0"
localnet = $int_if:network
From your question I now see the answer:
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC>
        inet 192.168.200.250 netmask 0xffffff00 broadcast 192.168.200.255
        inet 192.168.200.249 netmask 0xffffff00 broadcast 192.168.200.255
I've got 2 ip addresses on the interface and the :network shortcut
does not take into account that they are part of the same subnet.
If I do localnet = "192.168.200.0/24" it's fine, I don't get duplicate
entries.
>> # pfctl -s nat
>> nat on tun0 inet from 192.168.200.0/24 to any -> (tun0) round-robin
>> nat on tun0 inet from 192.168.200.0/24 to any -> (tun0) round-robin
>> no nat on tun0 inet from 192.168.200.0/24 to 192.168.0.0/24
>> no nat on tun0 inet from 192.168.200.0/24 to 192.168.0.0/24
>
> Also, don't you think you should put the "no nat" rule before the "nat"
> rules?
Yes probably!
Because first matching nat rule wins right?
Thanks
-Gianni
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
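For reference, the two points raised in the thread (the duplicated expansion of $int_if:network and the ordering of "no nat" relative to "nat") combined into one pf.conf fragment. This is an added example, not Gianni's or David's configuration; the interface names and the 192.168.200.0/24 and 192.168.0.0/24 ranges are taken from the thread, the exact form of the vpn_nets list is an assumption.

```conf
# pf.conf fragment (added example, not the original poster's config).
# Interface names and address ranges follow the thread; the exact
# vpn_nets list is assumed for illustration.
ext_if   = "tun0"
int_if   = "vr0"

# A literal CIDR instead of $int_if:network. vr0 carries two addresses
# in the same /24; ":network" expands once per address, so every rule
# that uses it is loaded twice and shows up twice in "pfctl -s nat".
localnet = "192.168.200.0/24"
vpn_nets = "{ 192.168.0.0/24 }"

# Translation (nat/rdr/binat) rules are first-match: the "no nat"
# exception must come before the "nat" rule, otherwise the "nat" rule
# matches first and traffic to the VPN networks is translated anyway.
no nat on $ext_if from $localnet to $vpn_nets
nat on $ext_if from $localnet to any -> ($ext_if)
```

Check it with `pfctl -nf /etc/pf.conf` (parse only, nothing is loaded), then load it and confirm with `pfctl -s nat` that each rule appears once and that the "no nat" line is listed ahead of the "nat" line.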