On Thu, 17 Jan 2019 at 23:24, Bruno Dantas <[email protected]> wrote:
[...]
> pass out proto {tcp udp} to any port 22022 route-to athn0
>
> and this:
>
> pass out proto {tcp udp} to any port 22022 route-to \
> $athn0_gateway
>
> But both result in ssh authentication attempts to hang at
> "debug1: Connecting to..." then timing out.
On point-to-point links just the interface name is sufficient, but this is not so with broadcast media. Ethernet is broadcast media, thus only specifying the interface would further involve ARP to find the target node on that interface's media. If it was an external node then no internal network node would respond to such an ARP request -- unless it's doing Proxy ARP (which is a separate subject). For out-of-scope nodes proper gateways are supposed to be used instead. Pf has to be told which gateway it should use with a given interface.

All in all, something like this would solve that problem for you:

pass out quick proto tcp from (self) to port 22 route-to (athn0 $athn0_gateway) nat-to (athn0)

A clearer design would be based on separate routing tables, though.
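As an added illustration (not part of this thread and not the original poster's configuration), here is a pf.conf fragment that puts the interface-only rule next to the one that names the gateway, and sketches the routing-table alternative the reply mentions. The interface athn0, the macro $athn0_gateway and port 22022 come from the thread; the gateway address, the rtable number and the route(8) lines are assumptions and are marked as such.

```pf
# Added example, not from the thread. Assumes OpenBSD pf syntax as of early
# 2019 (the "route-to (interface gateway)" form), interface athn0 and the
# athn0_gateway macro from the thread, and an SSH server listening on 22022.
athn0_gateway = "192.0.2.1"     # constructed placeholder; use the real next hop

# BROKEN on Ethernet: only the interface is named, so pf has no next hop and
# ARPs for the far-end host on the athn0 segment. Nothing answers for a
# remote address and ssh sits at "debug1: Connecting to..." until it times out.
# pass out quick proto tcp from (self) to any port 22022 route-to athn0

# WORKING: name both the outgoing interface and the gateway reachable on it,
# and source-NAT to athn0's address so replies come back over the same path.
pass out quick proto tcp from (self) to any port 22022 \
    route-to (athn0 $athn0_gateway) nat-to (athn0)

# ALTERNATIVE (assumed setup, not a pf rule): keep policy routing out of
# pf.conf and give the SSH client its own routing table instead, e.g.
#   route -T 1 add default 192.0.2.1
#   route -T 1 exec ssh -p 22022 user@host
# Rtable 1 is an arbitrary choice; the address is the same placeholder as above.

# Syntax-check the file without loading it: pfctl -nf /etc/pf.conf
```

The two pass rules differ only in the route-to argument: the first leaves pf to resolve the destination on the local segment, the second hands the packet to an explicit next hop. The commented route(8) lines show what the reply's "separate routing tables" design looks like in practice, with the policy expressed once in the routing table rather than in per-port filter rules.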

