On 2021-12-20, beebeet...@posteo.de <beebeet...@posteo.de> wrote: > > pass out on egress from trunk:network to any nat-to egress > > pass out on egress > > Looks like you (incorrectly) assumed that first matching rule wins?
I suggest changing this to a "match ... nat-to" rule. You might want to add "inet" unkess you want to nat IPv6 as well.
