On Thu, May 11, 2023 at 07:27:22AM +1000, Jonathan Matthew wrote:
>
> This looks like the thing I ran into a while ago where I had an overly
> broad nat-to rule for outgoing traffic that applied to traffic from the
> host as well as the networks behind it. This meant dhcpleased's unicast
> packets appeared to come from a high port, so my provider's dhcp server
> rejected them. It looks like David is actually using the same provider
> as me.
>
> If there's a pf rule like 'match out on $iface nat-to ($iface)', making
> that only apply to traffic received on another interface will probably
> help.

The nat rule I have

    match out on egress nat-to (egress)
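
Added example, not part of the original messages: the rule posted above next to a narrowed form that follows the quoted suggestion of limiting NAT to traffic received on another interface. The macro `int_if` and the interface name `em1` are assumptions; substitute the real internal interface.

```pf
# /etc/pf.conf fragment (illustrative; int_if and em1 are assumed names)
int_if = "em1"    # assumption: the interface facing the internal network

# Broad form, as posted: translates every packet leaving egress, including
# packets the firewall itself originates. Per the quoted message, this is
# what made dhcpleased's unicast packets appear to come from a high port.
# match out on egress nat-to (egress)

# Narrowed form: translate only packets that entered on the internal
# interface, so locally generated traffic is not rewritten and keeps its
# own source port.
match out on egress received-on $int_if nat-to (egress)

# Check syntax without loading:   pfctl -nf /etc/pf.conf
# Load and list the ruleset:      pfctl -f /etc/pf.conf && pfctl -sr
# Watch DHCP source ports:        tcpdump -ni <egress-interface> port 67 or port 68
```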