05.06.2026 20:21, Atanas Vladimirov wrote:
On 2026-06-05 17:38, kasak wrote:
04.06.2026 23:48, Atanas Vladimirov wrote:
On 2026-06-04 21:48, kasak wrote:
Hello misc!

I have this tunnel on my router:

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1340
         index 14 priority 0 llprio 3
         groups: tun
         status: active
         inet 192.168.40.60 --> 192.168.40.60 netmask 0xffffffff

And these routes:

route -n show | grep tun
192.168.40/24      192.168.40.60      UGS        0      416    -    8 tun0
192.168.40.60      192.168.40.60      UHhl       1        2    -    1 tun0
192.168.40.60      192.168.40.60      UH         0        0    -    8 tun0

I want to route one of my local ips to this tunnel:

pass out inet from 192.168.0.150 route-to 192.168.40.1

And this works like a charm, but only when the remote host knows about my local 192.168.0.0/24 network.

Can I somehow first do nat-to 192.168.40.60, and after that do route-to 192.168.40.1?

To avoid having to add a route on the remote host?

Thank you in advance
Hi,

You just need something like this:

# NAT tun0
match out log on tun0 inet from 192.168.0.150 \
    nat-to (tun0)

and you can drop your pass .... route-to rule
I'm afraid it's not so easy :(
pflog is silent, nothing works.

Here is full pf.conf btw:

wan=em0
lan=em1
lan_net=$lan:network

table <tv> { 192.168.0.150, 192.168.0.151, 192.168.0.119 }

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

block in on egress

pass proto { icmp, ipv6-icmp }

pass in on $wan proto { tcp, udp } to port { domain, domain-s }
pass in on $wan inet proto tcp to port { www, https }

pass out on $wan inet from $lan_net nat-to $wan:0

#pass out inet from <tv> route-to 192.168.40.1
pass out log on tun0 inet from <tv> nat-to (tun0)


Okay, try this:

wan = "em0"
lan = "em1"
vpn = "tun0"
vpn_gw = "192.168.40.1"
lan_net = $lan:network

table <tv> { 192.168.0.150, 192.168.0.151, 192.168.0.119 }

set skip on lo

pass out on $wan inet from $lan_net nat-to $wan:0
match out log on $vpn inet from <tv> nat-to ($vpn)

block return
pass

block in on egress

pass proto { icmp, ipv6-icmp }

pass in on $wan proto { tcp, udp } to port { domain, domain-s }
pass in on $wan inet proto tcp to port { www, https }

pass in on $lan inet from <tv> to ! $lan_net route-to ($vpn $vpn_gw)

Thank you, it's finally working!

But I changed lines a little!

Here is what it looks like now:

#tvs to vpn
pass out on tun0 inet from <tv> nat-to (tun0)
pass in on $lan inet from <tv> to ! $lan_net route-to 192.168.40.1


When it was "route-to (tun0 192.168.40.1)", pfctl returned a syntax error.

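The two mistakes that cost this thread a few round-trips (a nat-to on tun0 with nothing steering the sources onto tun0, so pflog stays silent, and the parenthesised route-to form that pfctl rejected) are easy to catch before loading a config. The checker below is an added example, not code from the thread or from OpenBSD; it is a hypothetical lint that understands only the "from ... nat-to/route-to" rule shapes used here, not the full pf.conf grammar, and the two fragments it checks are constructed from the thread's rules.

```python
import re

# Constructed fragments modelled on the thread, not the poster's full pf.conf.
BROKEN = """
pass out log on tun0 inet from <tv> nat-to (tun0)
"""

WORKING = """
match out log on tun0 inet from <tv> nat-to (tun0)
pass in on em1 inet from <tv> to ! em1:network route-to 192.168.40.1
"""

RULE_RE = re.compile(
    r"^(?P<action>match|pass)\s+(?P<dir>in|out)\b.*?\bfrom\s+(?P<src>\S+)"
)


def parse_rules(conf):
    """Return (action, direction, source, nat_if, route_to) per rule line.
    Hypothetical helper: handles only the rule shapes seen in this thread."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        m = RULE_RE.match(line)
        if not m:
            continue
        nat = re.search(r"nat-to\s+\((\w+)\)", line)
        rt = re.search(r"route-to\s+(\(.*?\)|\S+)", line)
        rules.append((m["action"], m["dir"], m["src"],
                      nat.group(1) if nat else None,
                      rt.group(1) if rt else None))
    return rules


def lint(conf):
    """List the two failure modes from the thread found in a config fragment."""
    problems = []
    rules = parse_rules(conf)
    routed = {r[2] for r in rules if r[4] is not None}
    for action, direction, src, nat_if, rt in rules:
        # 1. An outbound nat-to on the tunnel only fires if some route-to rule
        #    first sends that source's packets onto the tunnel.
        if nat_if and direction == "out" and src not in routed:
            problems.append(f"nat-to ({nat_if}) for {src} has no route-to rule")
        # 2. route-to with an (interface gateway) pair is the form pfctl
        #    rejected in the thread; a bare gateway address worked.
        if rt and rt.startswith("("):
            problems.append(f"route-to {rt}: use a bare gateway address")
    return problems
```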