On Wednesday 16 July 2008, Marco Fretz wrote:

> pf nat rule:
> nat log on bge0 inet from 172.16.12.128/27 tag natted -> 88.82.xx.xx
>
> pf filter rule:
> pass log quick all flags S/SA keep state tagged natted

FWIW, you no longer need to specify "flags S/SA keep state" as it is the default. It does work here, or my packets would not end up in the proper queues.

> the packet is dropped by my default deny rule (the rule does never
> match). I think the packet does not get the tag "natted". any ideas?
> the same thing with rdr rules is working fine.
> nat and rdr is done before filtering, right? so if the connection
> gets natted the tag should be present in the filter section...?
> (that's what I read in the FAQ)

The FAQ actually states "translation occurs before filtering", which may be interpreted differently than "nat and rdr is done before filtering".

This construct is working for me:

==========================================================
nat on $ext_if inet from $voip_if:network tag VOIP_NET_NAT tagged VOIP_NET -> ($ext_if)

pass in on $voip_if inet proto { tcp, icmp, udp } all tag VOIP_NET
pass out quick on $ext_if from ($ext_if) tagged VOIP_NET_NAT queue voip_out
==========================================================

The packet arrives on the internal interface, $voip_if, and gets tagged with VOIP_NET, the nat rule tags everything that is tagged VOIP_NET with a new tag of VOIP_NET_NAT, then everything tagged VOIP_NET_NAT is passed quick out the external interface through the voip_out queue (highest priority).

-- Chris
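The two layouts side by side in pf.conf syntax, as an added example that is not from either post: the external interface, the 172.16.12.128/27 network and the "natted" tag come from Marco's rules, the tag-in-then-nat pattern from Chris's; the internal interface name em0 and the use of ($ext_if) in place of the elided 88.82.xx.xx address are assumptions.

```pf
# Added example (not from the thread). Interface em0 and ($ext_if) are assumed.
ext_if  = "bge0"
int_if  = "em0"                  # assumed name of the internal interface
nat_net = "172.16.12.128/27"

block log all                    # the default deny Marco mentions

# Layout 1: tag only on the nat rule. The nat rule runs for packets going
# out $ext_if, so the tag is only visible on that leg. The same packet is
# filtered first when it comes in on $int_if, where no nat rule has run
# and "tagged natted" cannot match, so the inbound leg hits the block.
nat log on $ext_if inet from $nat_net tag natted -> ($ext_if)
pass log quick all tagged natted

# Layout 2: the pattern Chris posted, with the same names. The packet is
# tagged where it enters, the nat rule re-tags everything carrying that
# tag, and the outbound leg is passed by the nat tag.
pass in on $int_if inet from $nat_net tag INT_NET
nat on $ext_if inet from $nat_net tag INT_NET_NAT tagged INT_NET -> ($ext_if)
pass out quick on $ext_if from ($ext_if) tagged INT_NET_NAT
```

Load either layout on its own with `pfctl -nf pf.conf` to syntax-check it before enabling it, and use `pfctl -vvsr` to see the per-rule evaluation counters when a packet is still hitting the block rule.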