I suspect you didn't quote all relevant rules; there must be at least one additional rule like
pass out on rl2 keep state
Ahum. Yes. Sorry for that.
First, try to use nat only on rl2. The route-to'd connections will pass pf on both rl0 and rl2, so doing nat on rl2 is no problem:
I tried this first, but the packets came out on rl2 without being NATed. That is, I removed the nat on rl0 rule. Is a "pass out" rule done after NATing has been performed?
A second approach would be to put 'route-to' on the 'pass in on rl0' rule, short-circuiting the TCP/IP stack (not relying on it to forward the connection to the default gateway). In that case, the connections would come in on rl0 and get routed to rl2 directly, so pf wouldn't see them as outgoing on rl0 at all. But you could still translate and filter them going out on rl2, of course.
And this fixed it. I remember trying this approach when I originally set up this configuration, but it didn't work on 3.1. But now it works and the ruleset looks much cleaner.
Thanks a lot for your help, Nickus
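For readers who want to see the second approach written out, here is a constructed pf.conf fragment in the pre-4.7 syntax that the thread is discussing (nat as a separate translation rule, route-to placed after the interface in the pass rule). It is an added example, not a ruleset posted by anyone in the thread: the interface names rl0 and rl2 come from the thread, while the macro names, the internal network and the next-hop address on rl2 are placeholders I have assumed.

```pf
# Constructed example, not from the thread. Interface roles are assumed:
# rl0 faces the internal network, rl2 is the uplink whose next hop we
# want these connections to use instead of the system default route.
int_if = "rl0"
ext_if = "rl2"
int_net = "192.168.1.0/24"   # assumed internal network (placeholder)
ext_gw  = "192.0.2.1"        # assumed next-hop router on rl2 (placeholder)

# Default-deny so only the rules below admit traffic.
block all

# Translate only on rl2: the route-to'd connections leave through rl2,
# so this is the one place they need a source rewrite.
nat on $ext_if from $int_net to any -> ($ext_if)

# Put route-to on the inbound rl0 rule. pf hands the packet straight to
# rl2 via $ext_gw, bypassing the kernel's forwarding decision, so no
# "pass out on rl0" rule is needed for this traffic.
pass in on $int_if route-to ($ext_if $ext_gw) inet proto tcp \
    from $int_net to any flags S/SA keep state

# Filter the translated connections on their way out of rl2. Translation
# is applied before the outbound filter, so this rule sees the rewritten
# source address, which is why the "pass out" does not need to be on rl0.
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    flags S/SA keep state
```

Two points worth checking on a live box: `pfctl -s state` should show the entries for these connections created on rl0 with a translated rl2 address, and `pfctl -s nat` / `pfctl -s rules` should list no nat or pass-out rule on rl0, confirming that the path really is the short-circuited one and not a leftover from the first approach.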
