Now the only rule (that I know of) rewriting source addresses is nat, but
I neither need to keep state, nor does it work with broadcasts. Is it possible
with pf to just rewrite the source address of an incoming packet to
tunx:peer so answers will actually go where they are meant to?

I was wrong, mighty pf can do it all. For the record:

vpn="192.168.10.0/24"

# Rewrite the source of broadcasts arriving on one tunnel to the peer address
# of the other tunnel, keeping the UDP source port (static-port); each rule is
# one line in pf.conf (the original was wrapped by the mail client)
nat on tun0 proto udp from !$vpn to 255.255.255.255 -> (tun1:peer) static-port
nat on tun1 proto udp from !$vpn to 255.255.255.255 -> (tun0:peer) static-port

# Hand the broadcast over to the other tunnel interface
pass in on tun0 route-to tun1 from any to 255.255.255.255
pass in on tun1 route-to tun0 from any to 255.255.255.255

I had mixed up the fact that the order of the listed rules doesn't necessarily
reflect the order a packet takes through the pf engine, especially when
rerouted. The graphics floating around in here somewhere show this anyway, though.

Edgar
