On a router running PF and isakmpd, I have a rule like this:

    match out on pppoe0 inet all received-on vlan5 nat-to $someip

I was surprised to find this being applied to packets received on vlan5 and caught by an ipsec flow; the resulting *encapsulated* (proto ESP) packets (as in, generated on the router itself, not actually themselves received on vlan5) end up getting natted. What does anyone else think...expected or not?