On 4 June 2013 00:49, Stuart Henderson <[email protected]> wrote:
> On a router running PF and isakmpd, I have a rule like this:
>
> match out on pppoe0 inet all received-on vlan5 nat-to $someip
>
> I was surprised to find this being applied to packets received on vlan5
> and caught by an ipsec flow; the resulting *encapsulated* (proto ESP) packets
> (as in, generated on the router itself, not actually themselves received on
> vlan5) end up getting natted.
>
> What does anyone else think...expected or not?
>

But if you do the same w/o 'received-on', then packets would get natted
anyways, won't they?
