If you use a macro in a binat-to rule that contains multiple IPs like so:

home_ipv4 = "{" 10.22.28.100 10.74.13.26 10.0.10.2 "}"
pass on $egress_if from 172.28.0.107 to $home_ipv4 binat-to 10.39.177.145

It will create a cascade of duplicate inbound pass rules like so:

1) pass out on em0 inet from 172.28.0.107 to 10.22.28.100 flags S/SA nat-to 10.39.177.145 static-port
2) pass in on em0 inet from 10.22.28.100 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
3) pass in on em0 inet from 10.74.13.26 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
4) pass in on em0 inet from 10.0.10.2 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
5) pass out on em0 inet from 172.28.0.107 to 10.74.13.26 flags S/SA nat-to 10.39.177.145 static-port
6) pass in on em0 inet from 10.74.13.26 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
7) pass in on em0 inet from 10.0.10.2 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
8) pass out on em0 inet from 172.28.0.107 to 10.0.10.2 flags S/SA nat-to 10.39.177.145 static-port
9) pass in on em0 inet from 10.0.10.2 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107

Lines 3 and 6 are duplicates and lines 4, 7, and 9 are duplicates.

Tested on 5.8.

Not a big deal, but I figured I would mention it since I noticed.

--TimH
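
A check for the duplication described above, as an added example that is not part of the original post: a shell function that reads a ruleset listing (for instance `pfctl -sr` output) and reports every rule loaded more than once. The function names are this example's own, and the embedded sample is the nine rules from the post, numbering included.

```shell
#!/bin/sh
# Added example: report rules that appear more than once in a pf ruleset listing.

# pf_dup_rules: read rules on stdin and print "<count>x <rule>" for each rule
# seen more than once, in the order the rule first appeared.
pf_dup_rules() {
    awk '
    {
        sub(/^[ \t]*[0-9]+\)[ \t]*/, "")   # drop hand-added "N) " numbering
        gsub(/[ \t]+/, " ")                # collapse runs of whitespace
        sub(/^ /, ""); sub(/ $/, "")       # trim both ends
        if ($0 == "") next
        if (!($0 in seen)) order[++n] = $0
        seen[$0]++
    }
    END {
        for (i = 1; i <= n; i++)
            if (seen[order[i]] > 1)
                printf "%dx %s\n", seen[order[i]], order[i]
    }'
}

# sample_rules: the expanded rules as listed in the post (sample input).
sample_rules() {
    cat <<'EOF'
1) pass out on em0 inet from 172.28.0.107 to 10.22.28.100 flags S/SA nat-to 10.39.177.145 static-port
2) pass in on em0 inet from 10.22.28.100 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
3) pass in on em0 inet from 10.74.13.26 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
4) pass in on em0 inet from 10.0.10.2 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
5) pass out on em0 inet from 172.28.0.107 to 10.74.13.26 flags S/SA nat-to 10.39.177.145 static-port
6) pass in on em0 inet from 10.74.13.26 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
7) pass in on em0 inet from 10.0.10.2 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
8) pass out on em0 inet from 172.28.0.107 to 10.0.10.2 flags S/SA nat-to 10.39.177.145 static-port
9) pass in on em0 inet from 10.0.10.2 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
EOF
}

# On a live system: pfctl -sr | pf_dup_rules
sample_rules | pf_dup_rules
```

An empty result means every loaded rule is unique.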