Hello,
</snip>
> pass in on em0 from v.x.y.z/n to a.b.c.d/m \
> route-to o.p.q.r nat-to (em2)
>
> > then this needs to be converted to two rules:
> >
> > match in on em0 from v.x.y.z/n to a.b.c.d/m nat-to(em2)
> > pass in on em0 from v.x.y.z/n to a.b.c.d/m route-to o.p.q.r
> >
> > I have not tried that yet. However I think this should work. If it does
> > not work, then I'll try to fix it.
>
> I thought the problem was for rules like this:
>
> pass out on em1 from v.x.y.z/n to a.b.c.d/m \
> route-to o.p.q.r@em2
> pass out on em2 nat-to (em2)
>
Correct, the combination of NAT and route-to is a problem
on outbound rules. I failed to type my example right.
> Only one pass out rule will win if I commit this, because the packet
> will only go through the ruleset when it leaves the stack, not every
> time the interface changes. If we can do match route-to rules, we could
> do the following:
>
> match out on em1 from v.x.y.z/n to a.b.c.d/m \
> route-to o.p.q.r # o.p.q.r is reachable via em2
> pass out on em2 nat-to (em2)
>
My idea is to fix the combined outbound rule with a pair of rules. So let
me retry. Let there be an outbound rule:

pass out on em1 from v.x.y.z/n to a.b.c.d/m \
route-to o.p.q.r@em2 nat-to(em2)

The 'route-to o.p.q.r@em2' will get changed to 'route-to o.p.q.r',
assuming o.p.q.r is reachable via em2. The nat-to action
will be moved to a 'match' rule. The rule above needs to be
changed to a pair of rules:

match out on em1 from v.x.y.z/n to a.b.c.d/m nat-to(em2)
pass out on em1 from v.x.y.z/n to a.b.c.d/m \
route-to o.p.q.r # o.p.q.r is reachable via em2

I believe this is something that should work already.
thanks and
regards
sashan
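The rule split described in the message above, as an added example that is not part of the thread or of sashan's diff: a small converter that rewrites each 'pass ... route-to X@iface nat-to Y' rule into the 'match ... nat-to Y' / 'pass ... route-to X' pair. It assumes only the plain route-to and nat-to forms used in the thread (no pools, ports or other options) and joins backslash continuations first, as pf.conf allows.

```python
import re

# Old combined syntax: 'route-to addr' optionally suffixed with '@iface';
# 'nat-to' with or without a space before the parenthesised interface.
ROUTE_TO = re.compile(r"\broute-to\s+(\S+?)(?:@\w+)?(?=\s|$)")
NAT_TO = re.compile(r"\bnat-to\s*(\(?[^\s)]+\)?)")


def split_rule(rule):
    """Split one 'pass ... route-to X nat-to Y' rule into the
    'match ... nat-to Y' / 'pass ... route-to X' pair. Rules that do not
    combine both actions come back unchanged (as a one-element list).
    Assumption: only the plain forms from the thread are handled, no
    pools, ports or other route-to / nat-to options."""
    rule = " ".join(rule.split("#", 1)[0].split())  # drop comment, squash spaces
    rt, nt = ROUTE_TO.search(rule), NAT_TO.search(rule)
    if not (rule.startswith("pass ") and rt and nt):
        return [rule] if rule else []
    # Everything except the two actions is the shared filter criteria.
    criteria = " ".join(ROUTE_TO.sub("", NAT_TO.sub("", rule)).split())[len("pass "):]
    return [
        f"match {criteria} nat-to {nt.group(1)}",
        f"pass {criteria} route-to {rt.group(1)}",  # '@iface' suffix dropped
    ]


def convert(conf):
    """Apply split_rule to every rule in a pf.conf fragment; backslash
    continuations are joined first, the way pf reads them."""
    joined = re.sub(r"\\\n\s*", " ", conf)
    return [out for line in joined.splitlines() for out in split_rule(line)]


# Constructed input: the outbound rule from the thread, plus a rule that
# already uses only nat-to and must pass through untouched.
OLD_CONF = """\
pass out on em1 from v.x.y.z/n to a.b.c.d/m \\
    route-to o.p.q.r@em2 nat-to(em2)
pass out on em2 nat-to (em2)
"""

if __name__ == "__main__":
    for line in convert(OLD_CONF):
        print(line)
```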