Hello, and welcome!
Quote:
...i would want some of the clients ip addresses to be routed through wan (without VPN)..
At the moment, your configuration blocks all traffic originating on $int_if (em1) from transiting $ext_if (em0), as
all traffic originating on $int_if is tagged NO_WAN_EGRESS.
Since tags are "sticky" you could add another pass rule with a different tag immediately following the first pass rule, such as:
Code:
pass in on $int_if from $int_if:network to any tag NO_WAN_EGRESS keep state
pass in from address tag WAN_EGRESS_IS_OK
The address could be a single address, a set of addresses in a list, or a table of addresses. (Note: "to any" and "keep state" are defaults.)
For more on tags, see the pf.conf(5) man page and the packet tagging chapter of the PF User's Guide.
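The following pf.conf fragment is an added example, not part of the original post or the poster's configuration. It shows the table form of the suggestion above. The table name <wan_ok>, its addresses, and the block rule that enforces the tag are assumptions; the macros and tag names are the ones used in the thread.

```pf
# Macros as named in the thread.
ext_if = "em0"
int_if = "em1"

# Constructed sample: LAN clients allowed to leave through the WAN without the VPN.
table <wan_ok> { 192.168.1.10, 192.168.1.20 }

# Every packet entering from the LAN is tagged as not allowed out the WAN.
pass in on $int_if from $int_if:network to any tag NO_WAN_EGRESS keep state

# Tags are sticky but replaceable: for the listed clients this later rule
# overwrites NO_WAN_EGRESS with WAN_EGRESS_IS_OK.
pass in on $int_if from <wan_ok> to any tag WAN_EGRESS_IS_OK keep state

# Assumed enforcement rule (the poster's actual rule is not shown on the page):
# anything still carrying the restrictive tag is dropped at the WAN interface.
block out quick on $ext_if tagged NO_WAN_EGRESS

# Checks before and after loading:
#   pfctl -nf /etc/pf.conf     parse the ruleset without loading it
#   pfctl -t wan_ok -T show    list the addresses currently in the table
#   pfctl -sr -v               show loaded rules with per-rule match counters
```

Keeping the exempted clients in a table means the exemption list can be reviewed and changed with pfctl -t wan_ok -T add/delete without reloading the ruleset.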