Old 13th August 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,509

Hello, and welcome!
...I would want some of the clients' IP addresses to be routed through the WAN (without VPN)...
At the moment, your configuration blocks all traffic originating on $int_if (em1) from transiting $ext_if (em0), as all traffic originating on $int_if is tagged NO_WAN_EGRESS.

Since tags are "sticky" you could add another pass rule with a different tag immediately following the first pass rule, such as:
pass in on $int_if from $int_if:network to any tag NO_WAN_EGRESS keep state
pass in from address tag WAN_EGRESS_IS_OK
The address could be a single address, a set of addresses in a list, or a table of addresses. (Note: "to any" and "keep state" are defaults.)

For more on tags, see the pf.conf(5) man page and the packet tagging chapter of the PF User's Guide.

Last edited by jggimi; 13th August 2017 at 01:51 PM. Reason: typo
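The same idea written out with a table for the permitted clients, as an added example that is not part of jggimi's post; it uses the thread's interface names (em0 = WAN, em1 = LAN), while the table name and the client addresses are constructed, and the existing $ext_if rules that act on the NO_WAN_EGRESS tag are assumed to be unchanged and are not shown.

```pf
# Added example (not from the original post). Interface names follow the
# thread; the table name and client addresses are constructed placeholders.
ext_if = "em0"
int_if = "em1"

# Persistent table: its contents survive a ruleset reload and can be
# changed at run time with pfctl -t wan_ok -T add/delete.
table <wan_ok> persist { 192.168.1.10, 192.168.1.20 }

# Default: every LAN host is tagged NO_WAN_EGRESS, as in the original
# configuration, whose $ext_if rules act on that tag (not shown here).
pass in on $int_if from $int_if:network tag NO_WAN_EGRESS

# Hosts in the table also match this later rule; since the last matching
# rule wins, the tag is replaced by WAN_EGRESS_IS_OK, and because tags
# are sticky it stays with the state for the life of the connection.
pass in on $int_if from <wan_ok> tag WAN_EGRESS_IS_OK
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm the table contents afterwards with `pfctl -t wan_ok -T show`.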