Old 10th October 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,600

Hello, and welcome!

Without seeing your PF configuration, based on your problem description I'm going to assume you have NAT configured to translate on the inward facing network. If so, that is the cause of the trouble.

A typical network configuration is to translate only traffic on the outward facing network. See this line from the example configuration in the PF User's Guide:
match out on egress inet from !(egress:network) to any nat-to (egress:0)
The "match" command is not a pass or a block. It is used when you want to set specific filtering options to apply to later rules.

The "egress" group contains the NICs assigned to the default route -- also known as the gateway route -- that should be the NICs connecting to your ISPs, or, NICs that route traffic to routers that connect to your ISPs.

Note that the traffic to be NATted comes from all non-egress networks that transit this router. They can go to any address, and will be translated to the first address assigned to the applicable egress NIC.

Note that there is no translation on any of the inner, non-egress network(s).
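The following pf.conf fragment is an added illustration of the point made in the post above; it is not jggimi's configuration or the one from the PF User's Guide. The interface names (em0 toward the ISP, em1 toward the LAN), the LAN prefix and the filtering rules are assumed for the example. The commented-out rule shows the inward-facing translation the post warns against; the live rule is the egress-only form quoted from the guide.

```pf
# Assumed interfaces: em0 carries the default route (so it is in "egress"),
# em1 faces the inner LAN. Addresses are placeholders for the example.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

set skip on lo

# WRONG: translating on the inward-facing NIC. This rewrites the source of
# packets as they go OUT onto the LAN, which is not where translation belongs.
# match out on $int_if inet from any to $lan_net nat-to ($int_if:0)

# RIGHT: translate only traffic leaving through the egress group, and only
# traffic that did not already originate on the egress network. The source
# becomes the first address of whichever egress NIC the packet leaves on.
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Minimal filter policy so the match rule has something to apply to.
block all
pass in  on $int_if inet from $lan_net to any
pass out on egress inet
```

Check the result with `pfctl -nf /etc/pf.conf` (syntax only) and then `pfctl -s rules` and `pfctl -s state` after loading: every state created by LAN hosts should show the translated egress address, and no `nat-to` should appear on a rule bound to the inner interface.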