My suggestion is to get rid of the bridge and just deal with 3 different networks:
- external interface network
- wired interface network
- wireless interface network
For example, subnet the 10.0.0.0/8 network into 10.10.22.0/24 for the wired LAN clients and 10.10.99.0/24 for the wireless ones.
Re: NAT
If you are changing or renumbering the internal network clients (wired and wireless) you can use the following match rule to perform foolproof Network Address Translation:
Code:
# ---- external/egress interface
match out inet from ! egress to any nat-to (egress)
Note that I use the interface group egress here instead of the interface device name. Likewise you could assign the urtwn0 interface to the group wireless and the other NIC to the group wired.
A sample /etc/hostname.urtwn0:
Code:
inet 10.10.99.1 255.255.255.0 NONE group wireless
Re: pf.conf
In the beginning it is easier to filter just on the external interface. You can either use skip on ... or pass quick on ... Get things working first. Later on, when everything is working, you can always add filtering on the internal interfaces.
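As an added example (not part of the post above), here is a /etc/pf.conf that puts the three-network layout, the interface groups and the staged filtering together. It assumes the hostname.if files assign the groups wired and wireless as described, that the wired NIC is 10.10.22.1, and it scopes the NAT match rule with "on egress" rather than using the post's exact rule.

```pf
# Added example: /etc/pf.conf for the three-network layout (egress, wired,
# wireless). Assumes /etc/hostname.urtwn0 uses "group wireless" and the
# wired NIC is configured as
#   inet 10.10.22.1 255.255.255.0 NONE group wired     (assumed address)
wired_net    = "10.10.22.0/24"
wireless_net = "10.10.99.0/24"

set skip on lo

# Default deny; log drops to pflog0 so a wrong rule is visible, not silent.
block log all

# NAT: rewrite the source of client traffic leaving through the egress group.
# "on egress" keeps the translation off the internal interfaces.
match out on egress inet from { $wired_net $wireless_net } to any nat-to (egress)

# Step 1 (as the post suggests): filter only on the external interface
# and skip the internal ones until things work.
set skip on { wired wireless }

# External interface: only connections we initiate, with state tracking.
pass out on egress inet keep state

# Step 2, enabled later: delete the "set skip on { wired wireless }" line
# above and uncomment these so internal interfaces are filtered explicitly.
# Clients reach the Internet and the router's DNS/DHCP, but the wired and
# wireless networks cannot talk to each other.
#pass in on wired    inet from $wired_net    to ! $wireless_net keep state
#pass in on wireless inet from $wireless_net to ! $wired_net    keep state
#pass in on { wired wireless } inet proto { tcp udp } to self port { domain bootps }
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it.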