On Thu, Jun 26, 2014 at 07:34:05PM +0900, Tuyosi Takesima wrote:
> I pick
> ------------------------------
> # match rules
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> -------------------------------
> from http://www.openbsd.org/faq/pf/example1.html
> 
> But these match rules don't work.

Is the interface you're NATing to on the egress group? What if you
replace 'egress' with the appropriate interface's name?

> according to man pf.conf
> 10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8)
> 172.16.0.0 - 172.31.255.255 (i.e. 172.16/12)
> 192.168.0.0 - 192.168.255.255 (i.e. 192.168/16)
> nat-to is usually applied outbound. If applied inbound, nat-to
> to a local IP address is not supported.

I think you are misinterpreting things. If I understand correctly, in
your case 'outbound' means 'from 192.168.11.x to anywhere', whereas
'inbound' would be 'from anywhere to 192.168.11.y'. So you _do_ want to
NAT outbound traffic, and OpenBSD does that just fine.
