Hello, I am seeing what could be expected behaviour, but the small shreds of info I can find online seem to suggest otherwise.
I have a box that acts as a router and firewall. It forwards packets from the internal LAN (call it vlan100) and sends them natted out on the external LAN (call it vlan200). The problem I am seeing is that I am unable to filter on vlan200, as the match nat rule (match out on vlan200 nat-to vlan200) seems to rewrite the source address before any filtering is taken into account. Is this intended? I was under the assumption that filtering is done twice in my box as it forwards: once on ingress (where I have a pass quick everything rule) and once on egress (where the NAT is and where I want the filtering done), in a basic Routing->Access->NAT scheme. As it stands now I have to filter on ingress. My basic ruleset snippet:

    pass quick on vlan100 from any to any
    match out on vlan200 nat-to vlan200
    pass out on vlan200
    block out quick on vlan200 from <no-internet-for-you>
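For readers hitting the same ordering issue, here is an added example (not the original poster's ruleset, and not from any pf documentation) of two ways to write the same policy so the egress filter still sees which internal host the packet came from. It assumes OpenBSD pf with the match/nat-to syntax (4.7 and later), where a match rule's nat-to is applied as soon as that rule matches, so only rules evaluated after it see the translated source. The 10.100.0.0/24 network and the table members are constructed sample values; vlan100 and vlan200 are the interfaces named in the post.

```pf
# Added example, not the original poster's ruleset. Assumes OpenBSD pf with
# match/nat-to syntax (4.7 and later). $int_net and the table members are
# constructed sample values; vlan100 and vlan200 are the interfaces from the post.
int_net = "10.100.0.0/24"
table <no-internet-for-you> { 10.100.0.50, 10.100.0.51 }

# Ingress on the internal VLAN: pass everything, as in the original post.
pass in quick on vlan100 from $int_net to any

# Variant 1: rule order. This block is evaluated before the match rule, so it
# still sees the untranslated internal source and can use the table directly.
block out quick on vlan200 from <no-internet-for-you> to any

# nat-to takes effect the moment this match rule matches; every rule evaluated
# after this line sees vlan200's address as the source, not the internal one,
# which is why a block placed after it never matches the table.
match out on vlan200 from $int_net nat-to vlan200
pass out on vlan200

# Variant 2: tag on ingress, decide on egress. The tag travels with the packet
# through the forwarding path, so the egress block does not depend on the
# source address at all and may sit after the match rule.
#pass in quick on vlan100 from <no-internet-for-you> to any tag NO_INET
#pass in quick on vlan100 from $int_net to any
#match out on vlan200 from $int_net nat-to vlan200
#block out quick on vlan200 tagged NO_INET
#pass out on vlan200
```

Either variant can be syntax-checked without loading it with `pfctl -nf /etc/pf.conf`. Variant 1 is the smallest change to the original ruleset; variant 2 is the more robust pattern when several egress rules need to know the pre-NAT origin, since it keeps that decision independent of address rewriting.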