On Mon, May 10, 2021 at 5:26 AM Dirk Coetzee <d...@best-it.tech> wrote:
> I am hoping to create a pf.conf configuration that has VLANs and NAT via
> the same (physical) interface. The hardware is only capable of having a
> single Ethernet interface.
>
> vlan100 is an isolated network to set up servers and is connected to a
> switch that is set up for vlan100 and vlan 1. The same interface has the
> main internal IP address 192.168.10.241 ("vlan 1" / no vlan). Devices
> behind the vlan100 network need to be NAT'ed behind the internal / corporate
> interface 192.168.10.241, so that they can still have internet access,
> without affecting the main / corporate network.
>
> pass out quick log on $int_if
> match out on $int_if inet from $vl100_net to any nat-to $int_ip source-hash

I believe your issue is that the "pass out quick" takes effect immediately and rules that come later aren't checked. Either remove the 'quick' or move the 'match out' NAT rule so that it's above the 'pass out quick'.

Some people don't like to use 'quick' because it makes "last match" semantics hard to follow (it's an exception to keep track of if most of your ruleset is structured for 'last match wins'). I prefer to use 'quick' on almost all of my rules to get "first match" semantics because I find 'first match wins' easier to work with (it means that the remainder of the ruleset after a matching 'pass' is irrelevant and need not be examined). It is purely personal preference on whether you prefer to read your rules from the bottom up or the top down.

If you want to continue to use 'quick' the most expedient fix is to move the 'match out' so that it comes before your first 'pass out' rule.

-ken
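As an added illustration (not part of the thread, and not pf itself), the following Python model walks the two rules from the question through pf's evaluation order: a matching `pass`/`block` rule sets the verdict and the last one wins, `quick` stops evaluation at that rule, and `match` rules apply their options (here `nat-to`) without deciding pass or block. It models only the handful of keywords those two lines use. The value of `$int_ip` comes from the thread; `$int_if` (`em0`) and `$vl100_net` (`10.100.0.0/24`) are not given there and are constructed placeholders.

```python
import ipaddress

# Macro values. $int_ip is from the thread; $int_if and $vl100_net are
# constructed placeholders because the question does not define them.
MACROS = {"int_if": "em0", "int_ip": "192.168.10.241", "vl100_net": "10.100.0.0/24"}

# The ruleset exactly as posted: 'pass out quick' comes first.
ORIGINAL = [
    "pass out quick log on $int_if",
    "match out on $int_if inet from $vl100_net to any nat-to $int_ip source-hash",
]

# Fix 1: move the 'match out' rule above the 'pass out quick' rule.
REORDERED = list(reversed(ORIGINAL))

# Fix 2: keep the order but drop 'quick' from the pass rule.
NO_QUICK = [
    "pass out log on $int_if",
    "match out on $int_if inet from $vl100_net to any nat-to $int_ip source-hash",
]


def expand(line, macros=MACROS):
    """Substitute $macro references the way pfctl would before parsing."""
    for name, value in macros.items():
        line = line.replace("$" + name, value)
    return line


def parse_rule(line):
    """Parse a tiny subset of pf.conf: action, 'quick', 'from <net>', 'nat-to <ip>'.
    Direction, interface, 'log', 'inet' and 'source-hash' are accepted and ignored."""
    toks = expand(line).split()
    rule = {"action": toks[0], "quick": "quick" in toks, "src": None, "nat_to": None}
    if "from" in toks:
        rule["src"] = toks[toks.index("from") + 1]
    if "nat-to" in toks:
        rule["nat_to"] = toks[toks.index("nat-to") + 1]
    return rule


def src_matches(rule, src_ip):
    """A rule with no 'from' (or 'from any') matches every source address."""
    if rule["src"] in (None, "any"):
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["src"])


def evaluate(ruleset, src_ip):
    """Return (verdict, nat_to) for an outbound packet with the given source.
    pf passes a packet that no rule matches, so the verdict starts as 'pass'."""
    verdict, nat_to = "pass", None
    for line in ruleset:
        rule = parse_rule(line)
        if not src_matches(rule, src_ip):
            continue
        if rule["action"] == "match":
            # 'match' applies its options but never decides pass/block;
            # evaluation always continues with the next rule.
            if rule["nat_to"]:
                nat_to = rule["nat_to"]
            continue
        verdict = rule["action"]  # last matching pass/block wins...
        if rule["quick"]:
            break  # ...unless it is 'quick': stop evaluating right here
    return verdict, nat_to


if __name__ == "__main__":
    vlan_host, corp_host = "10.100.0.5", "192.168.10.50"
    for name, rules in (("original", ORIGINAL), ("reordered", REORDERED), ("no quick", NO_QUICK)):
        print(f"{name:10s} vlan100 host -> {evaluate(rules, vlan_host)}")
        print(f"{name:10s} corp host    -> {evaluate(rules, corp_host)}")
```

With the original order the vlan100 host is passed but never NATed, because the `quick` pass rule ends evaluation before the `match` rule is reached; with either fix the `match` rule is reached first and `nat-to 192.168.10.241` is applied, while a host that is already on 192.168.10.0/24 is left untouched either way.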