Hi Kenneth,

It was staring me in the face and I did not see it. I shot myself in the foot 
and didn’t realize it.

Thanks heaps for your support.



From: Kenneth Gober <kgo...@gmail.com>
Sent: Monday, 10 May 2021 11:49 PM
To: Dirk Coetzee <d...@best-it.tech>
Cc: misc@openbsd.org
Subject: Re: NAT on same interface as vlan on OpenBSD 6.8

On Mon, May 10, 2021 at 5:26 AM Dirk Coetzee 
<d...@best-it.tech> wrote:
I am hoping to create a pf.conf configuration that has VLANs and NAT via the 
same (physical) interface. The hardware is only capable of having a single 
Ethernet interface.

vlan100 is an isolated network to set up servers and is connected to a switch 
that is set up for vlan100 and vlan 1. The same interface has the main internal 
IP address 192.168.10.241 ("vlan 1" / no vlan). Devices behind vlan100 network 
need to be NAT’ed behind the internal / corporate interface 192.168.10.241, so 
that they can still have internet access - without affecting the main / 
corporate network.

pass out quick log on $int_if
match out on $int_if inet from $vl100_net to any nat-to $int_ip source-hash

I believe your issue is that the "pass out quick" takes effect immediately and 
rules that come later aren't checked.  Either remove the 'quick' or move the 
'match out' NAT rule so that it's above the 'pass out quick'.

Some people don't like to use 'quick' because it makes "last match" semantics 
hard to follow (it's an exception to keep track of if most of your ruleset is 
structured for 'last match wins').  I prefer to use 'quick' on almost all of my 
rules to get "first match" semantics because I find 'first match wins' easier 
to work with (it means that the remainder of the ruleset after a matching 
'pass' is irrelevant and need not be examined).  It is purely personal 
preference on whether you prefer to read your rules from the bottom up or the 
top down.  If you want to continue to use 'quick' the most expedient fix is to 
move the 'match out' so that it comes before your first 'pass out' rule.

-ken
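For reference, here is the reordered ruleset Ken describes, written out as a complete pf.conf fragment. This is an added example, not a configuration posted in the thread; the interface name (em0), the vlan100 subnet (10.100.0.0/24) and the corporate subnet (192.168.10.0/24) are assumptions, since the original message only gives the 192.168.10.241 address.

```conf
# Added example (not from the thread).  Single NIC em0 carries the untagged
# corporate network; vlan100 is a vlan(4) child of em0 (hostname.vlan100:
# "vnetid 100 parent em0 inet 10.100.0.1 255.255.255.0").  All macros are
# defined up front because pf.conf requires a macro to exist before it is used.
int_if    = "em0"             # assumption: the one physical interface
int_ip    = "192.168.10.241"  # corporate-side address from the question
int_net   = "192.168.10.0/24" # assumption: the corporate network
vl100_if  = "vlan100"
vl100_net = "10.100.0.0/24"   # assumption: the isolated server network

set skip on lo

# Translation comes first.  A 'match' rule attaches nat-to to the packet as
# the ruleset is walked; a 'pass ... quick' placed above it ends evaluation
# before the match rule is ever reached, which is why the original ordering
# produced un-NATed packets.
match out on $int_if inet from $vl100_net to any nat-to $int_ip source-hash

# Filter rules, first-match style with 'quick' throughout.  By the time the
# quick pass below is hit, the NAT action from the match rule is already set.
pass out quick on $int_if

# Keep vlan100 isolated from the corporate LAN: block it before the general
# pass so the hosts can only reach the outside world via the NAT above.
block in quick on $vl100_if from $vl100_net to $int_net
pass in quick on $vl100_if from $vl100_net to any
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`, and confirm forwarding is enabled (`sysctl net.inet.ip.forwarding=1`). To verify the fix rather than assume it, generate traffic from a vlan100 host and look at `pfctl -s state`: a translated entry shows the 10.100.0.x source rewritten to 192.168.10.241 on the em0 side. If you would rather follow Ken's other suggestion and drop 'quick', the match rule can stay where it was, because last-match evaluation then continues past the pass rule and still reaches it.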
