On 2023-03-28, Kaya Saman <kayasa...@gmail.com> wrote:
>
> Anyway, what I am trying to figure out is how to NAT the rdomains?
>
>
> At the moment from what I understand one has to put "rtable (n)" at the
> end of the NAT rule...

That is for _changing_ rtable; if the interfaces involved (the $vpn_net1
interface and $gnet_if) have been configured with "rdomain 2" then the
route lookups will automatically use rtable 2 and you don't need to
reset it in pf.

> The rule in use is this one:
>
> match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rtable 2

If $vpn_net1 is the network associated with the g-networks connection
then that, without the 'rtable 2', should probably do it, as long as
those packets have not already been natted to a different address
before they hit that rule.

For debug you might like "match log(matches)" at the top of the ruleset
and watch "tcpdump -neipflog0" to show which rules are actually matching
(you get multiple lines of output per new connection as the ruleset is
traversed; the rule numbers shown in the output can be looked up with
pfctl -sr -R ##).

It is definitely possible to do what you want with OpenBSD/PF, it's
"just" a question of figuring out how ;)
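A pf.conf sketch of the setup described in the reply above, added here as an illustration and not taken from the thread; the interface names, addresses and the use of rdomain 2 are assumed:

```pf
# Constructed example. Both interfaces are placed in rdomain 2 via their
# hostname.if files (assumed names/addresses):
#   /etc/hostname.vpn0:   rdomain 2
#                         inet 10.20.0.1 255.255.255.0
#   /etc/hostname.em1:    rdomain 2
#                         inet 192.0.2.10 255.255.255.0
# Because the interfaces already sit in rdomain 2, pf's route lookups
# for this traffic use rtable 2 on their own; no "rtable 2" on the rule.

gnet_if  = "em1"
vpn_net1 = "10.20.0.0/24"
wan_gnet = "192.0.2.10"

# Debug aid from the reply: log every matching rule to pflog0, then
# watch with "tcpdump -neipflog0" and map ids with "pfctl -sr -R <id>".
match log(matches) all

# NAT the rdomain-2 traffic leaving $gnet_if. Keep this ahead of any
# broader nat-to rule that could translate $vpn_net1 first; once the
# source address has been rewritten, "from $vpn_net1" no longer matches.
match out on $gnet_if from $vpn_net1 nat-to $wan_gnet

pass out on $gnet_if
```

Remove the "match log(matches) all" line once the ruleset behaves, since it logs every rule hit for every new connection.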