On 2006/12/09 17:24, [EMAIL PROTECTED] wrote:
> reply-to option (I had missed that earlier), and I now can SSH in via
> the cable modem interface (no word yet on whether I can NAT out of it,
> I'll figure that out when I'm at a machine that would use that NAT).

NATting is fairly straightforward; it's handled the same as any outgoing traffic. Outbound traffic normally follows the routing table; the source IP address is not used in this decision. Any exceptions to this need route-to on the interface used to send the packets out. Note that translation happens before filtering rules, so you can choose which network to use for particular traffic types by changing the NAT IP address.

> pass out on $ext_if2 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any

In general, on the interface holding the default route (fxp0 in your example), you need to 'pass out..route-to' all traffic from the source address of the other NIC (dc0). This gets most traffic routed correctly, but you also need a similar line with the networks reversed to ensure that you can reach the subnets of the other interfaces correctly: using your example addresses, this is necessary so that packets from 66.92.172.3 can reach hosts in 70.174.128/23. That's why there are two rules at the end of faq/pf/pools.html, one for each interface. You should re-read those 2 rules carefully and compare with what you've written (which won't do quite what you expect as it stands).
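The rule pair the reply points to, written out as an added pf.conf fragment (example config, not part of the original thread or of the OpenBSD FAQ text itself). It uses the pre-OpenBSD 4.7 syntax the thread is written in, where nat rules are evaluated before filter rules. Only fxp0, dc0 and the two prefixes 66.92.172.0/24 and 70.174.128.0/23 come from the reply; the LAN interface xl0, the LAN prefix, the gateway addresses and the port-80 example are assumptions chosen to illustrate the point.

```pf
# Added example, not from the original mailing-list post.
# Pre-4.7 pf.conf syntax (nat evaluated before filter rules).
int_if  = "xl0"              # assumed LAN interface
lan_net = "192.168.10.0/24"  # assumed LAN prefix
ext_if1 = "fxp0"             # holds the default route (from the reply)
ext_gw1 = "66.92.172.1"      # assumed gateway on 66.92.172.0/24
ext_if2 = "dc0"              # cable modem interface (from the reply)
ext_gw2 = "70.174.128.1"     # assumed gateway on 70.174.128.0/23

# Ordinary outbound NAT: each uplink translates to its own address.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Picking an uplink by NAT address: LAN web traffic is routed by the
# kernel towards the default route (fxp0), but translating it to dc0's
# address here makes the route-to rule below push it out dc0 instead.
# (assumed example; any "particular traffic type" works the same way)
nat on $ext_if1 from $lan_net to any port 80 -> ($ext_if2)

# Rule 1: anything leaving via the default-route interface but sourced
# from dc0's address goes to dc0's gateway instead.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any

# Rule 2: the mirror image, so a packet from 66.92.172.3 that the
# kernel would send out dc0 (e.g. towards 70.174.128/23) still leaves
# via fxp0 with fxp0's address.
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
```

Compare this with the quoted line in the reply: a route-to rule on $ext_if2 matching source $ext_if2 sends packets out the interface they were already leaving on, so it changes nothing. The interface named after `pass out on` must be the one the routing table would otherwise choose, and the source address must belong to the other NIC. Check the result with `pfctl -nf /etc/pf.conf` before loading it, and remember that with rule 1 in place the reply path for sessions NATed to dc0's address arrives on dc0, so an appropriate `pass in on $ext_if2` rule is still needed.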