On 2020-09-21, [email protected] <[email protected]> wrote:
>> > My basic ruleset snippet:
>> > pass quick on vlan100 from any to any
>> > match out on vlan200 nat-to vlan200
>> > pass out on vlan200
>> > block out quick on vlan200 from <no-internet-for-you>
>>
>> If this is your actual ruleset, you are observing the intended behavior.
>> match rule actions are applied directly, so the pass rule would see the
>> already NATed packets as you have specified.
>>
>
> I noticed the same from some last minute efforts, the ordering of the match
> rule matters.
>
>
>> In a simple case like this you could optionally move the nat-to action to
>> the pass rule and remove the match rule if that fits your needs better.
>>
>
> Unfortunately I have many more pass rules that would need NAT applied to it
> on a case-by-case basis which is not maintainable so I guess I have to
> abort the mission and keep what I have, which is filtering on ingress.
> me.
Try tagging the relevant addresses (match from <whatever> tag whatever) before the nat rule, then "block out quick on vlan200 tagged whatever". Or tag the packets you _do_ want to allow and "pass out tagged permitted".
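The tagging approach from the reply, written out as a pf.conf fragment. This is an added example, not a ruleset posted in the thread; the interface names and the <no-internet-for-you> table come from the quoted snippet, while the tag names, the table contents and the <allowed> table are assumptions.

```pf
# Added example, not from the thread. Sample addresses are constructed.
table <no-internet-for-you> { 192.0.2.10 192.0.2.20 }

pass quick on vlan100 from any to any

# Tag BEFORE the NAT rule: match rules are evaluated in order and their
# actions apply immediately, so at this point the packet still carries
# its original (pre-NAT) source address. Tag name NOINET is assumed.
match out on vlan200 from <no-internet-for-you> tag NOINET

# NAT afterwards; the tag stays attached to the packet after the rewrite.
match out on vlan200 nat-to vlan200

# Decide on the tag, not on the (already rewritten) source address.
block out quick on vlan200 tagged NOINET
pass out on vlan200

# Alternative from the reply: tag only what you DO want to allow out and
# default to block. Table <allowed> and tag PERMITTED are assumptions.
# match out on vlan200 from <allowed> tag PERMITTED
# match out on vlan200 nat-to vlan200
# block out on vlan200
# pass out on vlan200 tagged PERMITTED
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without activating it, which catches ordering and syntax mistakes in the match/tag rules.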

