On 2021-12-20, [email protected] <[email protected]> wrote:
> > pass out on egress from trunk:network to any nat-to egress
> > pass out on egress
>
> Looks like you (incorrectly) assumed that first matching rule wins?

I suggest changing this to a "match ... nat-to" rule. You might want to add "inet" unless you want to nat IPv6 as well.
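
The rule evaluation discussed above, modelled as an added example that is not part of the original message and is not pf's own code: the last matching pass rule replaces the earlier rule's nat-to, while a match rule's nat-to applies as soon as it matches. The addresses and the `Rule`/`evaluate` names are constructed for illustration, and interface, direction and address family are assumed to match already.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (documentation ranges), not taken from the thread.
LAN = ipaddress.ip_network("192.0.2.0/24")         # stands in for trunk:network
EGRESS_ADDR = ipaddress.ip_address("203.0.113.1")  # stands in for the egress address

@dataclass
class Rule:
    action: str                                    # "pass", "block" or "match"
    src: Optional[ipaddress.IPv4Network] = None    # None means "from any"
    nat_to: Optional[ipaddress.IPv4Address] = None

def evaluate(rules, src):
    """Return (verdict, source address on the wire) for one outbound packet."""
    src = ipaddress.ip_address(src)
    verdict, nat = "pass", None        # pf passes by default when nothing matches
    for rule in rules:
        if rule.src is not None and src not in rule.src:
            continue
        if rule.action == "match":
            # match never decides pass/block; its nat-to applies right away,
            # so later rules are tested against the translated source
            if rule.nat_to is not None:
                src = rule.nat_to
        else:
            # the last matching pass/block rule replaces any earlier one,
            # including that earlier rule's nat-to
            verdict, nat = rule.action, rule.nat_to
    return verdict, (nat if nat is not None else src)

# The two rules quoted in the thread, then the suggested "match ... nat-to" form.
ORIGINAL = [Rule("pass", LAN, EGRESS_ADDR), Rule("pass")]
FIXED = [Rule("match", LAN, EGRESS_ADDR), Rule("pass")]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        verdict, wire_src = evaluate(rules, "192.0.2.10")
        print(f"{name}: {verdict}, leaves with source {wire_src}")
```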

