04.06.2026 23:48, Atanas Vladimirov writes:
On 2026-06-04 21:48, kasak wrote:
Hello misc!
I have this tunnel on my router:
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1340
index 14 priority 0 llprio 3
groups: tun
status: active
inet 192.168.40.60 --> 192.168.40.60 netmask 0xffffffff
And these routes:
route -n show | grep tun
192.168.40/24 192.168.40.60 UGS 0 416 - 8 tun0
192.168.40.60 192.168.40.60 UHhl 1 2 - 1 tun0
192.168.40.60 192.168.40.60 UH 0 0 - 8 tun0
I want to route one of my local ips to this tunnel:
pass out inet from 192.168.0.150 route-to 192.168.40.1
And this works like a charm but only when remote host knows about my local
192.168.0.0/24 network.
Can I somehow first do nat-to 192.168.40.60, and after that do route-to
192.168.40.1?
To avoid having to add route on remote host?
Thank you in advance
Hi,
You just need something like this:
# NAT tun0
match out log on tun0 inet from 192.168.0.150 \
nat-to (tun0)
and you can drop your pass .... route-to rule
I'm afraid it's not so easy :(
pflog is silent, nothing works.
Here is full pf.conf btw:
wan=em0
lan=em1
lan_net=$lan:network
table <tv> { 192.168.0.150, 192.168.0.151, 192.168.0.119 }
set skip on lo
block return # block stateless traffic
pass # establish keep-state
block in on egress
pass proto { icmp, ipv6-icmp }
pass in on $wan proto { tcp, udp } to port { domain, domain-s }
pass in on $wan inet proto tcp to port { www, https }
pass out on $wan inet from $lan_net nat-to $wan:0
#pass out inet from <tv> route-to 192.168.40.1
pass out log on tun0 inet from <tv> nat-to (tun0)