On Fri, Jun 5, 2026 at 11:09 AM kasak <[email protected]> wrote:

> 04.06.2026 23:48, Atanas Vladimirov wrote:
>
> You just need something like this:
>
> # NAT tun0
>   match out log on tun0 inet from 192.168.0.150 \
>  nat-to (tun0)
>
> and you can drop your pass .... route-to rule
>
> I'm afraid it's not so easy :(
> pflog is silent, nothing works.
>

"match out log on tun0" won't work because for this to happen
the OpenBSD routing table must have already decided that "tun0"
is the correct outbound interface to use.

I believe that any "out" rule will be too late because at that point
the packet is already passing out through the wrong interface
and it's too late to redirect it elsewhere.

I would try this instead:

match in inet from <tv> route-to 192.168.40.1

This (or the same with "pass in" instead of "match in") should
work better, because it identifies the outbound interface to use
before the packet has already been sent out some other one.

Depending on how your tunnel is set up, you will likely have to
keep your "nat-to (tun0)" out rule as well, as that may be needed
for the server at the other end of the tunnel to be able to tell
where replies should be sent (i.e. the server at the other end of
the tunnel may know how to reach 192.168.40.60, but it may
not know how to reach 192.168.0.150).

-ken
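As an added example (not from the thread, and not tested against the poster's setup), the rules Ken describes assembled into one pf.conf fragment; the internal interface name em0 and the contents of the <tv> table are assumptions:

```pf
# Constructed example: "em0" and the table membership are assumptions.
int_if = "em0"
table <tv> { 192.168.0.150 }

# Policy-route at the inbound hook, before the routing table picks the
# egress interface. An "out on tun0" rule cannot do this: by the time it
# is evaluated the kernel has already chosen where the packet leaves.
# "log" makes every match visible on pflog0 so the rule can be verified.
match in log on $int_if inet from <tv> to any route-to 192.168.40.1

# Keep the source translation on the tunnel so the far end has a reply
# address it can reach (it knows 192.168.40.x, not 192.168.0.150).
match out on tun0 inet from <tv> nat-to (tun0)

# match rules only tag the packet; pass rules are still needed for it
# to be accepted on the way in and on the way out of the tunnel.
pass in on $int_if inet from <tv> to any
pass out on tun0 inet to any
```

To confirm the inbound rule is actually matching, watch `tcpdump -n -e -ttt -i pflog0` while generating traffic from the table host, and check the per-rule counters with `pfctl -vsr`.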
