From: Lucas de Sena <lucas@seninha.org>
Subject: www/faq/pf/nat.html: ambiguous examples for NAT configuration
To: tech@openbsd.org
Date: Wed, 1 Jul 2026 00:55:28 -0300

At the very beginning of the "Configuring NAT" section at
<https://www.openbsd.org/faq/pf/nat.html#config>, there's this
general format for pf rules for NATing (uppercase syntactical
variables and omitted optional parts by me):

> match out on INTERFACE from SRC_ADDR to DST_ADDR nat-to EXT_ADDR
> [...]
> pass out on INTERFACE from EXT_ADDR to DST_ADDR

Later comes an actual example instantiating that general format:

> match out on tl0 from 192.168.1.0/24 to any nat-to 198.51.100.1
> pass on tl0 from 192.168.1.0/24 to any

Something does not match between the general format and the actual example:

In the general format, the source address for the "match" rule is
"from SRC_ADDR", and the source address for the "pass" rule is
"from EXT_ADDR".

In the actual example, the syntactical variables are instantiated as
follows, in the "match" rule:
- SRC_ADDR: "192.168.1.0/24" (address of the internal subnet)
- DST_ADDR: "any"
- EXT_ADDR: "198.51.100.1" (address of gateway's external interface,
  outside the internal subnet block).

But the "pass" rule of the actual example uses "192.168.1.0/24"
(SRC_ADDR), where, according to the general format, it should be
"198.51.100.1" (EXT_ADDR) instead.

Should the source address of the pass rule be that after address
translation (as in the general format) or the original one before
address translation (as in the actual example)?

Is it the general format or the actual example which is correct?

-- 
Lucas de Sena