Hello Mikolaj,

> ...
>
> >How-To-Repeat:
> Set up NAT with PF, connect a WireGuard client over the internal
> network, which goes over an external interface which changes IP address
> once in a while; in my case it's umb(4).
>
> >Fix:
> Unknown. Many workarounds; pfctl -Fs seems the simplest?
>
> After pfctl -Fs, the WireGuard tunnel works straightaway:
>
I think the problem is caused by the fact that PF keeps states which got created with the old umb0 IP address. As long as those 'old' states are present, the translation won't get updated for existing sessions.

You might want to consider using ifstated(8) to monitor the umb0 interface and flush states from PF when umb0 disappears/changes its address.

You may also want to label the rules which handle NAT on the umb0 interface, so ifstated(8) will be running pfctl(8) to kill states with the desired label only:

    pfctl -k label -k umb0-nat

regards
sashan
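A concrete form of the labelled-rule plus ifstated(8) setup sashan describes, added here as an example and not part of this thread. The label umb0-nat and the pfctl invocation are taken from the reply; the internal network 192.168.1.0/24 and the assumption that umb0's address only changes across a link down/up transition are mine.

```conf
# /etc/pf.conf (fragment): label the NAT rule so only its states can be
# killed. 192.168.1.0/24 is an assumed internal network. Writing (umb0)
# in parentheses makes the rule track umb0's current address, but states
# created earlier keep the old translation until they are killed.
match out on umb0 inet from 192.168.1.0/24 to any nat-to (umb0) label umb0-nat

# /etc/ifstated.conf: watch umb0's link and, each time it comes back up,
# kill only the states created by the rule labelled umb0-nat.
# Assumption: an address change on umb0 coincides with a link down/up.
init-state auto

state auto {
	if umb0.link.up
		set-state up
	if ! umb0.link.up
		set-state down
}

state up {
	init {
		# new address in effect: drop stale NAT states, leave everything else
		run "pfctl -k label -k umb0-nat"
	}
	if ! umb0.link.up
		set-state down
}

state down {
	if umb0.link.up
		set-state up
}
```

Check the configuration with `ifstated -n` before enabling the daemon with `rcctl enable ifstated`.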