On 22-09-2015 15:06, Daniel Gillen wrote:
> Hi
>
> I currently have the following rule to nat traffic out to the internet:
>
> match out on $if_ext inet6 from $if_int:network to any nat-to ($if_ext)
>
> But this chooses from one of the configured addresses (using round-robin).
>
> Is there a way I can configure pf to prefer the privacy address (the one
> without my MAC in it)?
>
> Thx in advance
>
> Daniel
>
NAT on IPv6? Why? Also, if I'm not mistaken, if your card has a privacy
address, it will be the one used, but for connections originated from
the firewall itself. I'm not aware of any rule you could make that would
get you only the privacy address. I didn't read the code, but ($if_ext)
would give you the first address, IIRC. Which, in your case, is not the
privacy address. Also, you could check if your CPE (router) answers
DHCPv6 requests. If so, and if it follows RFC 7084, you could ask for an
IA_NA from it, and you'd get an address which is not the privacy
address, but also is not based on your MAC address.

Cheers,
Giancarlo Razzolini
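
The distinction both messages rely on, an address "with my MAC in it" versus one without, can be checked mechanically. The following is an added example, not part of the original thread and not pf code: it recovers the MAC embedded in a modified EUI-64 interface identifier and filters a list of interface addresses down to the ones that are not MAC-derived. The function names and the sample addresses (documentation prefix 2001:db8::/32) are constructed for illustration.

```python
import ipaddress

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None.

    EUI-64 autoconfiguration inserts ff:fe between the two halves of the
    MAC and flips the universal/local bit (0x02) of the first octet.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def non_mac_sources(addrs):
    """Keep non-link-local addresses whose interface ID is not MAC-derived.

    This is a heuristic: it cannot tell a temporary privacy address from a
    DHCPv6 IA_NA lease, and a random interface ID contains ff:fe at that
    position about once in 65536 cases.
    """
    keep = []
    for a in addrs:
        ip = ipaddress.IPv6Address(a)
        if ip.is_link_local or ip.is_loopback:
            continue
        if eui64_mac(a) is None:
            keep.append(a)
    return keep

# Constructed sample: addresses as they might appear on the external interface.
SAMPLE = [
    "fe80::21b:21ff:fe3c:4d5e",            # link-local, EUI-64
    "2001:db8:1:2:21b:21ff:fe3c:4d5e",     # global, EUI-64 (exposes the MAC)
    "2001:db8:1:2:8d3f:6a1c:5be2:90a7",    # global, randomized interface ID
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:40} embedded MAC: {eui64_mac(a)}")
    print("not MAC-derived:", non_mac_sources(SAMPLE))
```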
