On 2007/06/13 11:12, Geraerts Andy wrote:
> Brian,
>
> Despite the fact that I get tons of State Failures I see this strange message:
>
> Jun 13 11:05:01 spock /bsd: pf: NAT proxy port allocation (50001-65535) failed
>
> Can this be the cause of my errors?
Yes, you have run out of available ports to NAT from. The straightforward answer is to NAT from a larger pool of addresses, i.e.

  nat ... -> { 1.1.1.1, 2.2.2.2, 3.3.3.0/24 }

The 50001:65535 range is set in /usr/src/sbin/pfctl/pfctl_parser.c (PF_NAT_PROXY_PORT_LOW and ..._HIGH), which might give some opportunity to shoot yourself in the foot (especially if you don't bother to make related changes to sysctl net.inet.ip.port* to keep some high ports free for connections from the box itself).
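As an added worked example (not part of the thread above, and not code from OpenBSD or pf itself), the following POSIX shell script does the arithmetic behind Brian's answer: how many proxy ports the 50001-65535 range yields per translation address, how much a larger nat pool buys you, how to count the "NAT proxy port allocation ... failed" lines in a log, and whether the host's own ephemeral range (net.inet.ip.portfirst/portlast) overlaps the proxy range. The log lines and the pool string are constructed for illustration; the sysctl values are passed in as arguments so the script runs anywhere, and the 1024/65535 pair used in the stand-alone run are OpenBSD's stock portfirst/portlast values.

```shell
#!/bin/sh
# Added example: sizing a pf NAT proxy-port pool and spotting exhaustion.
# Not part of the original thread; the log lines and pool below are constructed.

PROXY_LOW=50001     # PF_NAT_PROXY_PORT_LOW  (pfctl_parser.c)
PROXY_HIGH=65535    # PF_NAT_PROXY_PORT_HIGH (pfctl_parser.c)

# Ports pf can hand out per translation address.
proxy_ports_per_addr() {
    echo $((PROXY_HIGH - PROXY_LOW + 1))
}

# Number of addresses in a pool as written in pf.conf, e.g.
# "{ 1.1.1.1, 2.2.2.2, 3.3.3.0/24 }". A /n block counts as 2^(32-n) hosts.
pool_addr_count() {
    total=0
    for entry in $(printf '%s' "$1" | tr -d '{}' | tr ',' ' '); do
        case $entry in
            */*) prefix=${entry#*/}; n=$(( 1 << (32 - prefix) )) ;;
            *)   n=1 ;;
        esac
        total=$((total + n))
    done
    echo "$total"
}

# Rough upper bound on concurrent translations the pool can carry
# (each state also needs a distinct src/dst tuple, so real capacity is lower).
pool_capacity() {
    echo $(( $(proxy_ports_per_addr) * $(pool_addr_count "$1") ))
}

# Count proxy-port exhaustion messages in a log stream read from stdin.
count_nat_failures() {
    grep -c 'pf: NAT proxy port allocation ([0-9]*-[0-9]*) failed'
}

# Does the host's ephemeral range ($1 = net.inet.ip.portfirst,
# $2 = net.inet.ip.portlast) overlap the proxy range? Prints yes or no.
# Overlap means the box's own outbound connections compete with NAT for ports.
ephemeral_overlaps_proxy() {
    if [ "$1" -le "$PROXY_HIGH" ] && [ "$2" -ge "$PROXY_LOW" ]; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample log (modelled on the message quoted in the thread).
SAMPLE_LOG='Jun 13 11:05:01 spock /bsd: pf: NAT proxy port allocation (50001-65535) failed
Jun 13 11:05:01 spock /bsd: pf: NAT proxy port allocation (50001-65535) failed
Jun 13 11:05:02 spock /bsd: pf: (constructed unrelated kernel line)
Jun 13 11:05:03 spock /bsd: pf: NAT proxy port allocation (50001-65535) failed'

# Stand-alone run: compare a single-address pool with the larger one above.
if [ "${1:-}" = "run" ]; then
    echo "proxy ports per address : $(proxy_ports_per_addr)"
    echo "capacity, one address   : $(pool_capacity '{ 1.1.1.1 }')"
    echo "capacity, larger pool   : $(pool_capacity '{ 1.1.1.1, 2.2.2.2, 3.3.3.0/24 }')"
    echo "failures in sample log  : $(printf '%s\n' "$SAMPLE_LOG" | count_nat_failures)"
    # On OpenBSD substitute: $(sysctl -n net.inet.ip.portfirst) $(sysctl -n net.inet.ip.portlast)
    echo "ephemeral overlaps proxy: $(ephemeral_overlaps_proxy 1024 65535)"
fi
```

Run it as `sh nat_pool.sh run`; with the stock portfirst/portlast the overlap check answers yes, which is exactly the foot-gun Brian describes: if you widen the proxy range in pfctl_parser.c without lowering net.inet.ip.portlast, the firewall's own outbound sockets and pf's proxy ports draw from the same numbers.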