Hi, I have these rules for the interface vr1
match out on vr1 inet from 172.16.0.0/12 to any nat-to (vr1) round-robin pass in log (all, to pflog1) quick on vr0 inet from <tataips> to any flags S/SA keep state label route-to 122.247.14...@vr1 pass out log (all, to pflog3) quick on vr1 all flags S/SA keep state label When I ssh from an IP 172.16.50.62 in the <tataips> table to a host 68.208.88.43 in the internet I get this corresponding traffic in pflog3 Aug 19 11:57:26.180191 rule 6.atelandtata.2/(match) pass out on vr1: 172.16.50.62.37105 > 68.208.88.43.22: S 2259539342:2259539342(0) win 5840 <mss 1460,sackOK,timestamp 1855434[|tcp]> (DF) Aug 19 11:57:26.439956 rule 6/(match) pass in on vr1: 68.208.88.43.22 > 172.16.50.62.37105: S 1444742373:1444742373(0) ack 2259539343 win 5792 <mss 1460,sackOK,timestamp 3649103802[|tcp]> (DF) Aug 19 11:57:26.440115 rule 6/(match) pass out on vr1: 122.247.145.232.64346 > 68.208.88.43.22: . ack 1444742374 win 92 <nop,nop,timestamp 1855513 3649103802> (DF) Aug 19 11:57:26.705532 rule 6/(match) pass in on vr1: 68.208.88.43.22 > 172.16.50.62.37105: P 1:37(36) ack 1 win 46 <nop,nop,timestamp 3649103869 1855513> (DF) Even though there is a match rule to nat In the first pflog3 out put I see the IP 172.16.50.62 But in the next line I see the Nated IP 122.247.145.232 Why is that private IP not natted in the first line? Thanks :-) --Siju
