Hi Ken,

On Fri, Apr 21, 2023 at 10:19:25PM -0400, Kenneth Gober wrote:
> I suspect you need something like this:
>
> pass in on re0 from any to (re0) port 1080 rdr-to 10.64.0.1 tag nat
> pass out on wg0 nat-to (wg0) tagged nat
>
> The first rule handles the forwarding, the second rule makes it so
> that all forwards to your SOCKS proxy appear to come from your
> router (which the proxy knows how to reach) rather than other
> systems on your home network (which the proxy might not have
> usable routes to send replies to).
>
> PF rules automatically set up the return path when the forward
> path is 'passed' so you don't need rules for those. You do need
> to have both inbound and outbound rules for the forward path to
> allow a connection to get set up.

Thank you very much! This worked perfectly, with a slight tweak of
adding the "proto" modifier.

For the sake of completeness, the final solution is summarised below.

# sysctl net.inet.ip.forwarding=1
# cat /etc/pf.conf
...
pass in on re0 proto tcp from any to (re0) port 1080 rdr-to 10.64.0.1 tag nat
pass out on wg0 proto tcp nat-to (wg0) tagged nat
...

Cheers,
Charlie
