Hi All,

I am running 3.2 stable. This is what I am trying to achieve: I have specified, say, the 192.168.1.0/24 network to be on a VPN. But only authenticated users are allowed over the VPN; all the rest should go in the clear. Let's say 192.168.1.32 is authenticated and 192.168.1.33 is not.

The common part of the rules has:

    pass out quick on enc0 from 192.168.1.32 to any
    pass in quick on enc0 from any to 192.168.1.32

I haven't added any block rule yet, but have added the following rule:

    pass out quick on enc0 fastroute from any to any

I also tried this:

    pass out quick on enc0 route-to (fxp0 172.16.1.1) from any to any

(where 172.16.1.1 is the default router). I mostly have a NAT rule:

    nat on fxp0 from !fxp0 to any -> fxp0

This works if there are no NAT rules and if the internal address happens to be a routable address. But I cannot imagine so; with NAT, the packet from 192.168.1.33 still gets encapsulated and goes over the VPN.

I hardly know the PF kernel code, but it looks like the spd_lookup is successful (which is right, since 192.168.1.33 belongs to the ipgroup 192.168.1.0/24), and it looks like it saves some info in the mbuf, and then the fastroute rule is matched, but it's too late, so it encapsulates it.

How can I get around this? Or am I doing something wrong? Please advise.

Thank You in advance
--Gopu