I finally got around to upgrading my home gateway from 4.9-current (late snapshot) to 5.0-beta (jul 27 snapshot), and I stumbled across what appears to be a subtle but significant change in nat-to behavior.
my $ext_if is xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 lladdr 00:50:da:21:cb:c9 priority: 0 groups: egress media: Ethernet autoselect (100baseTX full-duplex) status: active inet 213.187.179.198 netmask 0xfffffffc broadcast 213.187.179.199 inet6 fe80::250:daff:fe21:cbc9%xl0 prefixlen 64 scopeid 0x3 inet6 2001:16d8:ccbc:dead:beef::1 prefixlen 64 and the nat-to line was match out log on $ext_if inet nat-to ($ext_if) AFter upgrading, this was loaded as match out log on $ext_if inet nat-to $ext_addr round-robin - meaning that return traffic wasn't necessarily seen. Changing the rule to match out log on $ext_if inet nat-to $ext_addr restored the config to a working state. Does this count as a buglet (or something that should be documented, at least)? - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.