NAPT on a routed address pool: problem with the broadcast address

Antonio Bonifati
Fri Apr 30 10:04:02 UTC 2010

Hi to all.
I have a question relating to NAPT on an address pool. I'm using PF with a
rule like this:

nat on $my_outbound_if from $my_internal_net to any -> $my_CIDR_pool

My internal net has more private IPs than those of the public pool.

In order for this to work I've noticed all the pool's addresses must be
bound to my outbound router interface.

This worked for me when my router was connected to a switch. But now it is
connected to another router. They gave me a CIDR pool but the broadcast
address is not routed and I cannot configure it as an alias of course.

How can I use my full CIDR pool with source-hash natting? I'm experiencing
random connection freezes when I use the above rule. I believe this happens
because PF selects the broadcast address for some mappings.

BTW, why does PF require that only a CIDR pool be used with source-hash?
Could something be done on the other side to work this problem out? E.g. is
it possible to configure a router to also route the broadcast address in a
static route?

thanks for helping
Antonio Bonifati
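The following script is an added illustration of the problem described in the post above; it is not part of the original message, and it is not PF code. It audits a NAT pool given as a CIDR prefix (which members are the unroutable network and broadcast addresses, which usable members are missing an interface alias) and contrasts two toy models of hash-based pool selection: one that fills the host bits of the prefix, so the network and broadcast addresses are candidates, and one that hashes onto the explicit list of usable hosts. The hash is a stand-in for PF's own source-hash, not its implementation, and the pool prefix, alias list and client addresses are constructed for the example.

```python
"""Audit a NAT address pool given as a CIDR prefix.

Added example, not from the original post or from PF.  It models the
failure mode the post suspects: a pool selector that can pick any
address inside the prefix, including the network and broadcast
addresses, which are not routed towards the NAT box.
"""
import hashlib
import ipaddress


def audit_pool(pool_cidr, bound_aliases):
    """Split a pool prefix into unroutable, usable and unbound members.

    pool_cidr     -- the CIDR pool on the right-hand side of the nat rule
    bound_aliases -- addresses actually configured as aliases on the
                     outbound interface
    Only prefixes of /30 and larger networks have a distinct host range.
    """
    net = ipaddress.ip_network(pool_cidr, strict=True)
    if net.prefixlen > 30:
        raise ValueError("pool must be /30 or larger to have a host range")
    bound = {ipaddress.ip_address(a) for a in bound_aliases}
    usable = list(net.hosts())
    return {
        # network and broadcast: never routed to the NAT box by the upstream router
        "unroutable": [str(net.network_address), str(net.broadcast_address)],
        "usable": [str(a) for a in usable],
        # usable pool members with no alias: replies to them would be dropped
        "unbound": [str(a) for a in usable if a not in bound],
        # aliases outside the pool (typo in the alias list)
        "stray_aliases": sorted(str(a) for a in bound if a not in net),
    }


def _hash(src, key):
    """Stable 32-bit hash of a source address (toy model, not PF's hash)."""
    digest = hashlib.sha256(key + src.encode()).digest()
    return int.from_bytes(digest[:4], "big")


def pick_by_prefix(src, pool_cidr, key=b"constructed-key"):
    """Model of prefix-based selection: the hash fills the host bits, so
    every address in the prefix, .0 and broadcast included, is a candidate."""
    net = ipaddress.ip_network(pool_cidr, strict=True)
    host_bits = net.max_prefixlen - net.prefixlen
    offset = _hash(src, key) & ((1 << host_bits) - 1)
    return str(net.network_address + offset)


def pick_by_host_list(src, hosts, key=b"constructed-key"):
    """Model of hashing onto an explicit list of usable pool addresses."""
    return hosts[_hash(src, key) % len(hosts)]


def count_unroutable_hits(sources, pool_cidr, picker):
    """Number of sources that picker(src) maps onto an unroutable address."""
    bad = set(audit_pool(pool_cidr, [])["unroutable"])
    return sum(1 for s in sources if picker(s) in bad)


if __name__ == "__main__":
    POOL = "203.0.113.0/29"                                 # constructed pool
    ALIASES = ["203.0.113.%d" % i for i in range(1, 7)]     # constructed aliases
    SOURCES = ["10.0.0.%d" % i for i in range(1, 101)]      # constructed clients
    report = audit_pool(POOL, ALIASES)
    print("unroutable:", report["unroutable"])
    print("unbound:   ", report["unbound"])
    print("prefix model hits on unroutable addresses:",
          count_unroutable_hits(SOURCES, POOL, lambda s: pick_by_prefix(s, POOL)))
    print("host-list model hits on unroutable addresses:",
          count_unroutable_hits(SOURCES, POOL,
                                lambda s: pick_by_host_list(s, report["usable"])))
```

A non-empty "unbound" list means some pool addresses are selected by the rule but have no alias on the outbound interface, which matches the symptom of connections freezing only for some mappings. The two hit counts show why restricting selection to the usable hosts removes the broadcast address from play; whether PF's real source-hash behaves like the prefix model is the hypothesis of the post, and the pfctl syntax for expressing an explicit host list is outside the scope of this example.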