Add interface to Diagnostics: Show States

ggzengel · Apr 7, 2013, 2:51 PM

Please add the interface (from pfctl -s state) to this list.
With this info you can imagine which nat rule really matches.

gerdesj · Apr 7, 2013, 7:35 PM

@ggzengel:

Please add the interface (from pfctl -s state) to this list.
With this info you can imagine which nat rule really matches.

I am struggling to see the extra utility but I haven't thought about it much.

A NAT related state already shows the three addresses in use which is very useful. I think adding the interface would probably only be a convenience but not actually add much information. There is not much room horizontally in the displays and another field would make it worse. The IPv6 states are already a bit of a mess an I shudder to think what an IPv6 NAT state would look like.

Cheers
Jon

ggzengel · Apr 7, 2013, 9:06 PM

But you didn't know which NAT rule was used for this state.

If your openvpn client use WAN1 and your default route is WAN2 than your openvpn client will use NAT rule for WAN2:

pfctl -s state:
WAN2 WAN1:1234>dest:1194

If you make a NAT rule for WAN2 (remember openvpn use WAN1) with src=any you will get:
WAN2 WAN1:1234>WAN2:2345>dest:1194

If you see this, than you know why your openvpn always goes thru WAN2.