Situation: VPN server, hosting OpenVPN and L2TP connections. OpenVPN connections share a "utun" interface, one per OpenVPN server process. L2TP connections each get a unique "ppp" interface. The easiest way to capture all of the potential interface permutations for NAT is a pf rule like this:
nat on en0 from ! (en0) to any -> (en0:0)
That works great. Except now the server has a second physical interface, en1, and obviously pf is trying to NAT traffic coming through that interface. What is the correct way to rephrase the above pf rule so that neither en0 nor en1 gets NATted, but everything else does?
