Hi all,

I hope someone can help with this strange problem:

pass out quick on $ext_if inet proto icmp from $int_if:network to any icmp-type {echorep, echoreq, timex, unreach}

This one doesn't work

pass out quick on $ext_if inet proto icmp from any to any icmp-type {echorep, echoreq, timex, unreach}

This one does work

Why can't I use the $int_if:network macro in the filter rules?

Did you try:

pass out quick on $ext_if inet proto icmp from $ext_if:network to any icmp-type {echorep, echoreq, timex, unreach}

I don't know if you have an RFC1918 network on your internal interface, but NAT takes place before the filter rules apply, so the RFC1918 address(es) will first be translated to the public IP address(es). So the ICMP traffic will have to be allowed from the external interface.

Problem seems to be a rights issue.

$ext_if had no rights for using his own interface according to the block and filter rules.