/etc/pf.conf
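ext_if = "re0"
int_if = "ath0"
auth_web = "192.168.27.20"
dhcp_services = "{ bootps, bootpc }" # DHCP server + client

# authpf adds the address of each authenticated user to this table
table <authpf_users> persist

# HTTP from clients that have not authenticated is redirected to $auth_web
pass in quick on $int_if proto tcp from ! <authpf_users> to port http rdr-to $auth_web
match out on $ext_if from $int_if:network nat-to ($ext_if)

# per-user rules are loaded into this anchor by authpf
anchor "authpf/*"
block all

# DHCP, name resolution and ssh (needed to log in to authpf) stay open
pass quick on $int_if inet proto { tcp, udp } to $int_if port $dhcp_services
pass quick inet proto { tcp, udp } from $int_if:network to any port domain
pass quick on $int_if inet proto { tcp, udp } to $int_if port ssh
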
Pre-4.7:
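ext_if = "re0"
int_if = "ath0"
auth_web = "192.168.27.20"
dhcp_services = "{ bootps, bootpc }" # DHCP server + client

# authpf adds the address of each authenticated user to this table
table <authpf_users> persist

# HTTP from clients that have not authenticated is redirected to $auth_web
rdr pass on $int_if proto tcp from ! <authpf_users> to any port http -> $auth_web
nat on $ext_if from $int_if:network to any -> ($ext_if)

# per-user translation and filter rules are loaded into these anchors by authpf
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"
anchor "authpf/*"
block all

# DHCP, name resolution and ssh (needed to log in to authpf) stay open
pass quick on $int_if inet proto { tcp, udp } to $int_if port $dhcp_services
pass quick inet proto { tcp, udp } from $int_if:network to port domain
pass quick on $int_if inet proto { tcp, udp } to $int_if port ssh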