Hello,

I need to distinguish traffic that is delivered within the local layer 2 network and traffic that goes out the same interface but needs to get routed.

In my case: I need to MASQUERADE local traffic but SNAT routed traffic to the IP address of the VPN tunnel.

At the moment I have:

    iptables -t nat -A POSTROUTING -s vmbr1 -o vmbr0 -d 192.168.1.0/24 \
        -j MASQUERADE
    iptables -t nat -A POSTROUTING -s vmbr1 -o vmbr0 \
        -j SNAT --to-source $VPN_ENDPOINT

where 192.168.1.0/24 is the local network.

Is there a more elegant solution, perhaps something like

    -m addrtype --dst-type LOCAL_NETWORK

?

Regards,
Robert