On Fri, Oct 27, 2023 at 06:32:45PM +0200, Volodymyr Litovka wrote:
> The question - what I'm doing wrong?

Description, ruleset and topology look a bit convoluted :-)

To start with:

        iifname "inspan" ...

is not really required, because your chain is already hooked at
"inspan" device, see your chain declaration:

 table netdev inspan {
     chain rewrit {
         # Drop everything except Radius Accounting and DHCP packets
         type filter hook ingress device "inspan" priority filter; policy drop;

Then, to forward packets to some other box from the 'netdev' family,
use the 'fwd' statement:

        udp dport 67 udp dport set 10067 counter fwd to 100.64.0.66 device "eth0"

This rule above is mangling your UDP destination port from 67 to
10067, then it sends the packet to 100.64.0.66 and device "eth0".

The destination MAC address is updated by the neighbour layer so you
do not have to bother with "ether daddr set ...".