On Wed, Apr 30, 2014 at 10:46:47PM -0400, Cory Smelosky wrote:
> Brian,
> As I run pf at the Edge, can you add a bit that autogenerates a file
> that looks like:
>   pass in on $ext_if proto gre from <remote tunnel IP> to any port rdr-to 10.10.0.10 port snmp
> for each tunnel? I'll likely pull it from tftp using a cronjob and
> shove it into a pf anchor.

Use a table instead.

    table <hecnet_gre> persist file "/etc/hecnet"
    pass in on $ext_if proto gre from <hecnet_gre> to any port rdr-to 10.10.0.10 port snmp

Then fetch ip_list via tftp and put it as /etc/hecnet.
Then run: pfctl -t hecnet_gre -Tr -f /etc/hecnet

This file is re-generated every time my script is triggered. That being
said, it obviously only changes if people join/leave/change ip.
-brian
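
An added example (not part of the original message or of Brian's script): an update step for the table approach above that checks the fetched list before loading it, since a tftp transfer is unauthenticated. It assumes ip_list holds one IPv4 address per line and that the cron job has already fetched it to the path passed as the second argument; the function names, the `--apply` switch and the script name in the usage comment are illustrative.

```sh
#!/bin/sh
# Added example: check a fetched HECnet peer list before loading it into pf.
# Assumption: ip_list has one IPv4 address per line ('#' comments allowed).
TABLE=hecnet_gre
TABLE_FILE=/etc/hecnet

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# clean_list FILE: print the validated addresses. Fails on the first line
# that is not a plain IPv4 address, so hostnames, CIDR blocks or garbage
# from a corrupted or spoofed transfer never reach the table.
clean_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # strip blanks and CRs
        [ -n "$line" ] || continue
        is_ipv4 "$line" || { echo "rejected: $line" >&2; return 1; }
        printf '%s\n' "$line"
    done < "$1"
}

# update_table FETCHED: install the checked list and replace the table.
# A rejected or empty list leaves the current file and table untouched.
update_table() {
    tmp=$(mktemp "$TABLE_FILE.XXXXXX") || return 1
    if clean_list "$1" > "$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$TABLE_FILE" &&
            pfctl -t "$TABLE" -T replace -f "$TABLE_FILE"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage from cron (as root): update-hecnet.sh --apply /tmp/ip_list
if [ "${1:-}" = "--apply" ]; then update_table "$2"; fi
```

Refusing an empty list matters here because replacing the table with nothing would drop every tunnel peer at once.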