L2TP + "Enable automatic outbound NAT for Reflection" + L2TP subnet overlapping + Port forwards can lead to a broken ruleset
If the L2TP subnet overlaps a subnet that contains a port forward target, and automatic outbound NAT for reflection is enabled, then an invalid ruleset can be generated:
From "pfctl -f /tmp/rules.debug":
    no IP address found for l2tp
    /tmp/rules.debug:129: could not parse host specification
    no IP address found for l2tp
    /tmp/rules.debug:137: could not parse host specification
From "grep -ni l2tp /tmp/rules.debug" (relevant lines only):
    129:no nat on l2tp proto tcp from l2tp to $somewhere port $blah
    137:no nat on l2tp proto tcp from l2tp to $somewhere port $blah2
In this context "l2tp" is not valid as a "from" specification.
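A small pre-load lint for the generated ruleset, added here as an example and not part of the report or of the firewall's own code: it scans rules.debug for rules whose "from"/"to" host specification is the bare interface name, which is exactly what pfctl rejected above. The sample ruleset is constructed around the two quoted lines; the interface name and file layout are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample mirroring the two rules quoted in the report; this is not
# the reporter's actual /tmp/rules.debug.
SAMPLE_RULES = """\
somewhere = "192.0.2.10"
no nat on em0 proto tcp from 10.0.0.0/24 to $somewhere port 80
no nat on l2tp proto tcp from l2tp to $somewhere port $blah
pass in on l2tp from (l2tp) to any
no nat on l2tp proto tcp from l2tp to $somewhere port $blah2
"""

# In a pf rule the host specifications are the tokens right after "from" and "to".
HOST_SPEC = re.compile(r"\b(from|to)\s+(\S+)")


def find_bare_iface_host_specs(ruleset: str, iface: str = "l2tp") -> List[Tuple[int, str]]:
    """Return (line_number, rule) for every rule that uses the bare interface
    name as a from/to host, the form pfctl refuses when the interface has no
    address at load time ("no IP address found for l2tp")."""
    hits = []
    for lineno, line in enumerate(ruleset.splitlines(), start=1):
        rule = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not rule:
            continue
        for _keyword, host in HOST_SPEC.findall(rule):
            # "(l2tp)" is the dynamic interface-address form and parses fine;
            # only the bare name token is the problem seen in the report.
            if host == iface:
                hits.append((lineno, rule))
                break
    return hits


if __name__ == "__main__":
    for lineno, rule in find_bare_iface_host_specs(SAMPLE_RULES):
        print(f"{lineno}: {rule}")
```

On the firewall itself, `pfctl -nf /tmp/rules.debug` parses the file without loading it and reports the same two errors before the broken ruleset goes live.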