caveats


default routes for all the domains!
seriously
the 'do we have a valid route' check happens *before* pf
very common mistake

debugging can be painful

which route will be used?

but, how do we send (some) traffic to a different rdomain?
pf to the rescue!