"James Chase" <james () wintercastle ! net>

If I fully understand your situation, a lot of what you do depends on whether you intend to resolve names and whether you can use subnets. In my situation I have a number of servers and internal clients on different subnets with one external public IP address. pf obviously becomes trivial.

The obvious issue is resolving zones you are authoritative for to internal clients. I've chosen to pass resolving onto the ISP partly to overcome this. If that's on the table as an option I recommend looking at this: http://www.openbsd.org/faq/pf/rdr.html#sepnet

Once you do that, add a rule for your client subnet(s) that redirects any incoming traffic on the corresponding internal_IF on your router to the appropriate server. That is:

server = "192.168.250.1"
vhosts = "58.108.203.117"

pass in on pppoe0 inet proto tcp from any to (pppoe0) port www rdr-to $server
pass out on xl0 inet proto tcp from any to $server port www
pass in on dc0 inet proto tcp from dc0:network to $vhosts port www rdr-to $server
pass in on rl0 inet proto tcp from rl0:network to $vhosts port www rdr-to $server

Note vhosts can be any number of domains. Again it depends on different subnets and, as far as resolving goes, public IPs can be returned and pf will take care of that. No other consideration necessary.

As far as I understand it I was facing exactly the same decisions and made the sweeping decision to pass all resolving to the ISP. I have no overriding security or performance consideration there and it seemed like a great idea to miss the fun of splitting DNS or screwing around with hosts files. Having a quick look at dhcpd.conf it might be possible to specify hosts from there. I expect it is but certainly doable by some other mechanism. I thought about chasing that down but in the end it didn't seem worth it.

Best wishes.
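The ruleset below is an added example, not part of James's message and not the OpenBSD FAQ's own text. It expands his approach into a complete pf.conf fragment: macros for the interfaces, a table so that any number of public vhost addresses can be redirected, the per-subnet rdr-to rules for client segments, and, going one step beyond the message, the case his layout avoids, where a client sits on the same segment as the server (the "reflection" case described in the linked FAQ section). Interface names (pppoe0, xl0, dc0, rl0), the server address and the public address are placeholders copied from the message and are assumed to match your own layout.

```pf
# Added example (not from the original message). Interface names, addresses
# and subnets are placeholders; adjust them to your own network.
ext_if     = "pppoe0"        # link carrying the single public address
lan_if     = "xl0"           # segment holding the server
client_ifs = "{ dc0 rl0 }"   # client segments, each its own subnet
server     = "192.168.250.1"

# Every public address that your zones hand out to clients. A table lets
# "vhosts" hold any number of addresses without multiplying the rules.
table <vhosts> const { 58.108.203.117 }

# External clients: public address -> internal server.
pass in  on $ext_if inet proto tcp from any to ($ext_if) port www rdr-to $server
pass out on $lan_if inet proto tcp from any to $server port www

# Internal clients on other subnets: the same redirect, applied on the
# interface the client traffic arrives on. Because the client and the server
# are on different segments, the server's replies pass back through the
# router and match the rdr state; no address translation is needed.
pass in on $client_ifs inet proto tcp from any to <vhosts> port www rdr-to $server

# Client on the same segment as the server (not needed in the layout above,
# but this is the situation the FAQ's "sepnet" section addresses): the server
# would otherwise answer the client directly and bypass the rdr state, so the
# source is also translated to the router's own address on that segment.
# pf keeps the last matching rule, so this pass out rule wins only for
# traffic that was received on $lan_if; the earlier one still covers the rest.
pass in  on $lan_if inet proto tcp from $lan_if:network to <vhosts> port www rdr-to $server
pass out on $lan_if inet proto tcp to $server port www received-on $lan_if nat-to $lan_if
```

Before loading it, parse-check with `pfctl -nf /etc/pf.conf`, and after loading confirm the translation states with `pfctl -ss` while an internal client connects to one of the public addresses; the state entry should show the public address being rewritten to $server, which is the behaviour that makes returning public IPs from DNS (or from the ISP's resolver) safe for internal clients.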