To clarify:

I can connect from any 192.168.2.* IP to a temporary machine
in the 192.168.1.* network (the empty network between the hardware
router and the openbsd box), so packets appear to be forwarded
correctly. If I try to connect to an external IP, however, the packets
don't seem to go anywhere. I have, on a few occasions, seen responses
from openbsd.org to packets sent earlier which are then blocked by
pf (correctly, as they are no longer associated with any connection).

I have connected a machine to the 192.168.1.* network to sniff
packets with wireshark and see absolutely nothing go through when
a machine at 192.168.2.5 attempts to 'nc' to openbsd.org:80. Watching
pf logs with tcpdump shows that pf certainly believes it has forwarded
packets to the external IP address.

...

In the old days, we'd have opened the switch with bolt cutters and
set fire to the building on the way out.

MC
