Good news and bad news. Good news, I finally got tcp reflection working (on 3.2) via the multiple nat/no nat/rdr rules. Turns out I had the $server confused with the ext_if address, rather than the webserver. Sounds stupid, but... well, I guess it is. :-P
Bad news. Defaulting back to a "normal" set of NAT rules (one for "masquerading", one for port forwarding to the internal webserver), I'm having difficulties with a typical DMZ setup. This time, the client is on the 192.168.2.0/24 network, trying to reach the webserver on 192.168.1.0/24 network, but being redirected through the external interface (10.109.10.97). Every time I send a connection, the firewall sends an immediate reset. No traffic on any of the other interfaces. It does manage to work if I create a set of "reflection" rules for this interface as well, but I thought that a DMZ didn't NEED this sort of complex mangling. The routing is fine; I have no problems pinging the webserver from the client... it's only when the packet attempts to hit the external address for redirection that it gets reset. Any ideas? Thanks again, Jason