> > yet this does not:
> >
> > rdr on $ext proto tcp from any to <web_servers_ext> port 80 -> \
> >     <web_servers_int> round-robin sticky-address
>
> There was a bug fixed recently where pf would fail to select a
> translation when a rule did not have an explicit (or implicit) address
> family (IPv4/v6). This was backported to 3.6-stable, maybe you have an
> older kernel. To test the theory, add 'inet' to your rule, which makes
> the address family explicit.
>
> If this is not the problem, describe exactly how 'it is not working'.
Mea culpa. I really should have given you more to go on. :-(

That said, when looking at a tcpdump -netttvvvi pflog0 port 80, it was as you
suspected: pf apparently wasn't selecting an appropriate translation rule, so
connections were getting blocked by the default block rule.

As described, simply changing the rule to this:

rdr on $ext inet proto tcp from any to <web_servers_ext> port 80 -> \
    <web_servers_int> round-robin sticky-address

makes everything pass through like a champ. Now to grab an updated 3.6-stable. :-)

Thanks so much.

Kevin
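For readers following the thread, here is a minimal pf.conf built around the corrected rule, as an added example that is not part of the original mail exchange. The interface name and the addresses in the tables are made up; the only point carried over from the thread is the explicit "inet" on the rdr rule so that the affected kernel can still match the translation.

```pf
# Added example, not from the thread. Interface and addresses are placeholders.
ext = "fxp0"

# Public addresses that clients connect to (documentation range, placeholder).
table <web_servers_ext> { 192.0.2.10 }
# Internal servers that actually receive the traffic (placeholders).
table <web_servers_int> { 10.0.0.11, 10.0.0.12 }

# Default-deny, logged so that dropped packets can be read from pflog0.
block in log all

# The rule from the thread with the address family made explicit.
# Without "inet" an older 3.6 kernel may fail to select this translation,
# and the connection falls through to the block rule above.
rdr on $ext inet proto tcp from any to <web_servers_ext> port 80 -> \
    <web_servers_int> round-robin sticky-address

# After redirection the packet is addressed to the internal server, so the
# pass rule must match the translated destination, not the public address.
pass in on $ext inet proto tcp from any to <web_servers_int> port 80 keep state
pass out on $ext inet proto tcp from any to <web_servers_int> port 80 keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it, confirm the translation was installed with "pfctl -sn", and watch for leftover drops with the same "tcpdump -netttvvvi pflog0 port 80" used in the thread.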