I'm embarrassed to ask such a simple question. Since 3.4 I've been running PF firewalls, but mostly for very small networks with 32 or fewer external addresses. I always assigned my external IPs to my external interface and then did NAT or bi-NAT.
Now I'm building firewalls for much larger networks with a /25 of external IPs. They will all be either static or dynamic NAT, so proxy-ARP doesn't seem like the way to go. Do I absolutely have to assign all these addresses to the external interface in order to use them for nat-to/binat-to, or can I simply have the upstream router set a route to one IP that I assign to the external interface (this is done already) and PF will be able to handle the translations? -- bk
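As an added illustration of the layout the question describes (this is not part of the original post and not a reply from the list): a pf.conf fragment in post-4.7 syntax where the external interface carries only a single transit address and the nat-to/binat-to targets are drawn from a public /25 that the upstream router routes to that transit address. Interface names (em0, em1), the transit link 203.0.113.0/30, the public block 192.0.2.128/25, the internal network 10.0.0.0/16 and the web server addresses are all assumptions chosen for the example.

```pf
# Added example, not from the original post.  Assumed topology:
#   upstream router 203.0.113.1 <-- 203.0.113.0/30 --> em0 203.0.113.2
#   upstream has "route 192.0.2.128/25 via 203.0.113.2";
#   nothing from 192.0.2.128/25 is configured on em0 itself.
#   Requires net.inet.ip.forwarding=1 in /etc/sysctl.conf.

ext_if  = "em0"
int_if  = "em1"
int_net = "10.0.0.0/16"

# Public space routed to us by the upstream (assumed addresses).
pub_net  = "192.0.2.128/25"
nat_pool = "192.0.2.192/26"     # dynamic NAT pool, a /26 out of the /25
web_pub  = "192.0.2.130"        # static (binat) address of the web server
web_int  = "10.0.1.80"          # web server's internal address

set skip on lo
block log all

# Static 1:1 translation: inbound to $web_pub is rewritten to $web_int,
# outbound from $web_int leaves as $web_pub.  No address from $pub_net
# is bound to $ext_if; packets reach us because the upstream routes
# the /25 to 203.0.113.2 and PF translates before forwarding.
match on $ext_if from $web_int to any binat-to $web_pub

# Dynamic NAT for everyone else, spread round-robin over the pool.
match out on $ext_if from $int_net to any nat-to $nat_pool round-robin

# Filter rules see the translated addresses, hence $web_int here.
pass in  on $ext_if inet proto tcp to $web_int port { 80 443 }
pass out on $ext_if inet from { $int_net $web_int }
pass in  on $int_if inet from $int_net
pass out on $int_if inet to { $int_net $web_int }
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -s state` while generating traffic from the inside: the state entries should show source addresses from 192.0.2.192/26 even though `ifconfig em0` lists only 203.0.113.2. If the upstream does not actually route the /25 to the transit address, return traffic never arrives and the states simply time out, which is the first thing to verify when translations appear to be ignored.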
