I'm having trouble getting rdr to work.  Here's the configuration:

The host on which pf is running has its own services, particularly HTTP 
and SSH, so I set up a pool of other (external) addresses to use for 
NAT.  Thus, I have my aliases set up in /etc/rc.conf:

ifconfig_fxp0="inet x.y.z.5  netmask"
ifconfig_fxp1="inet  netmask"
ifconfig_fxp0_alias0="x.y.z.20 netmask 0xffffffff"
ifconfig_fxp0_alias1="x.y.z.21 netmask 0xffffffff"
ifconfig_fxp0_alias2="x.y.z.22 netmask 0xffffffff"
ifconfig_fxp0_alias3="x.y.z.23 netmask 0xffffffff"
ifconfig_fxp0_alias4="x.y.z.24 netmask 0xffffffff"

# And my pf.conf file is set up like this:

# These are my external NAT addresses
table <nat_pool> { $nat1, $nat2, $nat3, $nat4 }

# I then have NAT set like this:

nat on $ext_if inet from $internal_net to any -> <nat_pool>

# Next, I want SSH and TAPI to go to particular machines on the internal 

rdr on $ext_if proto tcp from any to $nat1/32 port 22 ->
rdr on $ext_if proto tcp from any to $nat1/32 port 5000 ->

# And some of my internal users connect to X11 clients, so I map some 
X11 ports:

rdr on $ext_if proto tcp from any to <nat_pool> port 6104 ->
rdr on $ext_if proto tcp from any to <nat_pool> port 6105 ->
rdr on $ext_if proto tcp from any to <nat_pool> port 6106 ->

Except for the "x.y.z", everything is exactly taken from the files.

The problem:  connecting to the X11 ports works (DISPLAY=nat1.domain:104 
works from an external Internet address), but ssh to nat1 times out.  
Yes, I know is running a valid SSH server on port 22, 
since I also have a Netgear NAT router pointing to it that works just 
fine.  The same for the system listening on port 5000.

Yes, I tried substituting <nat_pool> for $nat1/32 and vice versa as a 
test, but the end result is the same:  Port 6104 works, but ports 22 and 
5000 do not.

Is there anything obvious I'm doing wrong?  Is this a FAQ?
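For reference, here is a complete rdr layout of the kind the post describes, written as an added example rather than the poster's own configuration. All addresses, the internal hosts, and the $ssh_host/$tapi_host/$x11_host macros are assumed placeholders. The point it illustrates is the check a reviewer would make first: pf translates the destination before it filters, so the filter rules have to admit the translated (internal) address and only the redirected ports, and an rdr whose translated packet is then blocked looks from outside exactly like a timeout.

```pf
# Added example, not the original poster's pf.conf.  Every address and
# internal host below is a labelled placeholder (TEST-NET-1 / RFC 1918).
ext_if       = "fxp0"
int_if       = "fxp1"
internal_net = "10.0.0.0/24"          # placeholder for the internal subnet
nat1         = "192.0.2.20"           # placeholders for x.y.z.20 .. x.y.z.23
nat2         = "192.0.2.21"
nat3         = "192.0.2.22"
nat4         = "192.0.2.23"
ssh_host     = "10.0.0.10"            # placeholder: internal SSH server
tapi_host    = "10.0.0.11"            # placeholder: internal host on port 5000
x11_host     = "10.0.0.12"            # placeholder: internal X11 server

table <nat_pool> { $nat1, $nat2, $nat3, $nat4 }

# Outbound NAT for the internal network, drawing from the pool.
# A table as the translation target needs the round-robin pool type.
nat on $ext_if inet from $internal_net to any -> <nat_pool> round-robin

# Inbound redirections.  Omitting a port on the right-hand side of the
# X11 rule keeps the original destination port (6104..6106).
rdr on $ext_if proto tcp from any to $nat1 port 22   -> $ssh_host port 22
rdr on $ext_if proto tcp from any to $nat1 port 5000 -> $tapi_host port 5000
rdr on $ext_if proto tcp from any to <nat_pool> port 6104:6106 -> $x11_host

# Default deny on the external interface, then admit only the redirected
# services.  Filtering happens after translation, so the destinations
# here are the internal hosts, not the pool addresses.  Without these
# rules the translated SYN is dropped and the client sees a timeout.
block in log on $ext_if
pass in on $ext_if proto tcp from any to $ssh_host  port 22        flags S/SA keep state
pass in on $ext_if proto tcp from any to $tapi_host port 5000      flags S/SA keep state
pass in on $ext_if proto tcp from any to $x11_host  port 6104:6106 flags S/SA keep state
```

Check it before loading with `pfctl -nf /etc/pf.conf` (parse only), then confirm what is actually in the kernel with `pfctl -s nat` and `pfctl -s rules`. If the rdr entry is present but SSH still times out, `tcpdump -i pflog0` shows the translated packets that the block rule logged, and `tcpdump -ni fxp1 port 22` shows whether any SYN ever leaves for the internal host.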