Question about binat and nat in the same domain

Tz-Huan Huang tzhuan at gmail.com
Wed Oct 18 02:49:10 PDT 2006


Hi,

There is a FreeBSD box running pf as a firewall.
There are two types of internal computers. One type is for servers: they
are set to fixed IPs (int_server_ipN) and mapped to external IPs (ext_server_ipN)
using binat. The other type is for clients: they get IPs from the DHCP server
dynamically. The IPs of servers and clients are in the same domain.

Following is the pf.conf:

binat on $ext_if from $int_server_ip1 to any -> $ext_server_ip1
binat on $ext_if from $int_server_ip2 to any -> $ext_server_ip2
binat on $ext_if from $int_server_ip3 to any -> $ext_server_ip3
...

nat on $ext_if from $int_if:network to any -> $ext_ip
pass quick all keep state

and I use ``arp -s [ext ip] [mac] pub'' to bind $ext_server_ips on $ext_if.

Basically everything works: the internal servers serve as if they were external, and
all clients can reach the internet fine.
The problem is: clients cannot connect to the servers via the external IPs.
For example, "ping $ext_server_ip1" on a client gets no response.

tcpdump gets the following log:

17:16:43.005360 IP $client_ip > $ext_server_ip1: ICMP echo request, id 768, seq 61440, length 40
17:16:43.005430 IP $ext_ip > $int_server_ip1: ICMP echo request, id 59065, seq 61440, length 40
17:16:43.005732 IP $int_server_ip1 > $ext_ip: ICMP echo reply, id 59065, seq 61440, length 40
17:16:48.506471 IP $client_ip > $ext_server_ip1: ICMP echo request, id 768, seq 61696, length 40
17:16:48.506531 IP $ext_ip > $int_server_ip1: ICMP echo request, id 59065, seq 61696, length 40
17:16:48.506719 IP $int_server_ip1 > $ext_ip: ICMP echo reply, id 59065, seq 61696, length 40
...


The strange thing is that the firewall doesn't translate the echo reply back to
$client_ip.
What's the problem? Is anything wrong in my configuration?
Thanks very much for your help.

tzhuan
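The configuration below is an added illustration, not part of the original message or any reply to it. It shows the standard pf "reflection" (hairpin) arrangement from the PF FAQ for the case the post describes: internal clients reaching an internal server through its external address. Instead of relying on the binat rule bound to $ext_if, the client's packet is redirected on the internal interface where it arrives, and then source-translated so the server replies to the firewall rather than directly to the client. It reuses the macros of the posted pf.conf ($ext_if, $int_if, $ext_ip, $int_server_ip1, $ext_server_ip1) and assumes $int_if is the interface on which clients and servers share a subnet; that assumption is mine, not confirmed by the post.

```pf
# Added example (not from the original post): reflection rules so that
# internal clients can reach the servers by their external addresses.
# Assumes the macros of the posted pf.conf and that $int_if:network is the
# subnet both the clients and the servers live on.

# Unchanged: translation for traffic that actually crosses the external interface.
binat on $ext_if from $int_server_ip1 to any -> $ext_server_ip1
nat on $ext_if from $int_if:network to any -> $ext_ip

# Reflection step 1: a client packet addressed to $ext_server_ip1 enters on
# $int_if. Rewrite its destination there, before the routing decision sends
# it toward $ext_if (where the binat rule would otherwise handle it).
rdr on $int_if from $int_if:network to $ext_server_ip1 -> $int_server_ip1

# Reflection step 2: after rdr the packet leaves the firewall on $int_if again.
# Source-NAT it to the firewall's internal address so the server's reply comes
# back to the firewall, which holds the state and untranslates it. Without this
# the server (on the same subnet) would answer the client directly from
# $int_server_ip1, and the client would discard a reply that does not come
# from the address it sent to. Only reflected traffic matches this rule:
# direct client-to-server traffic on the shared subnet never passes the firewall.
nat on $int_if from $int_if:network to $int_server_ip1 -> $int_if

pass quick all keep state
```

Repeat the rdr and nat-on-$int_if pair for each $ext_server_ipN/$int_server_ipN mapping. Because the redirected packet never reaches $ext_if, the binat rule is not involved in the reflected path at all; it continues to serve genuinely external traffic as before.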

