Subject: Re: ipf feature mask
To: None <current-users@netbsd.org>
From: Patrick Welche <prlw1@newn.cam.ac.uk>
List: current-users
Date: 07/08/2005 19:46:15
One more difference: "bad NAT" on the reply packet in the broken setup.

Now the rules look like:

block in log all
block out log all
pass in  quick log on xi0  proto tcp from any to any port = http flags S/SA keep state
pass out quick log on rtk0 proto tcp from any to any port = http flags S/SA keep state

map rtk0 192.168.204.234/32 -> 131.111.204.234/32

which works, but not on the computer with s/xi0/ex0/g s/rtk0/bge0/g
On that one the reply has "bad NAT" on the SA packet returning from
the webserver as it hits the external interface, and gets blocked.
(It also has Feature mask: 0xa rather than 0x10a as on the working one)

They both work with the pf rules:

int_if=xi0
ext_if=rtk0
int_ip=192.168.204.234
ext_ip=131.111.204.234

nat on $ext_if from $int_ip to any -> $ext_ip

block in log-all all
block out log-all all

pass in  quick log-all on $int_if proto tcp from any to any port = http flags S/SA keep state
pass out quick log-all on $ext_if proto tcp from any to any port = http flags S/SA keep state

which I think are the equivalent of the ipf ones...

So, what does "bad NAT" imply? (ipnat -l looks correct)

Cheers,

Patrick
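The message asserts that the ipf rule set and the pf rule set are equivalent. As an added example (not part of the post, and not an ipf or pf tool), the script below mechanically translates the quoted ipf rules into the pf form the post gives, so the claimed equivalence can be checked line by line. It assumes the macro names from the pf fragment (int_if, ext_if, int_ip, ext_ip), follows the post in pairing ipf "log" with pf "log-all", and only understands the rule shapes that appear in the message; anything else is rejected rather than guessed at.

```python
import re

# Constructed copy of the ipf rule set quoted in the message (example input).
IPF_RULES = """\
block in log all
block out log all
pass in  quick log on xi0  proto tcp from any to any port = http flags S/SA keep state
pass out quick log on rtk0 proto tcp from any to any port = http flags S/SA keep state
map rtk0 192.168.204.234/32 -> 131.111.204.234/32
"""

# Macro names follow the pf.conf fragment in the message (an assumption of
# this example); the values are the ones that appear in the ipf rules.
MACROS = {
    "int_if": "xi0",
    "ext_if": "rtk0",
    "int_ip": "192.168.204.234",
    "ext_ip": "131.111.204.234",
}

# Only the two rule shapes present in the message are handled.
MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)/32\s+->\s+(\S+)/32$")
FILTER_RE = re.compile(
    r"^(block|pass)\s+(in|out)(\s+quick)?(\s+log)?(?:\s+on\s+(\S+))?\s+(.*)$"
)


def macro(value, macros):
    """Return $name for a value bound to a pf macro, else the value itself."""
    for name, bound in macros.items():
        if bound == value:
            return "$" + name
    return value


def translate_line(line, macros):
    """Translate one ipf rule; returns ('nat', text) or ('filter', text)."""
    line = " ".join(line.split())  # collapse the alignment whitespace
    m = MAP_RE.match(line)
    if m:
        iface, src, dst = m.groups()
        return ("nat", f"nat on {macro(iface, macros)} from {macro(src, macros)} "
                       f"to any -> {macro(dst, macros)}")
    m = FILTER_RE.match(line)
    if not m:
        raise ValueError(f"unsupported ipf rule: {line!r}")
    action, direction, quick, log, iface, rest = m.groups()
    out = [action, direction]
    if quick:
        out.append("quick")
    if log:
        out.append("log-all")  # the message pairs ipf 'log' with pf 'log-all'
    if iface:
        out.append(f"on {macro(iface, macros)}")
    out.append(rest)
    return ("filter", " ".join(out))


def translate(ipf_text, macros=MACROS):
    """Return pf.conf lines: macro definitions, then nat rules, then filter rules."""
    nat, filt = [], []
    for raw in ipf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        kind, text = translate_line(raw, macros)
        (nat if kind == "nat" else filt).append(text)
    # pf of this era requires translation rules to precede filter rules,
    # which is also the order used in the message's pf fragment.
    return [f"{k}={v}" for k, v in macros.items()] + nat + filt


if __name__ == "__main__":
    print("\n".join(translate(IPF_RULES)))
```

Passing a different macro table (ex0/bge0 for the second machine) and the correspondingly renamed ipf rules yields the same nat and filter lines with only the macro definitions changed, which is the point: the rule logic is identical on both hosts, so the "bad NAT" difference has to come from something other than the rules themselves.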