NetBSD-Users archive
NPF single NIC & NAT
I'm having difficulty redirecting some traffic on my home network, from a
server with a single nic.
Here's the situation: I have a wifi/gateway router which forwards all
traffic from my external IP to a NetBSD server on my internal network. The
server has a single NIC, but I have a second server also on my internal
network I'd like to offload some of the services onto. For specific
reasons, I don't want to do the 'proper' way and change the gateway
router's rules, and instead I want to redirect the packets via the NetBSD
server and NPF.
I've added some map rules in my npf.conf, but they don't seem to work.
Traffic tries to connect, but hangs waiting for return packets, and
eventually times out. Npfctl shows the NAT allocations occurring, but they
later get destroyed. Changing the IP address of the dest server to
localhost does in fact pass traffic, so I'm a bit confused why this other
way isn't working.
I know that with PF, you cannot reflect packets out the same interface, is
that what's preventing me from doing this with NPF also?
My npf.conf:
# Wonderful basic config!
$ext_if = "ale0"
$localnet = { 192.168.0.0/24 }
$irc_server = { 192.168.0.3 }
$ext_ipaddr = { 192.168.0.2 }
# My persistent block tables
table <blacklist> type tree file "/etc/npf_blacklist"
group "external" on $ext_if {
    block in final from <blacklist>
    pass all
}
group default {
    pass final on lo0 all
    block all
}
map $ext_if static $irc_server port 6667 <- $ext_ipaddr port 6667
Hopefully someone can shed some light on what I'm doing wrong - and
hopefully there is a way to do this that doesn't require a second NIC.
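The symptom above (NAT sessions created, then destroyed) is what an asymmetric return path looks like. The following is an added toy model, not part of the post and not NPF code: a stateful redirect box on the LAN forwards the connection to the IRC server, and the server's reply either bypasses the box (destination rewrite only) or returns through it (source rewritten to the NetBSD host as well). Addresses 192.168.0.2 and 192.168.0.3 are from the post; the external client address, the router address and the on-link routing rule are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# 192.168.0.2/.3 are from the post; client and router addresses are constructed.
EXT_CLIENT = "203.0.113.10"
ROUTER = "192.168.0.1"
NPF_HOST = "192.168.0.2"
IRC_SERVER = "192.168.0.3"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def next_hop(dst: str) -> str:
    """Constructed LAN routing: 192.168.0.0/24 is on-link, everything else via the router."""
    return dst if dst.startswith("192.168.0.") else ROUTER

class NatBox:
    """Stateful redirect to IRC_SERVER; optionally also rewrites the source address."""
    def __init__(self, rewrite_source: bool):
        self.rewrite_source = rewrite_source
        self.sessions = {}  # client port -> (client, original dst, original dport)

    def inbound(self, pkt: Packet) -> Packet:
        """Forward leg: rewrite dst (and optionally src), record a session."""
        self.sessions[pkt.sport] = (pkt.src, pkt.dst, pkt.dport)
        src = NPF_HOST if self.rewrite_source else pkt.src
        return Packet(src, pkt.sport, IRC_SERVER, pkt.dport)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Return leg: undo the translation if a session matches, else None."""
        sess = self.sessions.get(pkt.dport)
        if sess is None:
            return None
        client, orig_dst, orig_dport = sess
        return Packet(orig_dst, orig_dport, client, pkt.dport)

def simulate(rewrite_source: bool) -> str:
    box = NatBox(rewrite_source)
    fwd = box.inbound(Packet(EXT_CLIENT, 40000, NPF_HOST, 6667))
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)  # server answers the src it saw
    hop = next_hop(reply.dst)
    if hop != NPF_HOST:
        return "reply routed to %s, bypassing NAT; session times out" % hop
    back = box.reply(reply)
    return "reply delivered to %s from %s" % (back.dst, back.src)
```

Calling `simulate(False)` models the post's destination-only map rule, `simulate(True)` the variant where the source is also rewritten so the reply has to pass back through 192.168.0.2.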