Extremely simple redirect rule doesn't appear to be working
Dillon Kass
lists at loveturtle.net
Sat Jul 11 19:38:10 UTC 2009
It's hard to say exactly what is happening here without more information,
but here is the likely scenario.
What is most likely happening is simple but a little tricky to notice.
Your rdr rule is likely working fine.
For the sake of this example let's just say that
your lan is 192.168.0.0/24
your router is 192.168.0.1
the machine you want to forward to is 192.168.0.2
and your computer is 192.168.0.100
So let's say you have your rdr rule as follows
rdr pass inet proto tcp from any to 209.131.36.158 port 80 -> 192.168.0.2 port 80
This rule is probably working just fine; this is most likely what is
happening.
Your computer is 192.168.0.100 and you send a request to 209.131.36.158,
which is redirected to 192.168.0.2. 192.168.0.2 receives a request with
the source IP of 192.168.0.100 and responds directly to you. This is the
problem.
You send a packet to 209.131.36.158
You get a response from 192.168.0.2; the packet is then dropped because
your computer has no idea why 192.168.0.2 is sending you what would
appear to be random crap.
Install something like trafshow, open it up and attempt to connect
again, and look for two things: look at pfctl -vsr and see if your rule is
being hit, and look at the output of trafshow and see if you're getting
TCP traffic directly from the IP you're forwarding to. If you are, then
this is your problem.
You should be able to use some fancy NAT magic in pf so that the
forwarded packet has a different source address (not from the same
subnet), which will cause your 192.168.0.2 to send its packet back to
the router instead of directly to your 192.168.0.100 LAN machine. On the
way back through the router you can use some more fancy NAT magic to
rewrite the reply's source IP to be 209.131.36.158 instead of 192.168.0.2.
More information about the freebsd-pf
mailing list