Subject: Re: VIA EPIA PD6000E, NetBSD and pf
To: None <current-users@netbsd.org>
From: Teemu Rinta-aho <teemu@rinta-aho.org>
List: tech-kern
Date: 12/27/2004 19:18:52
I have some packet capture logs (libpcap) available for
those who are interested:

http://www.rinta-aho.org/pr-pf/test-network-setup (nw diagram)
http://www.rinta-aho.org/pr-pf/int_if.dump (dump of vr0)
http://www.rinta-aho.org/pr-pf/ext_if.dump (dump of vr1)
http://www.rinta-aho.org/pr-pf/pc1.dump (dump of PC1 on vr1 link)

I first ran "ping -c5 pc1", then "telnet pc1" (those
two seem OK), then "ssh pc1" (which is not OK).

It seems that ssh packets going from PC2 to PC1 bypass NAT,
and any filter rules, but the source MAC address changes,
so the Rhines are at least not short-circuited physically... :-)

Teemu

Teemu Rinta-aho wrote:
> Hi all,
> 
> I have a VIA EPIA PD6000E Mini-ITX board with two ethernets
> (VIA Rhine III & VIA Rhine II). The system is running ipfilter
> happily, but with pf I have found a problem that the system
> is sending *both* the NATed and the original packets out on
> the external interface. I have a filtering rule that should
> block packets with private addresses on the external interface.
> So, the conclusion is that packets are going *both* through
> the kernel *and* hopping directly from the internal ethernet
> interface to another... I have been running tcpdump on both
> interfaces and the result was that I see all the same packets
> on both interfaces, *when* pf is enabled.
> 
> I already posted a NetBSD pr on this. dmesg, configurations etc. can
> be found at:
> 
> http://www.rinta-aho.org/pr-pf/
> 
> I also posted a question to the VIA Arena Forums:
> 
> http://forums.viaarena.com/messageview.cfm?catid=32&threadid=62838&enterthread=y
> 
> 
> Any help is most appreciated. I can do more debugging
> if and when needed.
> 
> Teemu
> 
> P.S. Please cc: my e-mail when replying
> 
>
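The check Teemu did by eye with tcpdump on both interfaces (does a packet with a private source show up on the external link, and does every internal flow have a NATed counterpart outside?) can be automated over captured lines. This is an added example, not code from the thread; the interface names vr0/vr1 come from the post, while the addresses and the tcpdump lines below are constructed.

```python
import ipaddress
import re

# RFC 1918 ranges that must never appear as a *source* on the external link
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the "IP src.port > dst.port:" prefix tcpdump prints for TCP/UDP
LINE_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_line(line):
    """Return (src, sport, dst, dport), or None for lines without ports (e.g. ICMP)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))

def find_leaks(records, ext_if="vr1"):
    """Packets seen on ext_if that still carry an RFC 1918 source, i.e. NAT was bypassed."""
    leaks = []
    for ifname, line in records:
        pkt = parse_line(line)
        if ifname == ext_if and pkt and is_rfc1918(pkt[0]):
            leaks.append(pkt)
    return leaks

def untranslated_flows(records, ext_addr, int_if="vr0", ext_if="vr1"):
    """Internal (dst, dport) flows for which no copy with src == ext_addr was seen on ext_if."""
    outside = set()
    for ifname, line in records:
        pkt = parse_line(line)
        if ifname == ext_if and pkt:
            outside.add((pkt[0], pkt[2], pkt[3]))
    missing = set()
    for ifname, line in records:
        pkt = parse_line(line)
        if ifname == int_if and pkt and is_rfc1918(pkt[0]):
            if (ext_addr, pkt[2], pkt[3]) not in outside:
                missing.add((pkt[2], pkt[3]))
    return sorted(missing)

# Constructed sample: PC2 = 192.168.1.20 behind the router, PC1 = 203.0.113.50, router ext = 203.0.113.2
SAMPLE = [
    ("vr0", "19:18:52.100 IP 192.168.1.20.33000 > 203.0.113.50.23: S 1:1(0) win 65535"),
    ("vr1", "19:18:52.101 IP 203.0.113.2.60000 > 203.0.113.50.23: S 1:1(0) win 65535"),   # telnet, NATed: fine
    ("vr0", "19:18:53.200 IP 192.168.1.20.33001 > 203.0.113.50.22: S 2:2(0) win 65535"),
    ("vr1", "19:18:53.201 IP 192.168.1.20.33001 > 203.0.113.50.22: S 2:2(0) win 65535"),  # ssh copy, left untranslated
]

if __name__ == "__main__":
    print("leaked private sources on vr1:", find_leaks(SAMPLE))
    print("flows without a NATed copy:", untranslated_flows(SAMPLE, "203.0.113.2"))
```

On the constructed sample the ssh flow is reported both as a leaked private source on vr1 and as a flow with no NATed copy, which is exactly the symptom described above; the telnet flow passes both checks.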