Subject: Slow pf NAT
To: None <current-users@netbsd.org>
From: None <setagllib@optusnet.com.au>
List: current-users
Date: 11/07/2004 02:46:10
Now having implemented NetBSD as an internet gateway (which works royally well
besides the following problem), I've come across ipfilter and how it really isn't
that great. The natural step in this case is to try pf.

By some remarkable coincidence security/pflkm appeared in pkgsrc today, so I tried
it. Installed and loaded fine, but regardless of what rules I try (including
default), any NATted operation (i.e. anything happening on my client machines
through the pf gateway) is amazingly slow and likely to fail. DNS lookups can take 5
seconds, page loads for even Google can take longer if they work at all, and so on.
This does not happen from the gateway itself, nor did it happen with ipfilter.

So, thinking it was some friction between pflkm and my running kernel, I cvs'd to
-current and built that with the internal pf - having first removed pflkm. This
behaved in exactly the same way, which is even stranger.

As with my previous problem, I know I must be the only one with this kind of thing
happening, and seek more assistance.

Here is my pf.conf, modulo comments:

ext_if="ex0"
int1="rtk0"
int2="ex1"

scrub in all

nat on $ext_if from !($ext_if) -> ($ext_if:0)

block in
pass out keep state

pass quick on { lo $int1 $int2 }
antispoof quick for { lo $int1 $int2 }

Essentially a modified version of the default. Can anyone spot anything wrong with
that? Usually a problem here would result in nothing working at all, but it does
work, just monstrously slowly and with high failure rate.

Besides that, does anyone know how to NATly redirect a range of ports and from an
unspecified address with ipnat? The following seems logical but doesn't work:

rdr ex0 0/32 port 6891><6900 -> 192.168.1.3 6891><6900

...nor do many modifications. If I add every port separately and force the 0/32
instead to be the interface address, then it works.

Thanks in advance.
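As an added example, not part of the original post, here is the port-range redirect asked about above written once for pf and once for ipnat. The pf form follows pf.conf(5), where `port 6891:6900` is a range and `port 6891:*` maps it 1:1 onto the same range on the inside host; the ipnat form follows ipnat(5), which writes ranges with a dash, and uses `0/0` ("any destination") because `0/32` is the single address 0.0.0.0. The interface names and the inside host 192.168.1.3 come from the post; the rules themselves are assumptions drawn from the manuals, not something the poster confirmed.

```conf
# --- /etc/pf.conf fragment (assumed; merge into the existing file) ---
ext_if="ex0"
lan_host="192.168.1.3"

# Translation rules (nat/rdr) must come before the filter rules.
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $ext_if proto tcp from any to ($ext_if) port 6891:6900 \
    -> $lan_host port 6891:*

block in
pass out keep state
# Filtering happens after translation, so the pass-in rule must match
# the inside address and port range, not the external one.
pass in on $ext_if proto tcp from any to $lan_host port 6891:6900 \
    flags S/SA keep state

# --- /etc/ipnat.conf equivalent (assumed; for ipfilter, not pf) ---
# 0/0 = any destination; 0/32 would match only the address 0.0.0.0.
# The 6891-6900 range is mapped onto the block starting at port 6891,
# so 6891 -> 6891 ... 6900 -> 6900 without one rule per port.
rdr ex0 0/0 port 6891-6900 -> 192.168.1.3 port 6891 tcp
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -s nat` shows the translation rules as parsed and `pfctl -s state` shows the translated sessions (for ipnat, `ipnat -l` lists both); a rule that parsed differently from what was intended, or a missing state entry for a client's connection, is visible there before any packet capture is needed.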