On 2012-06-14, James Chase <ja...@wintercastle.net> wrote:
> I'm just noticing that there is a binat on .217 (the ip that doesn't work)
> and none on .146. Could this be the issue? Let's see. Yup. It was the binat
> that was breaking it. Damn. Makes some sense I guess. Is there a way to do
> this while using the binat?

"binat" as used in old versions of OpenBSD had the slightly unexpected (though *not* undocumented) behaviour that it took priority over all other types of translation rule, regardless of ruleset ordering.

The whole NAT system was replaced in OpenBSD 4.7. The modern replacement using binat-to should work OK in this scenario providing that ftp-proxy's anchor is earlier in the ruleset than the binat-to rule.

You can work around with a combination of "nat...static-port" and "rdr" rules, but by this point in time I strongly recommend getting familiar with the new syntax on a test system (maybe with a copy of http://www.openbsd.org/books.html#book8 handy) with a view to moving the production system across.
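
The ordering described in the reply above, sketched as a pf.conf fragment. This is an added example, not part of the original post and not the poster's ruleset: the macro names, interfaces and addresses are constructed placeholders, the host is assumed to be an FTP client behind the firewall, and ftp-proxy is assumed to listen on its default 127.0.0.1 port 8021 (the `divert-to` form is the one used by current releases).

```pf
# Constructed placeholders, not values from the thread.
ext_if   = "em0"
int_if   = "em1"
int_host = "192.168.1.10"    # internal host that has the 1:1 mapping
ext_addr = "192.0.2.217"     # its dedicated public address

# Pre-4.7 syntax, for comparison only. binat was applied ahead of every
# other translation rule regardless of position, so the nat/rdr rules
# that ftp-proxy loaded into its anchors were never used for $int_host:
#
#   nat-anchor "ftp-proxy/*"
#   rdr-anchor "ftp-proxy/*"
#   binat on $ext_if from $int_host to any -> $ext_addr
#   rdr pass on $int_if proto tcp from any to any port ftp \
#       -> 127.0.0.1 port 8021
#   anchor "ftp-proxy/*"

# 4.7 and later: translation is an action on ordinary rules, so position
# in the ruleset matters. ftp-proxy's anchor comes first ...
anchor "ftp-proxy/*"

# ... followed by the rule that hands FTP control connections to the proxy ...
pass in quick on $int_if inet proto tcp to port ftp \
    divert-to 127.0.0.1 port 8021

# ... and the 1:1 mapping comes after both.
match on $ext_if from $int_host to any binat-to $ext_addr

# Filtering is still needed; kept minimal for this sketch.
block in on $ext_if
pass out
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -a 'ftp-proxy/*' -sr` lists the rules ftp-proxy has inserted while a transfer is in progress.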