The painless way to do this is with webservers on non-routable addresses, NAT and two interfaces. Is that out of the question?

In any case man pf.conf says: "Redirections cannot reflect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself."

> The main difference is I want to do this with a single interface and I
> want to use it as a load balancing solution. Using rdr to redirect
> across a pool of web servers and using nat to translate the source
> addresses so the addresses appear correct in the httpd logs rather
> than having the source address of the interface that redirected the
> traffic. All the IP addresses are on routable networks and the "load

If your rules worked then I think they would achieve the opposite of this. The rdr would match on inbound traffic and the nat would match outbound, ensuring the source address always appeared to be $loadbalancer to the webservers.

I have some half-baked ideas on doing this with a single interface in obsd:

1) NAT load-balancing with a loopback adaptor
2) directed routing with pf.

... but neither is as tidy as a simple NAT load-balancer.

SteveW