> May be a dumb question, but do you have net.inet.ip.forwarding=1 set?

Neither can I believe I had forgotten it, but I think you nailed it. Will test Monday and let you know. Thanks in advance.

-fm

> tcpdump of a successful test connection:
> c.c.c.c = remote test client on internet
> r.r.r.r = firewall external IP
>
> pf# tcpdump -ni vmx1 port 8099 or host 129.128.5.194
> tcpdump: listening on vmx1, link-type EN10MB
> 14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK> [tos 0x20]
> 14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S 3178148684:3178148684(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK> [tos 0x20]
> 14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S 3355699325:3355699325(0) ack 3178148685 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6> (DF) [tos 0x20]
> 14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0) ack 3178148685 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6> [tos 0x20]
> 14:34:09.372450 c.c.c.c.63091 > r.r.r.r.8099: . ack 1 win 1026 [tos 0x20]
> 14:34:09.372461 c.c.c.c.63091 > r.r.r.r.8099: P 1:436(435) ack 1 win 1026 [tos 0x20]
> 14:34:09.372477 r.r.r.r.62530 > 129.128.5.194.80: . ack 1 win 1026 [tos 0x20]
> 14:34:09.372500 r.r.r.r.62530 > 129.128.5.194.80: P 1:436(435) ack 1 win 1026 [tos 0x20]
> 14:34:09.450714 129.128.5.194.80 > r.r.r.r.62530: P 1:197(196) ack 436 win 273 (DF) [tos 0x20]
> 14:34:09.450716 129.128.5.194.80 > r.r.r.r.62530: . 197:1657(1460) ack 436 win 273 (DF) [tos 0x20]
> 14:34:09.450759 r.r.r.r.8099 > c.c.c.c.63091: P 1:197(196) ack 436 win 273 [tos 0x20]
> 14:34:09.450774 r.r.r.r.8099 > c.c.c.c.63091: . 197:1657(1460) ack 436 win 273 [tos 0x20]