[ snip ]
So if I'm on 1.2.3.231 (it's really 10.10.2.231), and attempt to connect to 1.2.3.232, it doesn't work. The packets get all the way out to fxp0 on the OpenBSD box but then they don't come back. They just drop on the floor. I need these to come back, as the live case will be 1 set of machines behind a load balancer attempting to connect to another set of machines behind a load balancer, and they're all in this binat configuration. So this needs to work for me to drop this in place.
This is essentially the "redirection and reflection" (http://www.openbsd.org/faq/pf/rdr.html#reflect) problem that people run into. The cleanest solution is to have the internal machines use only their internal addresses to communicate. However, if you can stand traffic between internal machines looping through the firewall, there is some trickery you can do with redirection and nat to do what you want (http://www.openbsd.org/faq/pf/rdr.html#rdrnat).
.joel
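As an added illustration of the rdr-plus-nat trick from the FAQ (not a config from either poster), here is what that looks like in pre-4.7 pf.conf syntax, which is the syntax the linked FAQ pages use. The addresses and fxp0 come from the thread; the internal interface name fxp1, the 10.10.2.0/24 internal network and the TCP-only scope are assumptions.

```pf
# Added example, not from the original thread. Old (pre-OpenBSD 4.7) pf syntax.
ext_if  = "fxp0"            # external interface (from the thread)
int_if  = "fxp1"            # internal interface (assumed name)
int_net = "10.10.2.0/24"    # internal network (assumed)

# 1:1 mapping of each internal host to its public address, as in the thread.
binat on $ext_if from 10.10.2.231 to any -> 1.2.3.231
binat on $ext_if from 10.10.2.232 to any -> 1.2.3.232

# Problem case: an internal host talks to the *public* address 1.2.3.232.
# binat alone rewrites the destination, but the reply from 10.10.2.232 then
# goes straight back across the internal LAN and never passes the firewall,
# so the client sees a reply from an address it never contacted and drops it.

# Reflection fix from the FAQ: redirect the public address on the inside ...
rdr on $int_if proto tcp from $int_net to 1.2.3.232 -> 10.10.2.232

# ... and do not NAT the firewall's own internal-side traffic ...
no nat on $int_if proto tcp from $int_if to $int_net

# ... but NAT internal clients hitting the real server to the firewall's
# internal address, so the server's reply is forced back through the firewall.
nat on $int_if proto tcp from $int_net to 10.10.2.232 -> $int_if

# Filter rules still have to allow the redirected flow on both interfaces;
# these are deliberately permissive for the example only.
pass in  quick on $int_if proto tcp from $int_net to 10.10.2.232 keep state
pass out quick on $int_if proto tcp from $int_if to 10.10.2.232 keep state
```

Load-test the file with `pfctl -nf /etc/pf.conf` before applying it; the cost of this trick is that every 1.2.3.232-bound connection between internal hosts now traverses the firewall twice.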
