3.0 current, pf and browsing
Hello everyone,
I am using 3.0 current as a firewall machine; the internal
interface has some static routes set as follows that redirect packets over
a VPN to the corporate network.
Internet:
Destination    Gateway           Flags
default        193.129.220.30    UG
10.1.0.0       10.36.1.254       UG
10.10.0.0      10.36.1.254       UG
10.12.0.0      10.36.1.254       UG
10.19.0.0      10.36.1.254       UG
10.27.0.0      10.36.1.254       UG
If a local user wishes to reach a machine on the 10.1, 10.10, 10.12, 10.19
or 10.27 networks, packets are routed to the 10.36.1.254 machine, which is a
Nortel II400 connected to a Nortel Contivity box at corporate
headquarters. These packets go in and out the same NIC! Everything works
fine except I can't browse directories on Windows machines in any of these
networks. Local browsing on the 10.36 network works fine. I have replaced
the pf rule set on the firewall machine with "pass out all, pass in all" and
still the problem persists.
Packets destined for these networks are not actually going through this
firewall machine, they go to the internal network interface and are sent
back out to 10.36.1.254. I can ping machines in these networks and
traceroute to them but I can't browse directories on these machines. If I
turn off the packet filter with 'pfctl -d' then browsing works and I can
see the contents of these directories, but of course machines using the
route through the firewall and NAT don't get through. Has anyone seen this
before? What is happening to the packets that are being re-directed? This
machine is to replace a 2.9 box with ipf which worked fine in exactly this
configuration. Any help would be most appreciated.
Regards John.
John Gould - Systems Engineer
Power Innovations Limited
Tel: +44 1234 223002 email: johng@powinv.co.uk
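An added illustration of the "in and out the same NIC" situation described in the post above (example code written for this page, not John's configuration or anything from the pf or OpenBSD projects): it parses the quoted routing table, works out which next hops are reachable through an internal interface, and builds a tcpdump filter so only the hairpinned traffic is watched on pflog0. The interface names (fxp0/fxp1), their addresses and the /16 mask for the corporate networks are assumptions; the post gives none of them.

```python
import ipaddress

# Constructed sample input: the routing table quoted in the post, netstat -rn style.
ROUTES = """\
Destination Gateway Flags
default 193.129.220.30 UG
10.1.0.0 10.36.1.254 UG
10.10.0.0 10.36.1.254 UG
10.12.0.0 10.36.1.254 UG
10.19.0.0 10.36.1.254 UG
10.27.0.0 10.36.1.254 UG
"""

# Assumed interface addressing (hypothetical: the post names neither the
# interfaces nor their masks). The internal side is taken to be a 10.36/16 LAN.
INTERFACES = {
    "fxp0": ipaddress.ip_interface("193.129.220.29/24"),  # external, hypothetical
    "fxp1": ipaddress.ip_interface("10.36.1.1/16"),       # internal, hypothetical
}
INTERNAL_IFACES = {"fxp1"}

# netstat prints these entries without a mask; the post calls them "the 10.1,
# 10.10, ... networks", so a /16 is assumed for each of them.
ASSUMED_PREFIXLEN = 16


def parse_routes(text):
    """Return (destination, gateway, flags) tuples from netstat -rn style text.
    'default' stays a string; other destinations become ip_network objects."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] in ("Destination", "Internet:"):
            continue
        dest, gw, flags = parts[0], ipaddress.ip_address(parts[1]), parts[2]
        if dest != "default":
            dest = ipaddress.ip_network(f"{dest}/{ASSUMED_PREFIXLEN}")
        rows.append((dest, gw, flags))
    return rows


def egress_interface(gw):
    """Name of the directly connected interface that reaches this next hop."""
    for name, iface in INTERFACES.items():
        if gw in iface.network:
            return name
    return None


def hairpin_routes(routes):
    """Routes whose next hop sits on an internal interface: a LAN host's packet
    to that destination enters and leaves the firewall on the same NIC, so the
    'in' and the 'out' rule evaluation in pf both happen on that one interface."""
    return [(str(dest), str(gw), egress_interface(gw))
            for dest, gw, _ in routes
            if egress_interface(gw) in INTERNAL_IFACES]


def pflog_filter(routes):
    """tcpdump filter expression that selects only the hairpinned destinations,
    for use as: tcpdump -n -e -ttt -i pflog0 '<expression>'."""
    nets = " or ".join(f"net {dest}" for dest, _, _ in hairpin_routes(routes))
    return f"({nets})" if nets else ""


if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for dest, gw, name in hairpin_routes(table):
        print(f"{dest:<16} via {gw:<14} in and out {name}")
    print("pflog0 filter:", pflog_filter(table))
```

With the assumed addressing the five corporate routes are reported as hairpinning on fxp1 while the default route leaves via fxp0; the filter expression narrows a pflog0 capture to exactly those destinations, which is the traffic to compare against `pfctl -s state` when deciding whether the filter or the VPN box is dropping the browsing traffic.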