I was running an OpenBSD PF firewall here at my office for several months, replacing a Cisco PIX with something I felt more comfortable with. The only issues I had with it, were that 1) AOL Instant Messenger stopped working, even after I opened the proper ports, and 2) Optimum Online’s Web Mail ceased to work (it would immediately log a user out upon login. These issues were very minor, and so I left it alone. Eventually the cause of these 2 issues lead to a similar problem, this time with software made by ACT called Work Keys. The Work Keys help desk insisted that the problem was being caused by caching (i.e. a proxy server). I insisted that I had no proxy server. I had no caching enabled anywhere… so what was the problem? Well thanks to this email I figured it out! It has to do with NAT address pools.