Solved RDR from VPN into a Jail

Hello :)

Well - first maybe the setup. I'm running several Jails, each listening on its own "lo" interface.

ifconfig_lo1="inet netmask"

Inside this Jail a specific service is running, e.g. MySQL. The plain communication inside the Jail works, also connecting from other Jails.
Now there's a VPN through a dedicated GIF interface - which works as well.

ifconfig_gif0="inet netmask tunnel"

Using pf with RDRs I can - as example - connect from the outside to the service running inside the Jail (em0 is the external interface).

rdr on em0 inet proto { tcp udp } from any to em0 port 3306 -> port 3306

The problem is how I can connect from the other side of the VPN ( to - in this example - MySQL running at /

Running a simple proxy service that listens on the internal side of the VPN and redirects works without any problems, but this still leaves the problem that client IPs are messed up.

I've been trying something simple like:

rdr on gif0 inet proto { tcp udp } from any to any port 3306 -> port 3306

Without any success, trying to run "telnet 3306".

Anything I've overlooked maybe, or is this even possible at all?
Why don't you simply fix the routing and use a different subnet for lo1? That way you don't have to muck about with NAT.
Yip - a quick test @ the local environment did work well. Now time to get it on the more production-like systems
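Worked configuration for the routed approach suggested in the reply (separate subnet on lo1, plain routing over gif0, rdr kept only on em0), added here as an example and not taken from the thread. All addresses are constructed, since the original post's values did not survive: 10.10.0.0/24 for lo1, 10.20.0.0/30 on the tunnel, 10.30.0.0/24 as the remote VPN LAN, and RFC 5737 addresses as the outer tunnel endpoints.

```conf
# --- /etc/rc.conf (constructed values) ---
cloned_interfaces="lo1 gif0"

# Jail loopback on its own subnet, not a copy of lo0: 10.10.0.0/24.
ifconfig_lo1="inet 10.10.0.1 netmask 255.255.255.0"
# MySQL jail address (or let jail.conf add it: ip4.addr = "lo1|10.10.0.2";)
ifconfig_lo1_alias0="inet 10.10.0.2 netmask 255.255.255.255"

# GIF tunnel: inner 10.20.0.1 <-> 10.20.0.2, outer endpoints are placeholders.
ifconfig_gif0="inet 10.20.0.1 10.20.0.2 netmask 255.255.255.252 tunnel 198.51.100.10 203.0.113.20"

# Return route for the remote VPN LAN through the tunnel peer; the peer needs
# the mirror image (route add -net 10.10.0.0/24 10.20.0.1) so that the jail
# subnet is reachable from its side without any NAT.
static_routes="vpnlan"
route_vpnlan="-net 10.30.0.0/24 10.20.0.2"

# --- /etc/pf.conf (constructed values) ---
ext_if     = "em0"
vpn_if     = "gif0"
vpn_lan    = "10.30.0.0/24"
mysql_jail = "10.10.0.2"

# External clients still need the rdr: 10.10.0.2 is not reachable from the Internet.
rdr on $ext_if inet proto { tcp udp } from any to $ext_if port 3306 -> $mysql_jail port 3306

# VPN clients are routed, not redirected: no rdr on gif0, so MySQL sees and logs
# the real client source address instead of a translated one.
pass in quick on $vpn_if inet proto tcp from $vpn_lan to $mysql_jail port 3306 keep state
pass in quick on $ext_if inet proto tcp from any     to $mysql_jail port 3306 keep state
```

After `service netif restart` and `pfctl -f /etc/pf.conf`, `pfctl -s state` should show VPN connections with a 10.30.0.x source and no translated address, while em0 connections still show the rdr translation.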