#2, 1st December 2008
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,983

The reason you're having trouble is you are confused about NAT. As you probably know already, NAT allows your entire private network to share a single IP address. So, your first failing rule:
Quote:
    pass out log (all to pflog1) on $int_if proto tcp from <data> to <network>
fails because there are no packets from <data> to <network>. There never will be. Think about it. Your <data> users do not route packets to IP addresses on <network>. Not directly. They can't. 192.168/16 and the other RFC1918 addresses are not routable on the internet anyway, since they are designed for private networks only.

With NAT, state table tracking is used to keep sessions open when they are originated from within your local network, destined outward. You don't show any rules for that, but if you had them, that is how outbound-originating traffic is managed. Since pass all is the default (well, it is in the OpenBSD implementation of PF, it probably is in FreeBSD) then these are handled by that default rule. "keep state" has been the default for some time, and I assume that's the case with FreeBSD's PF implementation, as you have mentioned success with outbound traffic.

For inbound traffic that needs to reach a server on the internal network, and if a state does not already exist, your NAT router must know about the service and the server. This is commonly done via port forwarding (the "rdr" rules).

Last edited by jggimi; 1st December 2008 at 06:48 PM.
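The NAT, state-tracking and "rdr" port-forwarding arrangement the reply describes, written out as a pf.conf fragment. This is an added example, not configuration posted by jggimi or taken from the original thread; it uses the pre-OpenBSD 4.7 "nat"/"rdr" syntax that FreeBSD's PF still used in 2008, and the interface names, the 192.168.1.0/24 internal subnet and the 192.168.1.10 web server are assumed values chosen for illustration.

```pf
# Added example (assumed values): NAT router with one internal web server.
ext_if = "em0"
int_if = "em1"
web_server = "192.168.1.10"

# Outbound: rewrite the private source address to the router's external
# address. PF creates a state entry for each translated session, so the
# return packets are matched to the state and translated back; no
# "pass in" rule for the replies is needed.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Inbound: packets arrive addressed to the external IP, not to the private
# host, so PF must be told which internal server owns the service. The rdr
# rule rewrites the destination before the filter rules are evaluated.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_server port 80

# Filter rules see the post-translation address, so the inbound pass rule
# names the internal server, not the external interface address.
pass in on $ext_if proto tcp from any to $web_server port 80 flags S/SA keep state

# Outbound sessions originating inside: "keep state" is the default on
# modern PF, but it is spelled out here so the state-table behaviour that
# makes NAT work is explicit rather than inherited from the default rule.
pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass out on $ext_if proto { udp, icmp } from any to any keep state
```

Two points follow directly from the fragment: a filter rule written "from <data> to <network>" can never match on a NAT router because the internal hosts address their packets to public destinations, and the "rdr" rule is what makes an unsolicited inbound connection reach the internal server when no state exists yet. "pfctl -nf /etc/pf.conf" checks the file for syntax errors without loading it, and "pfctl -ss" shows the state entries that the translated sessions create.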