Thanks BSDfan. I feel sheepish.
Birdmansdomain: I have just recreated your environment, with your pf.conf as posted above.
It works fine.
TCP traffic from the outside destined for port 80 gets properly routed to the server, and responses get properly routed back.
My test configuration:
Workstation --- Router ---- Server
All three were running 4.5-release. (-current has changes to PF affecting scrub and require-order).
Your pf.conf was used verbatim, except for changing the NICs.
---------------------------
Server:
/etc/hostname.ne3 contained "inet 192.168.0.10/24"
/etc/mygate contained "192.168.0.1"
# nc -l 80
Router:
/etc/hostname.ne3 contained "inet 10.0.0.1/24"
/etc/hostname.ne4 contained "inet 192.168.0.1/24"
/etc/sysctl.conf contained "net.inet.ip.forwarding=1"
An empty /etc/ssh-violate was created with touch(1)
Your pf.conf was enabled, with the following changes: ext_if="ne3", int_if="ne4", wifi_if="ne5"
Workstation:
/etc/hostname.ne3 contained "inet 10.0.0.2/24"
# nc 10.0.0.1 80
Two-way TCP communication was established and confirmed between nc applets on the workstation and server, through the router.
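The nc listener/client pair above only tells you "it worked" or hangs. The following is an added example (not part of the original thread, and not the poster's code) that scripts the same check and distinguishes the failure modes a PF redirect can have: no handshake at all (forwarding or routing broken), connection refused (no rdr match, nothing listening on the server), or connected but no reply (the return path through the router is broken). `start_echo_server` plays the role of `nc -l 80` on the server and `check_two_way_tcp` plays the role of `nc 10.0.0.1 80` on the workstation; the self-check at the bottom runs both on the loopback interface, which is an assumption made so the example runs stand-alone. The probe string and the verdict labels are constructed for this example.

```python
import socket
import threading

# Token the "workstation" sends and the "server" echoes back. Getting it back
# proves the reverse path (server -> router -> workstation) works, not only the
# forward path. Constructed value for this example.
PROBE = b"pf-rdr-probe\n"


def start_echo_server(bind_host="127.0.0.1", bind_port=0):
    """Stand-in for `nc -l 80` on the server: accept one connection, echo the
    bytes received back to the client, then close.
    Returns (port, thread); port 0 asks the OS for an ephemeral port so the
    local self-check does not need root for port 80 (assumption of this example)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, bind_port))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        srv.settimeout(5)
        try:
            conn, _ = srv.accept()
        except OSError:  # nobody connected within the timeout
            srv.close()
            return
        with conn:
            conn.sendall(conn.recv(1024))
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def check_two_way_tcp(host, port, timeout=2.0):
    """Stand-in for `nc 10.0.0.1 80` on the workstation: connect to the router's
    external address, send PROBE and require the same bytes back.
    Verdicts:
      'ok'          handshake, send and reply all worked (rdr and reply path fine)
      'refused'     a host answered with RST: no rdr match or nothing listening
      'no-reply'    connected and sent, but nothing came back (return path broken)
      'unreachable' no TCP handshake at all (forwarding or routing problem)
    """
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, no route to host, network unreachable, ...
        return "unreachable"
    buf = b""
    with s:
        try:
            s.sendall(PROBE)
            while len(buf) < len(PROBE):
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except OSError:  # recv timed out or the connection was reset
            return "no-reply"
    return "ok" if buf == PROBE else "no-reply"


if __name__ == "__main__":
    # Local self-check. On the topology from the post you would run
    # start_echo_server("192.168.0.10", 80) on the server and call
    # check_two_way_tcp("10.0.0.1", 80) from the workstation.
    port, t = start_echo_server()
    print(check_two_way_tcp("127.0.0.1", port))
    t.join()
```

On the real topology, run the server side on the inside host and the check from the outside host against the router's external address; an `unreachable` verdict points at net.inet.ip.forwarding or the pass rules, while `no-reply` with a working handshake usually means the server's default route does not go back through the router.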