Though this is but a pair of excerpts from your configuration -- thank you.
One thing to note, if you use match rules to apply options like nat-to, the match rules need to appear
before any applicable block or pass rules. And then, with any subsequent matching rule, the prior match settings will also apply, so that a nat-to option need only be used once. From your excerpt, it appears the match rules were thrown in without that understanding.
Additionally, you are using standard NAT translation on your inward network, and that is causing the issue with external addresses being translated. Specifically, this line, the last in the configuration, is the root cause of the problem:
Code:
pass in log on $ext_if from $screen_pub_ip:0 nat-to $localscreen
Other than that, I note that you are combining bidirectional NAT and standard NAT for the same platforms. There is no need. And, the rules are out of order, as your binat-to rules appear before your general nat-to.
Remember: the last matching rule applies.
I've never used bidirectional NAT myself, but I have done some light reading on the subject. When bidirectional NAT is combined with standard NAT, it is possible to misconfigure. Michael Lucas, in his second edition of Absolute OpenBSD, recommends these sort of rules shown below for combining your main NAT with bidirectional NAT. I've adapted his recommended rules to the macros and redacted addresses you used in your configuration excerpt.
Note that Michael uses pass, rather than match, because he does not have multiple followon rules that require the nat-to option. (That's the value of match. Use it once to set an option that you would otherwise have to apply to multiple rules.)
But with a match for nat-to and then a subsequent pass, or with a pass that includes nat-to, the order of rules is critical. The last matching rule applies.
Code:
main_ext_ip = "a.b.c.d.66"
screen_pub_ip = "a.b.c.d.101"
localscreen = "192.168.0.221"
int_if = "em1"
pass out log on egress from $int_if:network to any nat-to $main_ext_ip
pass on $int_if from $localscreen to any binat-to $screen_pub_ip
The first rule applies the general translation, the subsequent rule applies the specific translation. Michael writes that these rules produce unambigous address translations. Only the one specific server uses the dedicated external address, and all other hosts use the main address.