Old 6th January 2009
robbak
Real Name: Robert Backhaus
VPN Cryptographer
Join Date: May 2008
Location: North Queensland, Australia
Posts: 366

You cannot do this without multiple IP addresses. Think about it - You have one IP address, so any incoming packets will come to that address. How will your firewall know what machine in the DMZ to send this packet to? And how would a remote machine indicate that it wanted the packet sent to a particular machine?

Well the answer is, of course, using ports. Each system offers a service on one or more ports, and the firewall uses rdr rules to redirect matching packets to that machine. rdr rules can also redirect to different ports - for instance, say you have 5 machines that you need to ssh to. Consider these rdr rules:
Code:
# one external port per DMZ host, all landing on that host's sshd (port 22)
rdr on $ext_if from any to ($ext_if) port 1022 -> 192.168.1.101 port 22
rdr on $ext_if from any to ($ext_if) port 2022 -> 192.168.1.102 port 22
rdr on $ext_if from any to ($ext_if) port 3022 -> 192.168.1.103 port 22
rdr on $ext_if from any to ($ext_if) port 4022 -> 192.168.1.104 port 22
rdr on $ext_if from any to ($ext_if) port 5022 -> 192.168.1.105 port 22
Edit: I thought that it might be useful to translate that rule from pf to English. It goes like this:
"Redirect packets arriving on interface $ext_if with the to address set to the current address of $ext_if and the port set to 1022, by changing their address to '192.168.1.101' and changing the port number to '22'."

So a remote user can access ssh on machine ..105 with ssh -p 5022 [your one external ip address]. (Just noted: the port numbers can be specified in the config file!)
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.

Last edited by robbak; 9th January 2009 at 11:25 AM.
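The rdr rules above only rewrite the destination; on pf of that era (OpenBSD before 4.7) translation happens before filtering, so the packet still has to be passed by a filter rule that matches the translated destination. The following pf.conf fragment is an added example and is not robbak's configuration: the interface names em0/em1, the single external address and the 192.168.1.0/24 DMZ are assumptions, and the host list is constructed for illustration.

```pf
# Added example (not from the original post): complete rdr + filter set
# for the "one public IP, five DMZ ssh hosts" case. Pre-4.7 rdr syntax.
ext_if = "em0"                          # assumption: external interface
dmz_if = "em1"                          # assumption: DMZ-facing interface
dmz_ssh_hosts = "{ 192.168.1.101, 192.168.1.102, 192.168.1.103, \
                   192.168.1.104, 192.168.1.105 }"

# Translation: each external port maps to exactly one DMZ host's sshd.
# ($ext_if) in parentheses tracks the interface's current address, so a
# dynamic WAN address does not break the rules. proto tcp keeps UDP out.
rdr on $ext_if proto tcp from any to ($ext_if) port 1022 -> 192.168.1.101 port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 2022 -> 192.168.1.102 port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 3022 -> 192.168.1.103 port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 4022 -> 192.168.1.104 port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 5022 -> 192.168.1.105 port 22

# Default deny on the outside.
block in on $ext_if

# Filtering sees the packet AFTER rdr, so the pass rule matches the
# translated destination (DMZ host, port 22), not the external port.
# Only SYN packets create state; everything else rides the state entry.
pass in on $ext_if proto tcp from any to $dmz_ssh_hosts port 22 \
    flags S/SA keep state

# Let the forwarded connection leave towards the DMZ.
pass out on $dmz_if proto tcp from any to $dmz_ssh_hosts port 22 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -s nat` afterwards shows the rdr rules as pf actually parsed them. On the client side, `ssh -p 5022 user@<external address>` reaches the fifth host, or a `Host` stanza in `~/.ssh/config` with `HostName` set to the external address and `Port 5022` lets plain `ssh <alias>` do the same. On OpenBSD 4.7 and later the separate rdr section is gone and the translation is written on the filter rule itself, e.g. `pass in on $ext_if proto tcp to ($ext_if) port 1022 rdr-to 192.168.1.101 port 22`. Note that shifting ports is a multiplexing trick, not a protection: each of the five sshd instances is still directly reachable from the Internet and needs the same hardening it would need on port 22.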