NAT with PF on an interface with multiple IP addresses

In my previous blog post Setting up jails with multiple IPs and providing it with internet access I suggested the following PF configuration:

ext_if="em0"
jail_if="bridge0"

# Set some options
set optimization aggressive
set block-policy drop
set skip on lo

# NAT on the external interface when coming from the jail interface
nat on $ext_if from $jail_if:network:0 to any -> ($ext_if)

# We just pass everything
pass quick all

That ruleset does NAT from the jail interface (either bridge0 or lo1, which is what I am using now). The ($ext_if) syntax tells PF to look at the interface itself to find out which IP address it should translate to. This works wonderfully when the address is assigned by DHCP and there is only a single address. The thing is that on a new server I've got there are two lagg interfaces (one internal, one external), and the external lagg interface has two IP addresses assigned to it. PF in FreeBSD 8.2 apparently does the wrong thing and causes all kinds of issues with FTP connections when an interface has two IP addresses, so instead of using ($ext_if), just put in the main IP address:

ext_if="lagg1"
int_if="lagg0"
jail_if="lo1"

set optimization aggressive
set block-policy drop
set skip on lo

# Jail traffic for the internal network leaves via the internal interface
nat on $int_if from $jail_if:network:0 to 10.0.0.0/8 -> ($int_if)

# Everything else is translated to the main external address; a fixed
# address is used here instead of ($ext_if) because lagg1 carries two IPs
nat on $ext_if from $jail_if:network:0 to any -> 192.168.99.3

pass quick all
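As an added example (not from the original post), here is a small Python check for exactly this pitfall: it walks a pf.conf, resolves the macros, and reports every nat rule whose -> ($if) target names an interface that carries more than one address, then shows the rule rewritten with that interface's first address the way the ruleset above does by hand. The pf.conf text and the interface-to-address map are constructed sample data, not read from a live system.

```python
import re

# Constructed pf.conf, modelled on the ruleset above but still using ($ext_if).
PF_CONF = """
ext_if="lagg1"
int_if="lagg0"
jail_if="lo1"
nat on $int_if from $jail_if:network:0 to 10.0.0.0/8 -> ($int_if)
nat on $ext_if from $jail_if:network:0 to any -> ($ext_if)
"""

# Constructed interface -> IPv4 addresses, as ifconfig would report them.
IFACE_ADDRS = {
    "lagg0": ["10.0.0.2"],
    "lagg1": ["192.168.99.3", "192.168.99.4"],
}

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
# nat rules whose translation target is a dynamic interface, i.e. "-> ($if)"
NAT_RE = re.compile(r'^\s*nat\s+on\s+(\S+)\s+.*->\s+\(\s*(\S+?)\s*\)\s*$')


def expand(token, macros):
    """Resolve a $macro reference to its value; anything else passes through."""
    return macros.get(token[1:], token) if token.startswith("$") else token


def find_ambiguous_nat(conf, addrs):
    """Return (interface, rule) pairs where -> ($if) points at an interface
    with more than one address, so PF may not translate to the one intended."""
    macros, findings = {}, []
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        n = NAT_RE.match(line.split("#", 1)[0])   # ignore trailing comments
        if not n:
            continue
        target = expand(n.group(2), macros)
        if len(addrs.get(target, [])) > 1:
            findings.append((target, line.strip()))
    return findings


def fixed_rule(rule, iface, addrs):
    """Replace the dynamic ($if) target with the interface's first (main) address."""
    return re.sub(r'\(\s*\S+?\s*\)\s*$', addrs[iface][0], rule)


if __name__ == "__main__":
    for iface, rule in find_ambiguous_nat(PF_CONF, IFACE_ADDRS):
        print(f"{iface} has {len(IFACE_ADDRS[iface])} addresses:\n  {rule}")
        print(f"  suggested: {fixed_rule(rule, iface, IFACE_ADDRS)}")
```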