Q: NAT from KB/ht5215 broken in ML 10.8.2?
We've been using NAT with Lion Server and ML Server as described in the KB article, but this config has broken on one of our servers with the 10.8.2 / Server 2.1 (and 2.1.1) update. Basically, the pfctl launch daemon won't load (exited with code: 1). Has anyone else seen this in their setups? Better yet, has anyone found a solution to this problem?
Here's a bit of diagnostics with pfctl:
bash-3.2# pfctl -vvv -s info
No ALTQ support in kernel
ALTQ related functions disabled
Status: Disabled                              Debug: Urgent
Hostid:   0xc1eda31d
Checksum: 0x00000000000000000000000000000000

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  dummynet                               0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      0            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s
bash-3.2# pfctl -v -n -f /etc/pf.conf
scrub-anchor "/*" all fragment reassemble
nat-anchor "/*" all
rdr-anchor "/*" all
anchor "/*" all
dummynet-anchor "/*" all
Loading anchor com.apple from /etc/pf.anchors/com.apple
scrub-anchor "/*" all fragment reassemble
nat-anchor "/*" all
rdr-anchor "/*" all
anchor "/*" all
anchor "/*" all
anchor "/*" all
anchor "/*" all
Loading anchor com.apple/100.NATRules from /etc/pf.anchors/NATRules
nat on en0 inet from 192.168.42.0/23 to any -> (en0) round-robin
pass on lo0 inet6 from fe80::1 to any flags S/SA keep state
pass inet6 from ::1 to any flags S/SA keep state
pass inet from 127.0.0.1 to any flags S/SA keep state
pass inet from 192.168.42.0/23 to any flags S/SA keep state
Loading anchor com.apple/400.AdaptiveFirewall/ from /Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall
table <blockedHosts> persist file "/var/db/af/blockedHosts"
block drop in quick from <blockedHosts> to any
launchctl doesn't throw an error when you unload and then reload /System/Library/LaunchDaemons/com.apple.pfctl.plist, but it does write an error to syslog:
Sep 27 13:50:37 localhost com.apple.launchd[1] (com.apple.pfctl[47]): Exited with code: 1
Any ideas? This was working with 10.8.1 but broke with 10.8.2 and Server.app 2.1.x.
Thanks,
Miles
Posted on Sep 27, 2012 6:46 PM
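The diagnostics in the post are three separate commands whose output has to be read by eye. The script below is an added example, not part of the original post or of Apple's KB article: it turns those diagnostics into one repeatable check that parses `pfctl -s info` for the Status line, parses the dry-run `pfctl -v -n -f /etc/pf.conf` output for the expected `nat on en0 inet from 192.168.42.0/23` rule and counts the anchors pfctl pulled in, and, on a macOS host where it runs as root, also asks launchd what it recorded for the com.apple.pfctl job. The interface (en0), the network (192.168.42.0/23) and the sample output it falls back to are taken from the post; the variable names, the function names and the `launchctl list` wait-status note are assumptions made for this example.

```shell
#!/bin/sh
# pf_nat_check.sh: added example, not from the original post or the KB article.
# Checks three things the post inspects by hand:
#   1. is pf enabled?                         (pfctl -s info)
#   2. does the NAT rule parse and load?      (pfctl -v -n -f /etc/pf.conf)
#   3. what did launchd record for the job?   (launchctl list com.apple.pfctl)
# PF_IFACE / PF_NET default to the values in the post; PF_CONF to /etc/pf.conf.

PF_CONF="${PF_CONF:-/etc/pf.conf}"
PF_IFACE="${PF_IFACE:-en0}"
PF_NET="${PF_NET:-192.168.42.0/23}"

# Constructed sample input, copied from the output quoted in the post, so the
# parsing functions can be exercised on a machine without pfctl.
SAMPLE_INFO='No ALTQ support in kernel
ALTQ related functions disabled
Status: Disabled                              Debug: Urgent
Hostid:   0xc1eda31d'
SAMPLE_RULES='Loading anchor com.apple from /etc/pf.anchors/com.apple
Loading anchor com.apple/100.NATRules from /etc/pf.anchors/NATRules
nat on en0 inet from 192.168.42.0/23 to any -> (en0) round-robin
pass inet from 192.168.42.0/23 to any flags S/SA keep state
Loading anchor com.apple/400.AdaptiveFirewall/ from /Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall'

# pf_status: reads `pfctl -s info` output on stdin and prints the first word of
# the Status line, i.e. "Disabled" or "Enabled" (an enabled pf prints
# "Status: Enabled for 0 days 00:05:12   Debug: Urgent").
pf_status() {
    sed -n 's/^Status: *\([A-Za-z]*\).*/\1/p' | head -n 1
}

# nat_rule_loaded IFACE NET: reads `pfctl -v -n -f` output on stdin and succeeds
# only if a "nat on IFACE inet from NET to any" rule is in the parsed ruleset.
# Dots in the CIDR are escaped so they match literally in grep's regex.
nat_rule_loaded() {
    net_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -q "^nat on $1 inet from $net_re to any "
}

# count_anchors: reads `pfctl -v -n -f` output on stdin and prints how many
# anchor files pfctl loaded. A silently skipped anchor shows up as a lower count.
count_anchors() {
    grep -c '^Loading anchor '
}

# report: runs the three checks on whatever info/rules text is passed in.
#   $1 = `pfctl -s info` text, $2 = `pfctl -v -n -f` text
report() {
    echo "pf status: $(printf '%s\n' "$1" | pf_status)"
    echo "anchors loaded: $(printf '%s\n' "$2" | count_anchors)"
    if printf '%s\n' "$2" | nat_rule_loaded "$PF_IFACE" "$PF_NET"; then
        echo "nat rule for $PF_NET on $PF_IFACE: present"
    else
        echo "nat rule for $PF_NET on $PF_IFACE: MISSING" >&2
    fi
}

# check_live: the real thing on a macOS host (pfctl needs root).
# Assumption: on 10.8 `launchctl list <label>` reports LastExitStatus as the raw
# wait status, so the post's "Exited with code: 1" would read as 256.
check_live() {
    report "$(pfctl -s info 2>&1)" "$(pfctl -v -n -f "$PF_CONF" 2>&1)"
    launchctl list com.apple.pfctl 2>/dev/null | grep -E 'LastExitStatus|"PID"' || true
}

if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    check_live
else
    echo "pfctl not available or not root; checking the sample output from the post"
    report "$SAMPLE_INFO" "$SAMPLE_RULES"
fi
```

Run it as root on the affected server to get the live result; anywhere else it falls back to the quoted sample, where pf reports Disabled while the dry-run parse still contains the NAT rule, which is the mismatch the post describes (the ruleset parses, but the launch daemon that is supposed to enable pf exited with code 1).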