Re: Very limited port redirection setup with pf not working

Some more info: It appears that the port-redirected packets from the
OpenBSD box never reach the webserver in the first place, although the
OpenBSD box can generally reach the web server! Puzzles me.
Client IP: 10.4.10.234
OpenBSD receiving if (to client): 10.4.10.142
OpenBSD if for redirection to webserver: 10.4.12.237 (xl2)
Webserver if: 10.4.12.235
Connecting from the client to port 80 of the openbsd box gets
redirected to port 80 on webserver fine:
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG
10:45:30.690277 10.4.12.234.4399 > 10.4.10.235.80: [|tcp] (DF)
and on the interface itself (a different tcpdump run, that's why the
high port differs):
tcpdump: listening on xl2, link-type EN10MB
10:38:16.914070 10.4.12.234.4388 > 10.4.10.235.80: S
2959675908:2959675908(0) wi
but on the web server, the command
tcpdump -i eth0 -l -n | grep 10.4.10.23 | grep -v ssh
which should show an incoming connection from 10.4.10.234 that isn't
ssh, shows me nothing incoming at the same time, and that despite being
able to reach
10.4.12.235:80
from the OpenBSD box with lynx or with telnet to port 80.
I am totally puzzled by this.
I am wondering now: I could simplify my setup even more and get rid of
the different subnet masks by using just one network card in the
OpenBSD box; maybe that solves the problem? But is it possible to use
just one network card for port redirection? Like saying in pf.conf
"everything coming in on xl0 on port 80, redirect this to another
machine in the same subnet's port 80 via the same interface"?
In that case, I could have one card only, as 10.4.xxx.xxx/16, that can
reach all machines at once.
Or do I need two network cards and/or two different target subnets for
port redirection to work?
Many thanks
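The single-interface ("one-armed") redirection the poster asks about is possible, but it needs more than a bare rdr rule. The fragment below is an example pf.conf added here by the editor; it is not the poster's configuration, which the thread never shows. It is written in the rdr/nat syntax of pf releases from the era of this thread (before OpenBSD 4.7, where the same is expressed with match ... rdr-to / nat-to). It assumes the OpenBSD box has only xl0 on the /16 and reuses the addresses from the post (web server 10.4.12.235, clients in 10.4.0.0/16); the macro names int_if, int_net and web_srv are chosen here.

```pf
# Added example, not from the original post: port redirection on one
# interface where client and web server share the subnet.
# Assumed names: $int_if, $int_net, $web_srv (macros chosen for this example).
int_if  = "xl0"
int_net = "10.4.0.0/16"
web_srv = "10.4.12.235"

# Translation rules are first-match, so the exemption comes first:
# the OpenBSD box's own test connections (lynx/telnet) are left untouched.
no nat on $int_if proto tcp from $int_if to $int_net

# Rewrite the destination: connections to the OpenBSD box's own address on
# port 80 go to the web server.
rdr on $int_if proto tcp from $int_net to $int_if port 80 -> $web_srv port 80

# The part a single-interface setup cannot do without: if the web server
# saw the client's real source address it would answer the client directly
# on the shared subnet, bypassing pf, and the client would drop a reply from
# an address it never talked to.  Rewriting the source to the OpenBSD box's
# own address forces the return traffic back through pf, where the rdr state
# is undone.
nat on $int_if proto tcp from $int_net to $web_srv port 80 -> $int_if

# rdr and nat only translate; the filter must still pass the traffic.
pass in  on $int_if proto tcp from $int_net to $web_srv port 80 keep state
pass out on $int_if proto tcp from any to $web_srv port 80 keep state
```

Two checks a practitioner would run alongside this: the box must forward at all (sysctl net.inet.ip.forwarding must be 1, otherwise redirected packets are translated and then dropped), and after `pfctl -f /etc/pf.conf` the rules and live translations can be inspected with `pfctl -s nat` and `pfctl -s state`; a state entry with both the rewritten destination and the rewritten source is what a working one-armed redirect looks like. With two interfaces and the web server on its own subnet, the nat rule is unnecessary because replies have to pass through the OpenBSD box anyway.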