This is a discussion on Dual connection fast route problems within the IPFilter forums, part of the System Security and Security Related category.
Hi,

I am using IP Filter: v4.1.13 on FreeBSD 6.2 and have an issue I can't seem to resolve with the help of Google or the ipf documentation I have found. Perhaps someone can assist. I am no expert with IP Filter but I have an okay grasp of it and have been using it for quite some time successfully for basic firewalling functions. If there is a better list to ask such questions on, please point me to it. I also might be going about this entirely the wrong way, but I don't know of any better way.

Basically what I am trying to achieve is a dual Internet connection to a single internal NAT'ed email server for receiving mail in a redundant fashion. However, I can't get the return packets to go back out the interface which is the non-default route on the gateway. The packets come in fine, and on the way back out the gateway I catch them with IP Filter's "to interface:ip" syntax and try to push them back out that way. This technique is called fast route, I think. The rule catches the packets going back out and changes the IP correctly to the one specified in the rule; however, it does not re-route the packet into the specified outgoing interface.

Here is my setup.

* Hosts/Connections

Gateway: FreeBSD 6.2 - IP Filter: v4.1.13, 3 network interfaces of interest:
- primary internet connection: ste4, static IP: 1.2.3.4
- secondary internet connection: tun0 (pppoe), static IP: 5.6.7.8, simple ppp setup via /etc/ppp/ppp.conf
- Internal LAN: ste3 (ethernet), 192.168.1.1

Then we have on the LAN: an internal Linux host running SMTP with IPs 192.168.1.15 and 192.168.1.16.

* Inbound NAT config

The primary Internet connection's NAT is done by a router beyond ste4; it does translation of 1.2.3.4:25 -> 192.168.1.15:25.

The secondary Internet connection uses ipnat configured on the gateway to redirect traffic:

```
rdr tun0 5.6.7.8/32 port 25 -> 192.168.1.16 port 25 tcp
```

The default route on the gateway points out ste4 to the primary Internet connection.

Inbound SMTP connections to 1.2.3.4:25 work fine as they use the default outbound route on the gateway. For the secondary connection I have a rule in the ipf.rules like this to catch the returning server -> client packets as they exit the default outbound route interface of the gateway (ste4):

```
pass out log quick on ste4 to tun0:5.6.7.8 proto tcp from 192.168.1.16 port = 25 to any
```

I know this rule is catching the packets and logging them, but it's not changing the outbound interface to tun0. The IP does change to 5.6.7.8 as I can see them with tcpdump sailing out the ste4 interface. I have successfully used the fast route syntax in other places in my ruleset to affect the route of outgoing connections, so I figure I have the syntax right. Apologies if this is bastardry of ipfilter, but it seems in theory that it should work. Any help is appreciated.

Regards,
Ross
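As an added check (example code written for this page, not from the post or from IPFilter), the tcpdump observation above can be turned into a small audit: for every SMTP reply seen leaving the gateway, compare the source address against the interface it should exit on. The capture lines are constructed, tcpdump-style, and prefixed with the interface they were taken on; the policy table encodes only what the post states about the two connections.

```python
import re
from typing import Optional

# Expected egress per the post: reply source address -> interface it must leave on.
# 192.168.1.15 is translated by the upstream router beyond ste4, so on ste4 it is
# still seen with its private address; 5.6.7.8 is the ipnat-translated secondary.
EGRESS_POLICY = {"192.168.1.15": "ste4", "5.6.7.8": "tun0"}
SMTP_PORT = 25

# Constructed sample (not a real capture): tcpdump -n style lines, each prefixed
# with the interface it was captured on. Line 2 reproduces the reported symptom.
SAMPLE_CAPTURE = """\
ste4 IP 192.168.1.15.25 > 203.0.113.10.51234: Flags [S.], seq 1, ack 1, win 65535
ste4 IP 5.6.7.8.25 > 198.51.100.7.40210: Flags [S.], seq 1, ack 1, win 65535
tun0 IP 5.6.7.8.25 > 198.51.100.7.40211: Flags [S.], seq 1, ack 1, win 65535
ste4 IP 192.168.1.16.25 > 198.51.100.7.40212: Flags [S.], seq 1, ack 1, win 65535
ste3 IP 203.0.113.10.51234 > 192.168.1.15.25: Flags [S], seq 0, win 65535
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def classify(line: str) -> Optional[tuple]:
    """Return (iface, src, verdict) for an SMTP reply line, None for anything else."""
    m = LINE_RE.match(line)
    if not m or int(m["sport"]) != SMTP_PORT:
        return None
    iface, src = m["iface"], m["src"]
    if src not in EGRESS_POLICY:
        # Mail-server address the gateway should have rewritten but did not:
        # the rdr mapping did not apply on the return path.
        return (iface, src, "untranslated")
    if EGRESS_POLICY[src] != iface:
        # Source rewritten to the secondary address but still on the default-route
        # interface: the symptom the post describes for the "to tun0:5.6.7.8" rule.
        return (iface, src, "misrouted")
    return (iface, src, "ok")

def audit(capture: str) -> list:
    """Classify every SMTP reply in a capture; anything but 'ok' needs attention."""
    return [v for v in (classify(l) for l in capture.splitlines()) if v]

if __name__ == "__main__":
    for verdict in audit(SAMPLE_CAPTURE):
        print(*verdict)
```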