OpenBSD, Dual Gateways, and redirects

I wanted to allow users to ssh to an sftp server, but using the secondary ISP connection. The SFTP server is in a DMZ (actually, in this case, it's a VLAN off an internal NIC.) This is with OpenBSD version 4.4.

#As usual, we need to set up the pf.conf file so that NATing happens on both interfaces:

nat on $ext_if from !($ext_if) to ! -> ($ext_if:0)
nat on $ext_if2 from !($ext_if2) to ! -> ($ext_if2:0)

# here's the actual redirect
rdr pass on $ext_if2 proto tcp from any to ($ext_if2:0) port 40000 \
-> $sftp port 22

# I haven't tried this with 4.6 or later... anyway, keep state appears
# to break things, as later packets go out the primary ISP connection
# ($ext_if, not $ext_if2)
pass out on $dmz3_if proto tcp from any to $sftp port 22 no state
pass in on $dmz3_if route-to ($ext_if2 $gateway2) proto tcp from \
$sftp port 22 to any no state



It works for me.