IPFW2 script with natd and dummynet (loadsharing)
René Vestergaard
rve at techno-matic.dk
Tue Mar 4 10:13:07 UTC 2008
I am trying to have both natd (divert) and loadsharing (pipe/queue)
in the same IPFW2 firewall script.
It works partly. That is, something is wrong because the
pipe bandwidth does not at all match the measured bandwidth,
and by using the log facility I found that
the following packet enters the script at rule 11:
"TCP 207.46.211.119:80 192.168.12.150:1574 out via em0"
but it looks like it had just been translated by rule number 400.
In /etc/sysctl.conf I wrote:
------------------------------
net.inet.ip.forwarding=1
net.inet.ip.redirect=1
net.inet.ip.fw.enable=1
# Disable one_pass to allow both NATD and LOADSHARING (default is 1)
net.inet.ip.fw.one_pass=0
------------------------------
The NIC with IP 192.168.10.248 is connected to the WAN and
the NIC with IP 192.168.12.10 is connected to the LAN.
Here is my script:
------------------------------
# Firewall script (Kernel compilation: default-rule was set to allow)
ipfw -f -q flush
ipfw -q add 60000 allow all from any to any
# Log facility (for debugging)
ipfw add 11 skipto 12 log all from any to any
ipfw pipe 1 config bw 80KByte/s # upload limit
ipfw pipe 2 config bw 800KByte/s # download limit
# Packets going in the download direction are translated by NATD
# to get the destination .12-subnet IP address
# (change destination IP address)
ipfw add 100 divert natd ip from any to 192.168.10.248 // Download
ipfw add 200 queue 1 ip from 192.168.12.0/24 to not 192.168.12.0/24 // Upload
ipfw queue 1 config weight 10 pipe 1 mask src-ip 0x000000ff
ipfw add 300 queue 2 ip from any to 192.168.12.0/24 // Download
ipfw queue 2 config weight 10 pipe 2 mask dst-ip 0x000000ff
# Packets going in the upload direction are translated by NATD
# to get the source IP address of the WAN NIC (and the port number is also changed)
ipfw add 400 divert natd ip from 192.168.12.0/24 to any // Upload
------------------------------
What is wrong?
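As an added illustration (not part of the post above), here is a small Python model of how a forwarded packet walks this ruleset: once on the input pass and once again on the output pass, with a divert reinjecting at the rule after the one that diverted it, and net.inet.ip.fw.one_pass deciding whether a packet coming out of a queue stops there or continues at the next rule. natd is replaced by a constructed stand-in with a single fixed mapping (192.168.12.150 as the LAN host, taken from the logged line), and the log rule is modelled only as its skipto. Running it prints which rule numbers each direction hits in each pass, which is what to compare against the counters from `ipfw -a list` when pipe measurements look wrong.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the post; the LAN host behind the NAT is a constructed value.
WAN_IP = "192.168.10.248"
LAN_NET = ipaddress.ip_network("192.168.12.0/24")
LAN_HOST = "192.168.12.150"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in" (ip_input pass) or "out" (ip_output pass)


@dataclass(frozen=True)
class Rule:
    num: int
    action: str   # allow | skipto | divert | queue
    src: str      # "any", a CIDR/host, or "not <CIDR>"
    dst: str
    arg: int = 0  # skipto target or queue number


def match_addr(spec: str, addr: str) -> bool:
    """Match one address against an ipfw-style address spec."""
    if spec == "any":
        return True
    negate = spec.startswith("not ")
    net = ipaddress.ip_network(spec[4:] if negate else spec, strict=False)
    hit = ipaddress.ip_address(addr) in net
    return hit != negate


def toy_natd(pkt: Packet) -> Packet:
    """Constructed stand-in for natd: de-alias on input, alias on output.
    Real natd consults its translation table; this uses one fixed mapping."""
    if pkt.direction == "in" and pkt.dst == WAN_IP:
        return replace(pkt, dst=LAN_HOST)
    if pkt.direction == "out" and ipaddress.ip_address(pkt.src) in LAN_NET:
        return replace(pkt, src=WAN_IP)
    return pkt


def run_pass(rules, pkt: Packet, one_pass: bool):
    """One walk through the ruleset. Returns the (possibly rewritten) packet
    and the list of rule numbers that matched, in order."""
    trace = []
    i = 0
    while i < len(rules):
        r = rules[i]
        if not (match_addr(r.src, pkt.src) and match_addr(r.dst, pkt.dst)):
            i += 1
            continue
        trace.append(r.num)
        if r.action == "allow":
            return pkt, trace
        if r.action == "skipto":
            i = next((j for j, x in enumerate(rules) if x.num >= r.arg), len(rules))
        elif r.action == "divert":
            pkt = toy_natd(pkt)  # natd reinjects at the rule after the divert
            i += 1
        elif r.action == "queue":
            if one_pass:
                return pkt, trace  # one_pass=1: dummynet output is not re-filtered
            i += 1                 # one_pass=0: reinjected at the next rule
        else:
            raise ValueError(r.action)
    return pkt, trace  # fell off the end: the kernel default rule decides


def forward(rules, src: str, dst: str, one_pass: bool):
    """A forwarded packet is filtered twice: on input and again on output."""
    pkt, trace_in = run_pass(rules, Packet(src, dst, "in"), one_pass)
    pkt, trace_out = run_pass(rules, replace(pkt, direction="out"), one_pass)
    return pkt, trace_in, trace_out


# The posted ruleset, with the log rule modelled as its skipto.
POSTED_RULES = [
    Rule(11, "skipto", "any", "any", arg=12),
    Rule(100, "divert", "any", WAN_IP),
    Rule(200, "queue", "192.168.12.0/24", "not 192.168.12.0/24", arg=1),
    Rule(300, "queue", "any", "192.168.12.0/24", arg=2),
    Rule(400, "divert", "192.168.12.0/24", "any"),
    Rule(60000, "allow", "any", "any"),
]

if __name__ == "__main__":
    for one_pass in (False, True):
        print(f"one_pass={int(one_pass)}")
        pkt, t_in, t_out = forward(POSTED_RULES, "207.46.211.119", WAN_IP, one_pass)
        print("  download:", t_in, t_out, "->", pkt.src, pkt.dst)
        pkt, t_in, t_out = forward(POSTED_RULES, LAN_HOST, "207.46.211.119", one_pass)
        print("  upload:  ", t_in, t_out, "->", pkt.src, pkt.dst)
```

With one_pass=0 the model shows rule 300 matching a download packet on both passes and rules 200 and 400 matching an upload packet on both passes, because none of the posted rules carries an `in`, `out` or `via` qualifier; with one_pass=1 an upload packet stops at rule 200 and never reaches the divert at 400. Whether the real kernel counters agree is exactly what `ipfw -a list` is for.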