weird PF behavior
Jayel Villamin
jarthel at gmail.com
Wed Mar 30 22:18:56 PST 2005
Here's a rough sketch of the home network:

FBSD 5.3 box ===>>> xl0 ===>>> ADSL modem
             ===>>> xl1 ===>>> 10/100 Mbps switch ===>>> several Windows PCs connected to the switch
             ===>>> xl2 ===>>> Windows PC (via x-over cable). This is the FTP server.
I have an FTP server running on a Windows box with IP = 192.168.2.2.
Here's a snippet of my rules:
==========
ext_if = "tun0"
elayne_ftp_service = "19985:19989"
elayne = "192.168.2.2/32"
rdr on $ext_if proto tcp from any to ($ext_if) port $elayne_ftp_service -> $elayne
block log all # This is the very first rule after the nat/rdr rules
pass in quick on $ext_if inet proto tcp from any to $elayne port { $elayne_ftp_service } flags S/SA keep state
============
Looking at the PF FAQ on openbsd.org, this seems to be correct.
But when I try to connect from work to the FTP server, I get the following
tcpdump entries:
=====================
15:44:38.009604 IP SOURCE_IP_HIDDEN_FOR_PRIVACY.43318 > TARGET_IP_HIDDEN_FOR_PRIVACY.19989: S 1052116979:1052116979(0) win 49640 <mss 1402,nop,nop,sackOK>
15:44:41.423697 IP SOURCE_IP_HIDDEN_FOR_PRIVACY.43318 > TARGET_IP_HIDDEN_FOR_PRIVACY.19989: S 1052116979:1052116979(0) win 49640 <mss 1402,nop,nop,sackOK>
===================
If I change the last rule in the snippet to:
===========
pass in quick inet proto tcp from any to $elayne port { $elayne_ftp_service } flags S/SA keep state
===========
it works.
Well, I thought that having "on $ext_if" was correct as well, since the
traffic from work to the home FTP server must pass through $ext_if.
Any ideas for this behavior?
Thanks
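Added diagnostic, not part of the original post: the `block log all` rule in the snippet above sends every blocked packet to pflog0, and each entry there names the rule number, the direction, and the interface the packet was blocked on. That is the first thing to read when a `pass in on $ext_if` rule drops a SYN that the same rule without `on $ext_if` passes, because it shows directly whether the SYN arrived on the interface the rule names. The script below summarizes such entries; the log lines in `PFLOG_SAMPLE` are constructed to resemble `tcpdump -n -e -ttt -i pflog0` output (interface names xl0/tun0, addresses and ports are made up) and are not a capture from the poster's box, and the exact field layout of that output is assumed.

```shell
#!/bin/sh
# Summarize pflog entries by direction, interface, destination port and rule.
# Expected input is the output of: tcpdump -n -e -ttt -i pflog0
# Example (constructed) line layout assumed here:
#   <delta> rule 0/0(match): block in on xl0: 192.0.2.10.43318 > 198.51.100.7.19989: S ...

# Constructed sample: three blocked SYNs to the rdr'd FTP port range, two seen
# on xl0 and one on tun0. Not real traffic.
PFLOG_SAMPLE='000000 rule 0/0(match): block in on xl0: 192.0.2.10.43318 > 198.51.100.7.19989: S 1052116979:1052116979(0) win 49640 <mss 1402,nop,nop,sackOK>
3414093 rule 0/0(match): block in on xl0: 192.0.2.10.43318 > 198.51.100.7.19989: S 1052116979:1052116979(0) win 49640 <mss 1402,nop,nop,sackOK>
000871 rule 0/0(match): block in on tun0: 192.0.2.10.43320 > 198.51.100.7.19989: S 1052117001:1052117001(0) win 49640 <mss 1402,nop,nop,sackOK>'

# blocked_summary: read pflog lines on stdin, print one line per
# "<dir> <iface> <dport> rule <n>" group followed by the packet count.
blocked_summary() {
    awk '$2 == "rule" && $4 == "block" {
        rule = $3; sub(/\/.*/, "", rule)      # "0/0(match):" -> "0"
        iface = $7; sub(/:$/, "", iface)      # "xl0:" -> "xl0"
        dst = $10; sub(/:$/, "", dst)         # "a.b.c.d.19989:" -> "a.b.c.d.19989"
        n = split(dst, part, "."); dport = part[n]
        key = $5 " " iface " " dport " rule " rule
        count[key]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Run on the constructed sample when executed directly.
printf '%s\n' "$PFLOG_SAMPLE" | blocked_summary
```

Against a live box the same function takes `tcpdump -n -e -ttt -i pflog0 -r /var/log/pflog` (or the live interface) on stdin; an interface in the summary that is not `$ext_if` is the thing to explain before touching the rules, and `pfctl -sr` shows which rule number the log entries refer to.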