Routing return NAT traffic based on interface

Peter McAlpine peter at aoeu.ca
Fri Nov 16 14:40:41 UTC 2012


Hello,

I am having trouble with routing via pf and would appreciate any help
that can be provided.

My router has a tunnel interface, and an external (internet)
interface. I'd like to NAT any traffic that arrives on the tunnel out
to the internet via the external interface. Any traffic that arrives
on the external interface that is not specifically for the external
interface's address should be sent down the tunnel.

Here's my config:
# interface macros
data_if = "tap3"
ext_if = "em0"
set skip on lo0
# translate anything leaving em0 that did not come from em0's own network
nat on $ext_if from !$ext_if:network to any -> ($ext_if)
# send inbound em0 traffic not destined for em0's network down the tunnel
pass in on $ext_if route-to $data_if from any to !$ext_if:network

My motivation is that I am completely unaware of the networks that
exist beyond the tunnel and want to be able to add additional
interfaces with RFC1918 addresses to my router without worrying about
whether my IP is colliding with the IPs past the tunnel. Further, I
want the traffic that arrives on the tunnel to remain in its original
state until it leaves on the external interface.

The issue I'm having is that the 'pass' rule is not being matched (or
even evaluated?). My default gateway on the router is the ext_if and
return traffic is being reverse-translated and then the routing table
is sending it back out ext_if instead of down data_if where I want it
to go.

I have also tried rebuilding my kernel and using different routing
tables but I can't get any pass rule to be evaluated for returning NAT
traffic.

Thanks in advance for any help you can provide.

-Peter
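A constructed pf.conf for the topology described in the message above, added here as an example; it is not the poster's configuration and not a reply from the freebsd-pf thread. It uses pf's reply-to option (documented in pf.conf(5) as routing the replies of a state through a given interface) on the rule that lets tunnel traffic out, rather than relying on a route-to rule on the inbound ext_if, which is never consulted once the NAT state already matches the reply. The tag name TUNNEL, the macro tun_gw and the address 192.0.2.1 (a placeholder for the far end of the tunnel link) are assumptions.

```pf
# Added example, not the poster's config. Macros as in the original message;
# tun_gw is an assumed placeholder for the tunnel peer's address on tap3.
data_if = "tap3"
ext_if  = "em0"
tun_gw  = "192.0.2.1"

set skip on lo0

# Translate everything leaving em0 that did not originate on em0's own
# network to em0's current address (same intent as the original nat rule).
nat on $ext_if from !$ext_if:network to any -> ($ext_if)

# Mark connections that enter through the tunnel so only they get the
# special return path; the router's own traffic keeps the normal one.
pass in on $data_if tag TUNNEL keep state

# Let tagged connections out to the internet. reply-to acts on the replies
# of this state, i.e. the translated packets coming back in on em0, and
# hands them to tap3 with tun_gw as next hop instead of consulting the
# routing table (whose default route points back out em0).
pass out on $ext_if tagged TUNNEL reply-to ($data_if $tun_gw) keep state

# New connections arriving on em0 that are not for em0's own network are
# forwarded down the tunnel; route-to applies to packets in the rule's
# own direction, so this covers fresh inbound traffic, not replies.
pass in on $ext_if route-to ($data_if $tun_gw) from any to !$ext_if:network keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -ss` then shows the states created by the tagged pass out rule, and `pfctl -vsr` shows the per-rule packet counters, which is the quickest way to confirm whether a given rule is being evaluated at all.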

