подскажите, пожалуйста, где грабли.
есть 2 канала в инет. один анлим (медленный), другой быстрый, но анлим тока ua-ix
вот конфиг pf:

# interfaces
int_if = "xl0"
ext_if = "nve0"
ext_if2 = "tun0"
lan_net="192.168.3.0/24"
ext_gw = "7x.8x.19x.145"
ext_gw2 = "6x.8x.17x.80"
tcp_services = "{ ssh, smtp, 21, 53, 80, 443, 1723,137,138,110 }"
udp_services = "{ ftp, 53, 123,137,138 }"
nat_users = "{192.168.3.0/24 }"
icmp_types = "echoreq"
table <ua-ix> persist file "/etc/prefixes.txt"

priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12 }"
        
# options
set block-policy return

# scrub
scrub in all
# nat/rdr
nat on $ext_if from $nat_users to !<ua-ix> -> ($ext_if)
nat on $ext_if2 from $nat_users to <ua-ix> -> ($ext_if2)

# filter rules
block all

pass quick on lo0 all
pass out all keep state
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
block drop in  quick on $ext_if2 from $priv_nets to any
block drop out quick on $ext_if2 from any to $priv_nets

# Load balance outgoing tcp and udp traffic from internal network1.
pass in on $int_if route-to \
    { ($ext_if $ext_gw) } round-robin \
    proto tcp from  $lan_net to !<ua-ix> flags S/SA modulate state

pass in on $int_if route-to \
    { ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from  $lan_net to <ua-ix> flags S/SA modulate state

pass in on $int_if route-to \
    { ($ext_if $ext_gw) } round-robin \
    proto { udp, icmp } from $lan_net to !<ua-ix> keep state

pass in on $int_if route-to \
    { ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to <ua-ix> keep state
    

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state
pass in on $ext_if2 inet proto tcp from any to ($ext_if2) \
   port $tcp_services flags S/SA keep state

# Allow access to provided UDP services on both external i/fs
pass in on $ext_if inet proto udp from any to ($ext_if) \
   port $udp_services keep state
pass in on $ext_if2 inet proto udp from any to ($ext_if2) \
   port $udp_services keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp, esp, ah, ipip, gre } all keep state

pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto { udp, icmp, esp, ah, ipip } all keep state

pass out on $ext_if route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if $ext_gw) from $ext_if to any

pass in on $ext_if proto { esp, ah, ipip, gre } from any keep state
pass in on $ext_if2 proto { esp, ah, ipip } from any keep state

при этом интерфейс nve0 (куда должны ходить пакеты не ua-ix молчит). И все пакеты отправляются на дефолт (tun0, PPPoE)
как сделать так, чтобы пакеты уходили по правильному маршруту и ответ был с того интерфейса, на который приходит запрос.
помогите, плиз. Уже 3 дня лбом об стенку...