PF Problem?

Mr. BBQ

Der Wurstfachverkäuferin
I have my small network here and something is not right. I have been staring at the pf.conf for quite a while now and cannot find the error. My network looks like this:

Code:
internet----modem--------(vr1)router(vr0)--------mein pc
                               (xl0)        |
                                 |          |----notebook
                                 |
                                 |
                            nameserver2


vr1  = 10.0.0.140
vr0  = 192.168.1.250/24
xl0  = xxx.yyy.zzz.74/29
ppp0 = xxx.yyy.zzz.73/29

nameserver2 = xxx.yyy.zzz.75/29

My pf.conf now looks like this:

Code:
# our defines
ext_if="ppp0"
int_if="vr0"
if_to_ext_if="vr1"
domain_if="xl0"
internal_net="192.168.1.0/24"
domain_net="xxx.yyy.zzz.72/29"

table <unroutable> { 127.0.0.1/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, !$internal_net, !$domain_net, 255.255.255.255/32 }

# make stats for the ADSL-connection
set loginterface $ext_if

# close inactive connections faster - less memory is needed
set optimization aggressive

# clean fragmented packets
scrub on $ext_if all fragment reassemble random-id

# force packets to conform to specifications.  You can miss off the
# no-df if you don't intend to use IPSec.
scrub in  all no-df
scrub out all no-df

# NAT: masquerade the private LAN and the /29 behind xl0 as the ppp0 address
# (packet forwarding itself is switched on with sysctl net.inet.ip.forwarding=1)
nat on $ext_if from $internal_net to any -> $ext_if
nat on $ext_if from $domain_net to any -> $ext_if

# ... in the filtering section of pf.conf ...

# predefined workstations and servers
clemens                 = "192.168.1.100"
dns2                    = "xxx.yyy.zzz.75"

# ports that should be able to reach from outside
ssh_ports               = "{ 2222 }"
im_ports                = "{ 1863 5190 5222 }"
bittorrent_ports        = "{ 6969, 6881:6999 }"
service_ports           = "{ 21 80 }"
dns_port                = "{ 53 }"

# bittorrent stuff
rdr on $ext_if proto tcp from !$internal_net to any port 6969 -> $clemens port 6969
rdr on $ext_if proto tcp from !$internal_net to any port 6881:6999 -> $clemens port 6881:6999

# we don't want IPv6
block quick inet6

# don't allow IP spoofing
block in log quick on $ext_if inet from <unroutable> to any
block in log quick on $ext_if inet from any to <unroutable>

# allow to ping this server
pass in quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# filter rules for $ext_if inbound
block in on $ext_if all
pass  in on $ext_if inet proto tcp from any to $clemens port $bittorrent_ports flags S/SAFR keep state
pass  in on $ext_if inet proto tcp from any to any port $service_ports flags S/SA keep state
pass  in on $ext_if inet proto tcp from any to any port $ssh_ports flags S/SA keep state
# "flags" is a TCP-only option, so the DNS rule is split into a tcp and a udp rule
pass  in on $ext_if inet proto tcp from any to any port $dns_port flags S/SA keep state
pass  in on $ext_if inet proto udp from any to any port $dns_port keep state
pass  in on $ext_if from $domain_net

# filter rules for $ext_if outbound
block out on $ext_if all
pass  out on $ext_if inet proto tcp from $ext_if to any flags S/SA keep state
pass  out on $ext_if inet proto { udp icmp } from $ext_if to any keep state
pass  out on $ext_if inet proto { tcp udp } from $ext_if to any port domain keep state
pass  out on $ext_if inet proto tcp from $ext_if to any port $ssh_ports flags S/SA keep state
pass  out on $ext_if inet proto tcp from $ext_if to any port $im_ports flags S/SA keep state
pass  out on $ext_if from $clemens to any

# filter rules for $int_if inbound
block in on $int_if all
pass  in on $int_if from $internal_net

# filter rules for $int_if outbound
block out on $int_if all
pass  out on $int_if from any to $internal_net

# filter rules for $domain_if inbound
block in on $domain_if all
pass  in on $domain_if from $domain_net

# filter rules for $domain_if outbound
block out on $domain_if all
pass  out on $domain_if from any to $domain_net

The problem now is: I can ping nameserver2 from my router, but I cannot ping the router from nameserver2. What is going on there? I can reach the internet and so on from nameserver2 without any problems. The router runs OpenBSD 3.6 and nameserver2 runs 3.7. Can someone please help me?
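To reason about which rule actually decides for a given packet, the following is a small model of pf's evaluation order written for this page; it is not code from the post or from OpenBSD. It implements the two things that most often surprise people reading a ruleset like the one above: the last matching rule wins unless a matching rule is marked `quick`, and table lookups use longest-prefix match, so the `!$internal_net` and `!$domain_net` entries carve exceptions out of the broader `<unroutable>` entries. Only direction, interface, protocol, addresses and destination port are modelled; nat/rdr, state tracking, scrub and ICMP types are not. Because the post masks its public /29 as xxx.yyy.zzz, the TEST-NET block 192.0.2.72/29 is assumed as a stand-in, and the ppp0 outbound section is left out to keep the list short.

```python
"""Toy model of pf filter evaluation (an added illustration, not from the post).
Rules are tried in order and the LAST match decides, unless a matching rule is
'quick', which ends evaluation at once.  Tables use longest-prefix match, so a
'!' entry carves an exception out of a broader one.  Modelled: direction,
interface, protocol, addresses, destination port.  Not modelled: nat/rdr,
state, scrub, ICMP types.  192.0.2.72/29 stands in for the masked /29."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Union

INTERNAL_NET = "192.168.1.0/24"
DOMAIN_NET = "192.0.2.72/29"   # assumption: stand-in for xxx.yyy.zzz.72/29
ROUTER_PPP0 = "192.0.2.73"     # stand-in for the ppp0 address (.73)
ROUTER_XL0 = "192.0.2.74"      # stand-in for the xl0 address (.74)
DNS2 = "192.0.2.75"            # stand-in for nameserver2 (.75)

class Table:
    """A pf <table>: membership is decided by the longest matching prefix."""
    def __init__(self, entries: Sequence[str]):
        self.entries = [(e.startswith("!"), ip_network(e.lstrip("!"), strict=False)) for e in entries]

    def __contains__(self, addr: str) -> bool:
        a = ip_address(addr)
        hits = [(net.prefixlen, negated) for negated, net in self.entries if a in net]
        return bool(hits) and not max(hits, key=lambda h: h[0])[1]

def addr_match(spec: Union[str, Table], addr: str) -> bool:
    """spec is 'any', a CIDR, a '!'-negated CIDR, or a Table."""
    if isinstance(spec, Table):
        return addr in spec
    if spec == "any":
        return True
    negated = spec.startswith("!")
    return (ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)) != negated

@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out", or None for both
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Union[str, Table] = "any"
    dst: Union[str, Table] = "any"
    dports: tuple = ()                # empty means any destination port
    quick: bool = False

@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(r: Rule, p: Packet) -> bool:
    return (r.direction in (None, p.direction) and r.iface in (None, p.iface)
            and r.proto in (None, p.proto) and addr_match(r.src, p.src)
            and addr_match(r.dst, p.dst) and (not r.dports or p.dport in r.dports))

def evaluate(rules: Sequence[Rule], p: Packet):
    """Return (action, index of the deciding rule); pf's implicit default is pass."""
    verdict = ("pass", None)
    for i, r in enumerate(rules):
        if matches(r, p):
            verdict = (r.action, i)
            if r.quick:
                break
    return verdict

# The post's <unroutable> table: the '!' entries keep rdr targets in 192.168.1.0/24
# and the /29 behind xl0 out of the broader entries.
UNROUTABLE = Table(["127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                    "!" + INTERNAL_NET, "!" + DOMAIN_NET, "255.255.255.255/32"])

# The post's filter rules in their original order, minus the ppp0 outbound section.
RULES = [
    Rule("block", "in", "ppp0", src=UNROUTABLE, quick=True),                   # 0 anti-spoof
    Rule("block", "in", "ppp0", dst=UNROUTABLE, quick=True),                   # 1
    Rule("pass", "in", "ppp0", "icmp", quick=True),                            # 2 ping
    Rule("block", "in", "ppp0"),                                               # 3 default deny
    Rule("pass", "in", "ppp0", "tcp", dst="192.168.1.100",
         dports=(6969,) + tuple(range(6881, 7000))),                           # 4 bittorrent (post-rdr)
    Rule("pass", "in", "ppp0", "tcp", dports=(21, 80)),                        # 5
    Rule("pass", "in", "ppp0", "tcp", dports=(2222,)),                         # 6
    Rule("pass", "in", "ppp0", "tcp", dports=(53,)),                           # 7
    Rule("pass", "in", "ppp0", "udp", dports=(53,)),                           # 8
    Rule("pass", "in", "ppp0", src=DOMAIN_NET),                                # 9
    Rule("block", "in", "vr0"), Rule("pass", "in", "vr0", src=INTERNAL_NET),   # 10, 11
    Rule("block", "out", "vr0"), Rule("pass", "out", "vr0", dst=INTERNAL_NET), # 12, 13
    Rule("block", "in", "xl0"), Rule("pass", "in", "xl0", src=DOMAIN_NET),     # 14, 15
    Rule("block", "out", "xl0"), Rule("pass", "out", "xl0", dst=DOMAIN_NET),   # 16, 17
]

def ping_check():
    """Echo request from nameserver2 to the router's xl0 address, and the reply."""
    return {"request": evaluate(RULES, Packet("in", "xl0", "icmp", DNS2, ROUTER_XL0)),
            "reply": evaluate(RULES, Packet("out", "xl0", "icmp", ROUTER_XL0, DNS2))}
```

`ping_check()` reports that both the echo request and its reply are passed by the last matching xl0 rule (rules 15 and 17), which is consistent with the poster not finding a filtering error in pf.conf; routing and the nameserver's own ruleset are outside this model. Feeding `evaluate()` a packet from 10.1.2.3 to port 80 on ppp0 shows the other half of the story: the `quick` anti-spoof rule decides immediately, and the later `pass ... port 80` rule is never reached, while a packet that rdr already rewrote to 192.168.1.100 is not caught by the table because the `!192.168.1.0/24` entry is the longest match.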