Shorewall users - Feb 2004 - Problem with aliased interface forwarding

Hi,
i´m using shorewall for 2 years and its great. Know i have the following
problem:
I have an VPN-Router and an Firewall with Linux/ Shorewall, behind the shorewall
are two AS400 and two terminal server for different groups. Know some users
want to be able to access both AS400 and terminal server over VPN, so i thought
i use virtual ip addresses and forward them to the different server.
 
My WAN network is 10.254.254.0/24 and my LAN network is 192.168.10.0/24.
I have configured eth0:0 with 10.254.254.253 and eth0:1 with 10.254.254.252
Hope these graphic helps to illustrate it a little bit:

				Shorewall 1.4.10c
				| 10.254.254.254 - DNAT port 23 to 192.168.10.240 |	-> 	1. AS400 
| VPN-Router 10.254.254.1| ----->	| 10.254.254.253 - DNAT port 23 to
192.168.10.003 | 	-> 	2. AS400
				| 10.254.254.254 - DNAT port 3389 to 192.168.10.5 | 	-> 	1. Terminal
Server
				| 10.254.254.252 - DNAT port 3389 to 192.168.10.250 | 	-> 	2. Terminal
Server

So i inserted these in the rules file:
DNAT      net   loc:192.168.10.240      tcp     23      -       10.254.254.254
DNAT      net   loc:192.168.10.250      tcp     3389    -       10.254.254.254
DNAT     net   loc:192.168.10.3        tcp     23      -       10.254.254.253
DNAT      net   loc:192.168.10.5       tcp     3389    -       10.254.254.252

but it doesn´t work. If i connect to 10.254.254.253 (Virtual WAN, with telnet
forwarded to 192.168.10.003),
i get the login from the linux firewall and not from the AS400. I´m also able to
ping the virtual wan interfaces,
but not the real wan interface..

I don´t know what is wrong, so i hope someone can help me.

Thanks in advance.

	Stefan Drees

P.S. Here are some informations about my system / shorewall configuration:

shorewall version
1.4.10c

ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen
100
    link/ether 00:e0:7d:c8:7f:b8 brd ff:ff:ff:ff:ff:ff
    inet 10.254.254.254/24 brd 10.254.254.255 scope global eth0
    inet 10.254.254.252/24 brd 10.254.254.255 scope global secondary eth0:0
    inet 10.254.254.253/24 brd 10.254.254.255 scope global secondary eth0:1
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:e0:4c:89:1d:1d brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.254/24 brd 192.168.10.255 scope global eth1

ip route show
10.254.254.0/24 dev eth0  proto kernel  scope link  src 10.254.254.254
192.168.10.0/24 dev eth1  proto kernel  scope link  src 192.168.10.254
default via 10.254.254.1 dev eth0