We use our firewall to "catch" some traffic and route it
back to our network to facilitate routing between our
normal address space and some private address space.
The rules we use to do this are:
#
# Routing Between Private Address Space And Normal Address Space Rules
#
pass in quick from 172.24.0.0/16 to 172.24.0.1 group 100 # Private Address Space to its Gateway
block in quick on fxp0 to fxp0 from 172.24.0.0/16 to <normal range> group 100 # Private Address Space to Normal Addresses
block in quick from 172.24.0.0/16 to 172.24.0.0/16 group 100 # Ignore Broadcasts and Internal Traffic
block in quick on fxp0 to fxp0 from <normal range> to 172.24.0.0/16 group 100 # Normal Addresses to Private Address Space
As can be seen we have set up an alias IP address on fxp0
(172.24.0.1) as the gateway for this address range. Although
this all seems to work fairly well we have experienced some
slowness and downright lack of connectivity from our normal
addresses to the private address space. On checking the
stats I find:
ipfstat
input packets: blocked 198511372 passed 2897837934 nomatch 0 counted 0 short 7027
output packets: blocked 0 passed 27928599 nomatch 0 counted 0 short 0
input packets logged: blocked 28201806 passed 25181
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 1537067 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 154720316 lost 1754304
packet state(out): kept 0 lost 0
ICMP replies: 511333 TCP RSTs sent: 7375
Result cache hits(in): 223266450 (out): 26211225
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 67220029 failures: 10563 <-------!!!!!
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
none
ipfstat -s | more
IP states added:
114274318 TCP
39142226 UDP
1305422 ICMP
4280144852 hits
789136496 misses
1040 maximum <----------!!!!!!
0 no memory
buckets in use 40631
43745 active
40446879 expired
114231342 closed
...
My question is: what is causing the Fastroute failures? Is this
a problem with the rule set or is this just normal? We are running
ipf 3.3.18 under OpenBSD 2.8. (I know. One of these days we
will upgrade). Any help would be appreciated. Thanks.
--
James A. Robbins
Network Engineer
The Ohio State University
Chemistry Department
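An added example, not part of the post above: a small Python script that turns the two counter dumps quoted in the message (ipfstat and ipfstat -s) into a structured report, so that the Fastroute failure ratio, the lost-state ratio and the state-table and log-buffer drop counters can be tracked over time instead of eyeballed. The sample text is constructed from the figures in the post; the meaning assigned to the "maximum" and "log failures" counters (state-add attempts refused because the table was full, and log records dropped because the log buffer was full) is an assumption about IPFilter 3.x, not something the post states.

```python
import re

# Constructed sample: the counters quoted in the post, trimmed to the lines used here.
SAMPLE_IPFSTAT = """\
input packets: blocked 198511372 passed 2897837934 nomatch 0 counted 0 short 7027
log failures: input 1537067 output 0
packet state(in): kept 154720316 lost 1754304
Fastroute successes: 67220029 failures: 10563
"""
SAMPLE_IPFSTAT_S = """\
IP states added:
        114274318 TCP
        39142226 UDP
        1305422 ICMP
        1040 maximum
        0 no memory
        43745 active
"""
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ()]*?)?\s*:?\s*(\d+)")  # "<name> <n>" pairs
STATE_RE = re.compile(r"^\s*(\d+)\s+([A-Za-z][A-Za-z ]*)$")     # "<n> <name>" lines

def parse_ipfstat(text):
    """Flatten plain ipfstat output into {'input packets/blocked': 198511372, ...}."""
    counters = {}
    for line in text.splitlines():
        head, sep, rest = line.partition(":")
        if not sep or any(ch.isdigit() for ch in head):
            continue  # not a "<label>: ..." counter line
        for name, value in PAIR_RE.findall(rest):
            counters[head.strip() + ("/" + name.strip() if name else "")] = int(value)
    return counters

def parse_ipfstat_s(text):
    """Flatten the 'IP states added' block of ipfstat -s into {'states/maximum': 1040, ...}."""
    counters = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            counters["states/" + m.group(2).strip()] = int(m.group(1))
    return counters

def health_report(c):
    """Ratios and drop counters worth alerting on. Assumed semantics: 'maximum' = state-add
    attempts refused because the table was full; 'log failures' = log records dropped."""
    fr_ok, fr_fail = c["Fastroute successes"], c["Fastroute successes/failures"]
    kept, lost = c["packet state(in)/kept"], c["packet state(in)/lost"]
    return {
        "fastroute_failure_ratio": fr_fail / (fr_ok + fr_fail),
        "state_in_lost_ratio": lost / (kept + lost),
        "state_table_full_events": c["states/maximum"],
        "state_entries_active": c["states/active"],
        "log_records_dropped": c["log failures/input"] + c["log failures/output"],
    }
```

Feed it the live output of both commands on a schedule and alert when the drop counters or ratios climb between samples.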