So currently, I have a large network that I'm serving out of one 
location across several WAN links. I have one machine with a real 
Internet address (NetBSD 1.6.1), that is providing NAT for 
192.168.0.0/16. The net 192.168.0.0/24 is located at the corporate 
office, and teh 192.168.x.0/24 are the branch offices across WAN links. 
This seems to work wonderfully, haven't had a problem.

Now, we're getting complicated. I'm going to set up the branches to use 
VPNs - each branch (well, most of them) get thier own broadband link, 
and traffic to any 192.168.0.0/16 address should get routed over the 
VPN. A few of these branches will have point-to-point T1 lines going to 
other branches - those not capable of broadband. These branches will 
have to provide NAT for themselves and for thier sister branches.

I've got the routing down, and I'm working on the firewall rules. I'm 
not sure about the NAT rules, though. Here's my question:

Say I've got a branch 192.168.3.0, with a sister branch 192.168.13.0. 
The 3.0 has a broadband connection. The 13.0 does not. There is a cisco 
router at 13.1 and 3.2, with an ip unnumbered connection between them 
over the T1. The 3.0 has a VPN IPSec tunnel to 0.0/24. How should my NAT 
rules look to provide NAT services for both the 13.0 and 3.0 network? 
Something like this, I'm assuming:

map ex0 192.168.3.0/24 -> 0/32 proxy port ftp ftp/tcp
map ex0 192.168.3.0/24 -> 0/32 portmap tcp/udp auto
map ex0 192.168.3.0/24 -> 0/32
map ex0 192.168.13.0/24 -> 0/32 proxy port ftp ftp/tcp
map ex0 192.168.13.0/24 -> 0/32 portmap tcp/udp auto
map ex0 192.168.13.0/24 -> 0/32

Now the other possibility - to confuse things further - we're getting 
five static IPs at each broadband connection, I could have each /24 go 
out on a different address - can NAT use an aliased address? Can I 
configure ex0 with two 'public' IPs, then change the NAT rules to point 
the 3.0 network to one, and the 13.0 network at the alias address?

Any help would be - um - helpfull.