"double" firewall network

Sadin Nurkic snurkic@bigpond.net.au
Tue, 31 Jul 2001 10:10:06 +1000


Hello,

I have the following situation and was wondering what the best way to
attack it is:

- 1 machine (1st fw) connected via DSL (i.e. high-speed), 2 interfaces:
  eth0 = internal subnet, eth1 = DSL
- 2 extra machines on the same subnet (web and mail server)
- a 3rd machine is a "second" firewall with 3 interfaces:
  eth0 = subnet with the other fw,
  eth1 = subnet with office machines,
  ppp0 = slow connection

Then there is a bunch of office machines connected on this "office subnet".
Some of these machines need to go through the "high-speed" connection, while
others need to go through the ppp0 interface of the 2nd fw. Only the DSL
interface on the 1st fw and the ppp0 interface on the 2nd fw have real IP
addresses; all other interfaces have internal addresses.

I know that this is really complex, but it is definitely NOT my idea to
organise it like this; let's just say that the boss has no idea about
anything...

If I set up masquerading on the middle fw, because its default route is to
go through the 2nd fw and not the machine on the other end of the ppp link,
everything ends up going through there without even considering the -o ppp0
that I put in the iptables command for a specific source IP address.

I've tried about a million different combinations of routes and iptables
using SNAT or MASQ, but no success, so I was wondering if anyone would have
an idea on how to do this from scratch, i.e. which addresses to use first,
whether or not to use different addresses for "high-speed allowed" so they're
on a different subnet, or just do a default MASQ to go to high-speed, then
one by one set rules for low speed to go through ppp0?


Any help with this would be greatly appreciated.

Regards,
Sadin
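What the post is after is routing by source address, and on Linux that is a job for iproute2 policy routing rather than for the NAT table: the nat POSTROUTING chain runs after the routing decision, so "-o ppp0" can only match packets routing has already sent to ppp0, it cannot steer them there. The script below is an added example, not part of the original message or any reply to it. The interface names (eth0, eth1, ppp0 on the 2nd firewall) come from the post; every address, the routing table number 100, the host list and the use of the iproute2 "ip" tool are assumptions. It also masquerades on eth0 so the DSL firewall never needs a route back to the office subnet (double NAT); if you would rather add that route on the 1st fw, drop that MASQUERADE rule.

```shell
#!/bin/sh
# Added example, not from the original post: split the office subnet's
# outbound traffic between the two uplinks of the 2nd firewall with
# iproute2 policy routing, then masquerade on whichever uplink the
# routing decision picked.
#
# Assumed addressing (the post gives none):
#   eth0  192.168.1.2/24  link to the 1st (DSL) firewall at 192.168.1.1
#   eth1  192.168.2.1/24  office subnet
#   ppp0  dynamic         slow link; its peer is the default in table 100
# SLOW_HOSTS lists office hosts or whole subnets that must use ppp0;
# everything else follows the main table's default via the DSL firewall.

FAST_IF=eth0
FAST_GW=192.168.1.1
SLOW_IF=ppp0
OFFICE_IF=eth1
OFFICE_NET=192.168.2.0/24
SLOW_TABLE=100                      # routing table id for the ppp path
SLOW_HOSTS="192.168.2.10 192.168.2.11 192.168.2.128/25"
DRY_RUN=${DRY_RUN:-0}               # DRY_RUN=1 prints the commands instead

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

configure_routing() {
    # Main table: everyone defaults to the DSL firewall.
    run ip route replace default via "$FAST_GW" dev "$FAST_IF"
    # Table 100 holds the ppp path. When ppp0 is down its route vanishes,
    # and the higher-metric "unreachable" entry then answers instead of
    # letting the slow hosts fall through to the main table and the DSL.
    run ip route replace default dev "$SLOW_IF" table "$SLOW_TABLE"
    run ip route replace unreachable default table "$SLOW_TABLE" metric 100
    # Consult table 100 before the main table (priority 32766) for
    # packets whose source is in SLOW_HOSTS.
    for src in $SLOW_HOSTS; do
        run ip rule add from "$src" lookup "$SLOW_TABLE" priority 1000
    done
    run ip route flush cache
}

configure_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    # Routing is decided before POSTROUTING, so -o here only selects the
    # NAT source for packets already leaving that interface; it cannot
    # steer them. Each uplink therefore gets its own MASQUERADE rule.
    run iptables -t nat -A POSTROUTING -s "$OFFICE_NET" -o "$FAST_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$OFFICE_NET" -o "$SLOW_IF" -j MASQUERADE
    # Forwarding policy: office may go out either uplink; only replies come back.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$OFFICE_IF" -o "$FAST_IF" -s "$OFFICE_NET" -j ACCEPT
    run iptables -A FORWARD -i "$OFFICE_IF" -o "$SLOW_IF" -s "$OFFICE_NET" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Ask the kernel which uplink a given office source would use to reach dst.
check_path() {   # check_path <office-src> <dst>
    run ip route get "$2" from "$1" iif "$OFFICE_IF"
}

configure() {
    configure_routing
    configure_nat
}

case "${1:-}" in
    show)  DRY_RUN=1; configure ;;
    apply) configure
           check_path 192.168.2.10 198.51.100.1   # a SLOW_HOSTS member
           check_path 192.168.2.50 198.51.100.1   # a fast-path host
           ;;
    *)     echo "usage: $0 show|apply" >&2 ;;
esac
```

Run "sh split-uplink.sh show" to see the exact commands, "sh split-uplink.sh apply" as root to install them; with "apply", the first "ip route get" should report "dev ppp0" and the second "via 192.168.1.1 dev eth0". The "ip rule add" lines are not idempotent, so running "apply" twice leaves duplicate rules; "ip rule del priority 1000" removes one copy per call. Putting the "high-speed allowed" machines on a separate subnet, as the post considers, is not necessary: the rule matches on source, and a SLOW_HOSTS entry may be a single host or a whole prefix.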