Ah, you're using stateful filtering rules and natd. Good luck with that.
The rules needed to make that work are quite complicated. I've never bothered trying; just trying to decipher the examples given in mailing lists makes my head spin.
Try it without the stateful rules.
You're also using link-local auto-configuration IPs (169.254.x.x). Try using a proper private subnet like 192.168.x.x or 10.x.x.x.
Other than that, the network config looks correct.