I assume you didn't assign any addresses to sis0 and ne3, but have an address on ep1 and a default route through ep1 (or the address/netmask for ep1 includes <wan router> and <server1>).
Correct :-)
When pf generates a packet (like for return-rst/-icmp, which you are using through 'set block-policy return'), it passes it to the TCP/IP stack for delivery. The stack consults the routing table to decide what interface to send the packet out through (based on the destination IP address).
Aah, the main problem was the "block return" policy?
Either disable return-rst/-icmp, or add routing table entries for hosts you want to send block replies to. If you have separate networks (unique netblocks) on the sis0 and ne3 sides, the simplest solution is to assign an address in the respective netblock to sis0 and ne3, just for this purpose.
The main problem is that I have only a /29 subnet, and I need all the IPs. Is it OK to work with the drop policy?
Thank you very much for your explanations Uwe
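As an added illustration (not part of the original thread), here is how the two block policies discussed above look in a pf.conf for this kind of filtering bridge. The interface names sis0, ne3 and ep1 come from the thread; the 192.0.2.0/29 netblock is a documentation placeholder standing in for the poster's real /29, and the ident rule is an assumed example of where a returned RST is useful.

```pf
# --- Before: the global "return" policy depends on the routing table ---
# set block-policy return
#
# pf hands each generated RST/ICMP reply to the TCP/IP stack, which picks the
# outgoing interface from the routing table by destination address. With no
# addresses on sis0/ne3 the only matching route is the default route via ep1,
# so replies for bridged traffic leave on the wrong interface.

# --- After: drop silently unless a rule says otherwise ---
set block-policy drop

# Interface macros from the thread
ext_if = "ep1"     # has an address and carries the default route
br_a   = "sis0"    # bridge side, no address assigned
br_b   = "ne3"     # bridge side, no address assigned

# Placeholder for the poster's /29 (all usable addresses are in use,
# so none is left over to assign to sis0/ne3)
lan_net = "192.0.2.0/29"

# Default deny; under the global policy these blocks produce no reply
block in log all

# On ep1 the stack can route a reply correctly, so a per-rule "return"
# overrides the global drop policy. Example: answer ident probes to the
# firewall's own address with an RST so remote mail servers do not stall
# waiting for a timeout.
block return in on $ext_if proto tcp from any to ($ext_if) port 113

# Rules for the bridged segment keep the drop policy: without an address on
# sis0/ne3 there is no correct egress route for a generated reply.
pass in on $br_a from $lan_net to any keep state
pass in on $br_b from any to $lan_net keep state
```

The trade-off is the one the thread implies: with `drop`, blocked clients see a timeout instead of an immediate refusal, but nothing is emitted on an interface pf cannot route through. If the two bridge sides ever end up in separate netblocks, the alternative from the thread (assigning each of sis0 and ne3 an address in its own netblock with ifconfig) lets `return` work for those rules as well, since the stack then has a route for the reply. Check the file with `pfctl -nf /etc/pf.conf` before loading it.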
