Yes, bridge between em2 and em3.

Assign the IP (used as gateway by the clients) to bridge0.

You'll have to duplicate the MAC filter rules per interface.

The pf rules need to match both interfaces with 'on { em2 em3 }',
and floating state-policy (default) will simply work. No increase in
complexity there.

If you dislike the syntax there, you can use an interface group, but
it's purely cosmetic.


