I think you're passing some packets statelessly, because you don't block correctly by default:
> nat on vr0 from !(vr0) to any -> (vr0) round-robin
> scrub on vr0 all no-df fragment reassemble
> scrub on vr0 all reassemble tcp
>
> block drop in log on vr0 all
> pass out quick on ath0/rl0 keep state.

First, change the block rule to apply to all interfaces and directions:

  block log all

Now you'll see (by tcpdump'ing pflog0) what is getting blocked.
Most likely, you also need

  pass in on ath0/rl0 keep state
  pass out on vr0 keep state

Kind regards,
Daniel