veb(4) link1 breaks vport(4) connectivity to igc(4) ports
On 3/16/26 9:56 PM, David Gwynne wrote:
> it's not clear, but i assume em0 is also part of the veb?

Correct. em0 is on the veb.

> are you using this exact ruleset when you're having trouble with link1
> and connections to/from vport0?

I don't change a single thing in pf between tests.

`ifconfig veb0 -link1` > vport0 can send/receive traffic.

`ifconfig veb0 link1` > systat rules shows packets matching my pass rules but vport0 is unable to send traffic.

> my best guess is that you've been
> running with link1 set but without "set skip on vport0", and the
> problem you're hitting is that pf runs twice for packets vport packets.
> once on the vport interface and again on the physical veb ports.

Nope. vport is skipped for all tests - no change in ruleset.

> if you connect from vport to the internet, your packet will go out
> vport0, and then it will go out em0 again. because pf doesn't do
> interface tracking or anything by default, it'll think the packet is
> being replayed and block it.

Is there a command to check for replayed packets? tcpdump on log0

> set skip on vport0 should fix this though, which is why im confused.

Agreed. I've tried changing the state policy to if-bound globally but that didn't work either.

I've been stuck on this for a few days now with no luck. I bought the book of pf and I've been brushing up. Hopefully the answer is obvious and I've just been banging my head against the wall with the door right next to me.