jggimi, 18th December 2013

The configuration file below is, as I described, very minimal. Your general goals were used to create the rules. For clarity, I have added two macros, and for an improved experience I set a block policy to return TCP RST (for TCP traffic) or ICMP UNREACHABLE (for everything else).

1. I avoided quick. It wasn't needed.
2. I used tags for clarity when reading the rules, but also, for ease of defining outbound policy.
3. I left your queues alone, except I converted them to match rules so that queuing could be separated from pass policy.
Code:
# interfaces
if_lan="vr0"
if_wlan="vr2"
if_wan="pppoe0"

# other macros for convenience
# these two added by jggimi. They are built from the interface macros above
# (unquoted, so $if_lan and $if_wlan expand) with the :network modifier,
# which pf expands to the network attached to that interface.
lan = $if_lan:network
wlan = $if_wlan:network

if_wan_bandwidth="1400Kb"
que_low_ports = "{ http, https, 8080, smtp, smtps, 6881:6889 }"
que_int_ports_tcp = "{ ssh, 5060, 5061, 5190, 5222, 5223, irc, 3478, 3479, 3480 }"
que_int_ports_udp = "{ 5060, 5061, 3478, 3479 }"

# loopback ignored
set skip on lo

# scrubbing
match in all scrub (no-df random-id)
match out on $if_wan all scrub (random-id)
match on $if_wan scrub (max-mss 1440)

# qos
altq on $if_wan priq bandwidth $if_wan_bandwidth queue { que_low, que_def, que_int, que_dns, que_ack }

queue que_low priq(default) qlimit 80
queue que_def priority 2
queue que_int priority 4 priq(red)
queue que_dns priority 5 qlimit 25
queue que_ack priority 6

# nat (use "static-port" for crappy Playstation Network)
# simplified by jggimi:
match out on $if_wan from !($if_wan) nat-to ($if_wan) static-port

# filtering

# this is where jggimi substituted a new set of rules to meet these goals:
#
# 1. pass traffic from $lan devices to $wlan, egress, and ssh daemon here.
# 2. pass traffic from $wlan devices to egress and dhcp daemon here.
#
# jggimi's rules use the following guidelines:
#
# Blocked traffic will be polite and return ICMP UNREACHABLE or TCP RST.
# Queues will be assigned by match rules. Queue assignments were unchanged.
# Policy based rules set by tag, primarily for readability and clarity.

# default block policy
set block-policy return
block log

# queue assignments
# options set by match rules are sticky and the last matching rule wins,
# so the catch-all default goes first and the specific rules below override it
match out on $if_wan queue (que_def, que_ack)
match out on $if_wan proto tcp to port $que_low_ports queue (que_low, que_ack)
match out on $if_wan proto tcp to port $que_int_ports_tcp queue (que_int, que_ack)
match out on $if_wan proto udp to port $que_int_ports_udp queue (que_int, que_ack)
match out on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)

########
# 1. pass traffic from $lan devices to $wlan, egress, and ssh daemon here.
########
# tags are sticky as well: LAN traffic is tagged external by the first rule
# and retagged by the more specific rules that follow it
pass log from $lan tag external
pass log from $lan to $wlan tag internal
pass log proto tcp from $lan to self port 22 tag local

########
# 2. pass traffic from $wlan devices to egress and dhcp daemon here.
########
pass log from $wlan tag external
pass log proto { tcp udp } from $wlan to self port bootps tag local
pass log proto { tcp udp } from self to $wlan port bootpc tag local

# pass the tagged traffic

pass out log on { $if_lan $if_wlan } tagged internal
pass out log on $if_wan tagged external
I tested local traffic (dhcp with WLAN, ssh with LAN), internal traffic (LAN client to WLAN server), and established external connections from LAN and WLAN with the "internet server".

Please read the rules and modify them to meet your actual needs, if you elect to use them. I may have misunderstood your goal of LAN client connecting to WLAN services -- it might be you intended the opposite.

Last edited by jggimi; 18th December 2013 at 10:43 PM. Reason: clarity, typo
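The ruleset above leans on two PF behaviours that are easy to get wrong when a file is reshuffled: options set by match rules (queue, tag, nat-to) are sticky and the last matching rule wins, so a catch-all `match ... queue` placed after the specific assignments silently drags everything into the default queue, and a macro referenced before it is defined fails the whole load. The following pre-flight lint is an added example, not code from jggimi's post or from OpenBSD; it reads a pf.conf as text and reports those two problems. Its notion of "specific" (the rule carries proto/from/to/port/tagged/user/group selectors) and the two sample rulesets at the bottom are assumptions constructed for the example, and it complements rather than replaces `pfctl -nf`, which is still the authoritative syntax check.

```python
"""Pre-flight lint for a pf.conf ruleset (added example, not jggimi's code).

Reports two things:
  1. a catch-all ``match ... queue`` rule that follows more specific queue
     match rules for an overlapping direction/interface.  PF applies match
     options with last-match-wins semantics, so the catch-all overrides the
     earlier, more specific assignments;
  2. macros referenced with ``$name`` that are never defined.
The sample rulesets at the bottom are constructed for this example.
"""
import re

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]*)"?\s*$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
# Keywords that narrow a match rule; a rule with none of them is a catch-all
# (assumed heuristic, not PF's own definition of specificity).
SELECTORS = ("proto", "from", "to", "port", "tagged", "user", "group")


def parse(conf):
    """Split a pf.conf into (macros, rules); comments and blank lines dropped."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
        else:
            rules.append(line)
    return macros, rules


def undefined_macros(macros, rules):
    """Macros referenced in rules or in other macro values but never defined."""
    used = set()
    for text in rules + list(macros.values()):
        used.update(MACRO_REF.findall(text))
    return sorted(used - set(macros))


def _scope(rule):
    """(direction, interface) a rule applies to; '*' where it is unrestricted."""
    words = rule.split()
    direction = words[1] if len(words) > 1 and words[1] in ("in", "out") else "*"
    m = re.search(r'\bon\s+(\S+)', rule)
    return direction, (m.group(1) if m else "*")


def _overlaps(a, b):
    """Two scopes overlap unless some field differs and neither side is '*'."""
    return all(x == y or "*" in (x, y) for x, y in zip(a, b))


def _specificity(rule):
    """Number of selector keywords on the rule; 0 means it is a catch-all."""
    return sum(1 for kw in SELECTORS if re.search(r'\b%s\b' % kw, rule))


def overriding_catchalls(rules):
    """Return [(catch_all_rule, [specific rules it overrides]), ...]."""
    findings, seen = [], {}
    for rule in rules:
        if not rule.startswith("match") or not re.search(r'\bqueue\b', rule):
            continue
        scope = _scope(rule)
        if _specificity(rule) == 0:
            overridden = [r for s, rs in seen.items() if _overlaps(s, scope) for r in rs]
            if overridden:
                findings.append((rule, overridden))
        else:
            seen.setdefault(scope, []).append(rule)
    return findings


def lint(conf):
    macros, rules = parse(conf)
    return {"undefined_macros": undefined_macros(macros, rules),
            "overriding_catchalls": overriding_catchalls(rules)}


# Constructed sample with the pitfall: the catch-all comes last, and one macro
# is used without ever being defined.
BAD_CONF = """\
if_wan="pppoe0"
bulk_ports = "{ http, https }"
set skip on lo
match out on $if_wan proto tcp to port $bulk_ports queue (que_low, que_ack)
match out on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)
match out on $if_wan queue (que_def, que_ack)   # overrides both rules above
pass out on $if_wan tagged $egress_tag          # $egress_tag never defined
"""

# Same ruleset with the catch-all first, so the specific assignments win.
GOOD_CONF = """\
if_wan="pppoe0"
bulk_ports = "{ http, https }"
egress_tag="external"
match out on $if_wan queue (que_def, que_ack)
match out on $if_wan proto tcp to port $bulk_ports queue (que_low, que_ack)
match out on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)
pass out on $if_wan tagged $egress_tag
"""

if __name__ == "__main__":
    for name, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        report = lint(conf)
        print(name, "undefined macros:", report["undefined_macros"])
        for rule, overridden in report["overriding_catchalls"]:
            print(name, "catch-all overrides %d earlier rule(s): %s" % (len(overridden), rule))
```

Run it against a real file with `lint(open("/etc/pf.conf").read())`; a clean report plus a clean `pfctl -nf /etc/pf.conf` is the gate before `pfctl -f`. The scope check is deliberately coarse (an interface list such as `{ vr0 vr2 }` is treated as one token, and `all` or a missing `on` is treated as matching every interface), which errs toward reporting a catch-all rather than missing one.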