The pass keyword on a redirection rule does go through stateful processing (keep state), but translation occurs before filtering is applied. The filter rules apply to translated packets.
l saw at least one problem with SchippStrich's latest "pass out" rule:
- The "from" address is the xl0 NIC, but the from address will be on the Internet, not the originating IP address of xl0. This rule will never match.
I recommend following the guidance in the PF User's Guide -- in the Traffic Redirection chapter, there is a section called Redirection and Packet Filtering, showing the packets before and after translation.
Debugging is certainly warranted, using tcpdump(8), pflog(4), pflogd(8). Without this, SchippStrich will continue guessing.