Hey, old thread, I know. But it's mine and I wanted to make sure there was a solution posted. I didn't have the need for this right after posting, but did again recently, and I followed the advice here to tag the packets. Now that the new 4.7 pf.conf syntax is more well known, I wanted to know if this is still the best method for achieving what I want, which is basically blocking traffic between subnets. In my case, a guest network blocked from seeing the office network.
Code:
pass quick on $pubwi_if all tag PUBLIC
block quick on $int_if tagged PUBLIC
Is this sane?
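The two rules above placed in a fuller ruleset, as an added example that is not part of the original post. The interface names, the default-deny rule and the extra block on the firewall's own office-side address are assumptions made for illustration.

```pf
# Constructed macros: the interface names are assumptions, not from the post.
ext_if   = "em0"    # uplink
int_if   = "em1"    # office network
pubwi_if = "em2"    # guest network

set skip on lo
block log all       # default deny; rules below open what is needed

# Packets addressed to the firewall's own office-side address never leave
# through $int_if, so the tagged block further down does not see them.
# Drop them on the way in, before the quick pass can match.
block in quick on $pubwi_if to ($int_if)

# Tag everything arriving from the guest network. The tag stays with the
# packet when it is evaluated again on the outbound interface.
pass in quick on $pubwi_if tag PUBLIC

# A tagged packet about to leave toward the office network is dropped.
block out quick on $int_if tagged PUBLIC

# Office clients and outbound traffic on the uplink (NAT omitted here).
pass in  on $int_if
pass out on $ext_if
```

Giving each rule an explicit direction keeps the tag off packets leaving through `$pubwi_if`, which the post's direction-less `pass quick on $pubwi_if` would also match. `pfctl -nf /etc/pf.conf` parses the file without loading it.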