I do not clearly understand how the three rules you added for inter-LAN communication affected your egress traffic. They shouldn't. Perhaps I've misunderstood.
This may be review, but please keep in mind that whether you use standard or quick rules, position within the ruleset matters. In your case, whenever your quick rules are tested -- to establish a new stateful session, or for stateless traffic -- rule inspection stops on the first match and the block or pass is applied. So perhaps the position of your three added rules affected function.
It will probably take me until the weekend before I have time to recreate your environment and test your rules with three networks. Meanwhile, you might consider adding the log option to all of your pass and block rules, so that you can inspect the behavior of your ruleset with your traffic, using tcpdump(8) and the pflog(4) interface. For example:

    # tcpdump -neti pflog0 action block

will show you which block rule is blocking current traffic, by rule number. Numbers can be mapped to rules with

    # pfctl -vvsr
Perhaps someone else will provide additional input for you, prior to the weekend.
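As an added illustration of the point about rule position (this is not part of the reply above and not pf's own code), here is a small Python model of how pf evaluates a ruleset: the last matching rule wins, except that a matching rule marked quick ends evaluation immediately. The three-network layout (LAN1 on em1, LAN2 on em2, an egress packet to an outside address) and the rule texts are constructed for the example; the @N numbering and the pflog-style line only approximate what pfctl -vvsr and tcpdump on pflog0 print.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN1 = "10.1.0.0/24"   # constructed: network behind em1
LAN2 = "10.2.0.0/24"   # constructed: network behind em2


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" relative to the firewall
    iface: str       # interface the packet is seen on
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"             # CIDR or "any"
    iface: Optional[str] = None  # None matches any interface
    quick: bool = False
    log: bool = False

    @staticmethod
    def _net_match(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and (self.iface is None or self.iface == pkt.iface)
                and self._net_match(self.src, pkt.src)
                and self._net_match(self.dst, pkt.dst))

    def text(self) -> str:
        """Render roughly the way pfctl -sr prints a rule (approximation)."""
        parts = [self.action, self.direction]
        if self.quick:
            parts.append("quick")
        if self.log:
            parts.append("log")
        if self.iface:
            parts += ["on", self.iface]
        parts += ["from", self.src, "to", self.dst]
        return " ".join(parts)


def evaluate(rules, pkt: Packet):
    """pf semantics: last match wins unless a matching rule is quick, which
    stops evaluation at once.  Returns (verdict, winning rule number or None)."""
    verdict, winner = "pass", None       # implicit default pass if nothing matches
    for n, rule in enumerate(rules):
        if rule.matches(pkt):
            verdict, winner = rule.action, n
            if rule.quick:
                break
    return verdict, winner


def pflog_line(rules, pkt: Packet):
    """Approximate the 'rule N/(match) ...' line tcpdump shows on pflog0 for a
    logged rule; returns None when the winning rule carries no log option."""
    verdict, n = evaluate(rules, pkt)
    if n is None or not rules[n].log:
        return None
    return f"rule {n}/(match) {verdict} {pkt.direction} on {pkt.iface}: {pkt.src} > {pkt.dst}"


def numbered(rules) -> str:
    """List rules with the @N numbers that pfctl -vvsr uses to identify them."""
    return "\n".join(f"@{n} {r.text()}" for n, r in enumerate(rules))


# Constructed base ruleset: default deny, each LAN may go anywhere.
BASE = [
    Rule("block", "in", log=True),
    Rule("pass", "in", src=LAN1, iface="em1", log=True),
    Rule("pass", "in", src=LAN2, iface="em2", log=True),
]
# Constructed inter-LAN rules: block LAN1<->LAN2, but let LAN2 reach one LAN1 host.
BLOCK_1_TO_2 = Rule("block", "in", src=LAN1, dst=LAN2, iface="em1", quick=True, log=True)
BLOCK_2_TO_1 = Rule("block", "in", src=LAN2, dst=LAN1, iface="em2", quick=True, log=True)
ALLOW_2_TO_SRV = Rule("pass", "in", src=LAN2, dst="10.1.0.10/32", iface="em2", quick=True, log=True)

# Same three rules, two orders: the exception only works if it comes first.
ORDER_GOOD = BASE + [ALLOW_2_TO_SRV, BLOCK_1_TO_2, BLOCK_2_TO_1]
ORDER_BAD = BASE + [BLOCK_1_TO_2, BLOCK_2_TO_1, ALLOW_2_TO_SRV]

EGRESS = Packet("in", "em1", "10.1.0.5", "203.0.113.1")      # LAN1 host to the outside
LAN2_TO_SRV = Packet("in", "em2", "10.2.0.5", "10.1.0.10")   # LAN2 host to the allowed server
LAN1_TO_LAN2 = Packet("in", "em1", "10.1.0.5", "10.2.0.7")   # should be blocked either way

if __name__ == "__main__":
    for name, rules in (("good order", ORDER_GOOD), ("bad order", ORDER_BAD)):
        print(f"--- {name} ---")
        print(numbered(rules))
        for pkt in (EGRESS, LAN2_TO_SRV, LAN1_TO_LAN2):
            print(evaluate(rules, pkt), pflog_line(rules, pkt))
```

Running it shows that the egress packet is passed by rule @1 under both orders (the inter-LAN rules never match it), while the LAN2-to-server packet is passed by @3 in the first order and blocked by the quick rule @4 in the second, which is exactly the kind of thing the logged rule number on pflog0, mapped back through the @N list, makes visible.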