I will hazard a guess that it is the use of match that is the problem. From pf.conf(5):

Code:
    match
        The packet is matched. This mechanism is used to provide fine
        grained filtering without altering the block/pass state of a
        packet. match rules differ from block and pass rules in that
        parameters are set every time a packet matches the rule, not only
        on the last matching rule. For the following parameters, this
        means that the parameter effectively becomes ``sticky'' until
        explicitly overridden: nat-to, binat-to, rdr-to, queue, rtable, and
        scrub.

It is on pass where you can apply last-matching-rule-wins.
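To show the distinction the post is drawing, here is a small pf.conf fragment added as an illustration (it is not from the original post or from the pf documentation). The interface name, address range and port are assumed placeholders; the point is that parameters set by match rules stay attached to the packet, while among block/pass rules the last matching one decides the verdict unless quick short-circuits evaluation.

```pf
# Added illustration, not from the original post. Interface and addresses are placeholders.
ext_if  = "em0"
lan_net = "192.0.2.0/24"

# match rules: parameters are applied every time the rule matches and remain
# "sticky" for the packet no matter which pass/block rule wins afterwards.
match in all scrub (no-df random-id)
match out on $ext_if from $lan_net nat-to ($ext_if)

# block/pass rules: last matching rule wins.
block log all

# Generic pass: the nat-to set by the match rule above still applies here.
pass out on $ext_if from $lan_net to any

# A later, more specific pass for SMTP overrides the generic one for that traffic
# (last match wins); it does NOT cancel the sticky nat-to from the match rule.
pass out on $ext_if proto tcp from $lan_net to any port 25 keep state

# quick stops evaluation at this rule, so no later rule can override the verdict.
block out quick on $ext_if proto tcp from $lan_net to any port 23
```

To check the file before loading it, `pfctl -nf /etc/pf.conf` parses without applying, and `pfctl -vnf /etc/pf.conf` prints the rules as pf will interpret them; `pfctl -s rules` shows the loaded ruleset so you can confirm which match and pass rules actually exist and in what order.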