The external NIC of your server has IP address 10.0.0.2, which is in your
$nonroute macro, and thus gets blocked. To check if this is true, add the following "log" modifiers.
Code:
block log all
....
block drop in log quick on $if_ext from $nonroute to any
block drop out log quick on $if_ext from any to $nonroute
As root run
Code:
tcpdump -eni pflog0
and you will see all blocked packets of your ruleset.
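
The check described above can also be done offline against the ruleset text. The following is an added example, not part of the original post: it parses a pf macro and reports which of its networks contain a given interface address. The contents of `nonroute`, the interface name `em0` and the address 203.0.113.7 are assumptions, since the post does not show them.

```python
import ipaddress
import re

# Constructed pf.conf fragment. The macro contents and the interface name
# are assumptions; the original post does not show how $nonroute is defined.
SAMPLE_PF_CONF = '''
if_ext = "em0"
nonroute = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
block log all
block drop in log quick on $if_ext from $nonroute to any
block drop out log quick on $if_ext from any to $nonroute
'''


def parse_macro(conf_text, name):
    """Return the networks listed in a pf macro of the form name = "{ a, b }"."""
    pattern = rf'^\s*{re.escape(name)}\s*=\s*"([^"]*)"'
    match = re.search(pattern, conf_text, re.MULTILINE)
    if match is None:
        raise KeyError(f"macro {name!r} not found")
    # pf lists may be separated by commas and/or whitespace inside braces.
    items = re.split(r"[\s,{}]+", match.group(1))
    return [ipaddress.ip_network(item, strict=False) for item in items if item]


def matching_networks(address, networks):
    """Return every network in the macro that contains the given address."""
    addr = ipaddress.ip_address(address)
    return [n for n in networks if n.version == addr.version and addr in n]


def explain(address, conf_text=SAMPLE_PF_CONF, macro="nonroute"):
    """Build a one-line verdict for an interface address."""
    hits = matching_networks(address, parse_macro(conf_text, macro))
    if hits:
        nets = ", ".join(str(n) for n in hits)
        return f"{address} is inside ${macro} ({nets}): the quick block rules match it"
    return f"{address} is not inside ${macro}"


if __name__ == "__main__":
    # 10.0.0.2 is the external NIC address from the post;
    # 203.0.113.7 is a constructed public (documentation-range) address.
    for ip in ("10.0.0.2", "203.0.113.7"):
        print(explain(ip))
```

If the address is reported as inside the macro, the pflog0 capture should show the matching `block` entries for traffic to and from that interface.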