A block log (all) logs all blocked packets to pflog0. That is why I insist on having that rule in your pf.conf.
A tcpdump on your wlan rum0 interface will only show the packets that arrive on that interface. That does not mean that pf will let them pass.
The only proof that the packet will pass out on your external interface is seeing it go out in the tcpdump -eni $EXT xterm.
If the packet is blocked by pf, we will, because of that "block log (all)" rule, see it in the tcpdump -eni pflog0 xterm.
If we don't see a packet meant to leave through the external interface, it either will have been blocked by pf, and be visible on pflog0, or the router doesn't know how to route it.
That is how we cover all possible routes (pun intended).
BTW, if you give the IP addresses manually, you also have to give them the default route and tell them which name servers to use.