Thanks for (trying to) reproduce my setup, and sorry for the late answer – I had to replace my notebook, which broke last week.
I was aware that those three lines that I posted separately are bogus. Your note about not being able to connect from WiFi to LAN is in my case not a bug but rather intended behaviour. However, I am wondering why you were able to connect to the internet from the lan and wlan interfaces while for me it was denied. Before replying to your post, I spent a little time simplifying the rules:
Code:
....
pass out quick on $if_wan queue (que_def, que_ack)
# lan:network -> lan:ssh
pass in log quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh
# wlan:network -> wlan:dhcp
pass in quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68
#**********************************************************
# block any -> lan
block in quick to $if_lan:network
# block wlan -> wlan
block in quick from $if_wlan:network to $if_wlan:network
# pass lan -> any
pass in quick on $if_lan from $if_lan:network
# pass dmz -> any
pass in quick on $if_wlan from $if_wlan:network
EOF
These rules seem to work (and I could live with them), but to clarify my initial motivation on this topic: is there a way to rewrite the excerpted rules without the two 'block' statements, using instead a working line à la
Code:
pass in quick on $if_lan from $if_lan:network to ($if_wan)
As I stated in the beginning, I didn't manage to write such a rule that allows me to use the internet from if_lan / if_wlan.
Thank you for your patience and guidance.
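The following is an added example, not part of the original thread and not the poster's rule set, showing one way to express the same policy without the two catch-all "block" rules. The reason a rule of the form "pass in ... to ($if_wan)" never granted internet access is that in pf "($if_wan)" expands (dynamically) to the WAN interface's own addresses, so it matches only packets addressed to the firewall itself; internet-bound packets carry arbitrary destinations. The usual way to say "to the internet" is therefore "to anything that is not one of my local networks", which a negated table expresses directly. Interface names, addresses and the table name are assumptions; the DHCP rule is written on ports rather than on $if_wlan:network because the initial DHCPDISCOVER is sent from 0.0.0.0 to 255.255.255.255 and so would not match a "from $if_wlan:network to $if_wlan" rule (only renewals would).

```pf
# Added example (not from the original post). Interface names and prefixes
# are assumptions; substitute your own.
if_wan  = "em0"
if_lan  = "em1"
if_wlan = "athn0"

# Every directly attached network. Traffic *into* these is what must stay
# separated; everything else is "the internet". (Assumed addressing.)
table <local_nets> { 192.168.1.0/24 192.168.2.0/24 }

set skip on lo0
block log all

# wlan -> firewall: DHCP only. DISCOVER comes from 0.0.0.0:68 to
# 255.255.255.255:67, so match on the ports, not on the client network.
pass in quick on $if_wlan inet proto udp from any port 68 to any port 67

# lan:network -> firewall: ssh only (as in the original set)
pass in log quick on $if_lan inet proto tcp from $if_lan:network to $if_lan port ssh

# lan and wlan -> internet: any destination that is NOT a local network.
# This replaces "block in quick to $if_lan:network" and
# "block in quick from $if_wlan:network to $if_wlan:network".
pass in quick on $if_lan  inet from $if_lan:network  to !<local_nets>
pass in quick on $if_wlan inet from $if_wlan:network to !<local_nets>

# Forwarded packets leave on WAN; the state created by the "pass in" rules
# above lets the replies back in without further rules. NAT/queue
# statements from the original set are omitted here.
pass out quick on $if_wan inet
```

Rule order still matters because every rule is "quick": the DHCP and ssh exceptions must precede the two "to !<local_nets>" rules, since those deny everything aimed at a local address (including the firewall's own LAN/WLAN addresses). Check the file with pfctl -nf /etc/pf.conf before loading, and use pfctl -vsr afterwards to see per-rule evaluation and match counters, which is the quickest way to tell which rule is actually catching a client's packets.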