Old 6th February 2022
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,782

Welcome back! It's been a long time.

I think that your antispoof rule is the problem, because it isn't designed for use with a bridge, it's designed for a single NIC per subnet. If you use # pfctl -sr you will see that the expansion of `antispoof for $lan` -- $lan = vether0 -- expands to something like this:
     block drop in on ! vether0 inet from to any
     block drop in inet from to any
The pf.conf(5) man page states:
     The antispoof directive expands to a set of filter rules which will block
     all traffic with a source IP from the network(s) directly connected to
     the specified interface(s) from entering the system through any other
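The following pf.conf fragment is an added illustration, not part of the post above and not jggimi's or OpenBSD's own configuration. It writes out by hand the two rules that `antispoof for $lan` expands to, so the interaction with a bridge is visible. The interface names `em0` and `bridge0`, the subnet `192.0.2.0/24` and the placement of `vether0` and `em0` in the same bridge are assumptions chosen for the illustration.

```pf
# Assumed topology (constructed for this example):
#   bridge0 has two members: vether0 (the host's own LAN address lives here)
#   and em0 (the physical NIC that the LAN hosts are actually plugged into).
lan = "vether0"
lan_net = "192.0.2.0/24"   # assumed LAN subnet

# What "antispoof for $lan" expands to, written out explicitly.
# Rule 1: any packet with a LAN source address that arrives on an interface
#         other than vether0 is dropped.  With a bridge, LAN hosts' packets
#         enter the system on em0 first, so this rule drops legitimate
#         LAN traffic, which is the problem described in the post.
block drop in on ! $lan inet from $lan_net to any

# Rule 2: packets claiming the host's own vether0 address as source are
#         dropped on every interface (a host never receives its own
#         address as a source from the wire).
block drop in inet from ($lan) to any

# To inspect the expansion pf actually produced on a live system, load the
# ruleset and list it:
#   pfctl -f /etc/pf.conf && pfctl -sr
```

Reading the first expanded rule against the bridge layout is the check to make: `in on ! vether0` matches the bridge member interface the LAN hosts are physically attached to, so the antispoof rule behaves as a block on the LAN rather than as protection against spoofed sources. The single-NIC-per-subnet assumption the post mentions is exactly the `! $lan` part.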