pf on a bhyve host

From: tech-lists <tech-lists_at_zyxst.net>
Date: Sun, 31 Oct 2021 12:48:48 UTC
Hello pf@

(the context is a 12.2-p10 host and various bhyve guests)

What's the best way to have pf protect the host (on igb0) but 
leave the traffic for the tap devices unexamined? It seems, for example

set skip on $tap_ifs

where $tap_ifs is a macro containing four tap devices, doesn't do what's 
needed. In this context, igb0 is bridged with the tap devices. Traffic 
still gets hit by pf block rules on the host despite being for the vm
behind the tap device(s).

Is a different approach needed? Do I need to use vlans? The bhyve guests
need to have real routable IPs and both the host and the guests are on
the same subnet. The desired outcome was previously achieved with a
hardware firewall in front of the bhyve host. I'm not sure if this is
possible with freebsd's pf. Maybe it is with openbsd's? I understand
that we have pci passthru with bhyve+openbsd guests now.

thanks,
-- 
J.
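For the bridged-tap layout described in the message, the following host configuration is an added example, not something from the original post or a reply; it assumes the bridge is bridge0, the host address lives on igb0, and the guests sit behind tap0 through tap3. It uses the if_bridge(4) sysctls net.link.bridge.pfil_member and net.link.bridge.pfil_bridge, which decide whether bridged frames are handed to pf at all, because `set skip` on the taps only exempts the tap side of each frame's path.

```pf
# /etc/sysctl.conf (host) -- keep pf away from bridged frames entirely.
# With the if_bridge(4) defaults (both = 1) a frame from a guest enters on a
# skipped tap, is bridged, and is then filtered again as it leaves via the
# member igb0, so the host's block rules on igb0 match guest traffic too.
# Setting both to 0 means the bridge never calls pfil for forwarded frames;
# the host's own IP traffic still passes through pf on igb0 as usual.
net.link.bridge.pfil_member=0   # no filtering on member ifaces (igb0, tap*)
net.link.bridge.pfil_bridge=0   # no filtering on the bridge iface itself

# /etc/pf.conf (host) -- only the host's own stack is inspected now.
# Assumed names (adjust to the real ones): igb0 carries the host address
# and is a member of bridge0 together with tap0..tap3.
ext_if  = "igb0"
tap_ifs = "{ tap0 tap1 tap2 tap3 }"
host_tcp_services = "{ ssh }"

set skip on lo0
set skip on $tap_ifs      # harmless belt-and-braces; see sysctls above
set skip on bridge0

scrub in on $ext_if all fragment reassemble

# Default-deny for traffic to the host itself. Guest frames do not reach
# these rules, so the guests are entirely unprotected by this pf instance
# (which is the stated goal: the guests run their own firewalls).
block in log on $ext_if all
pass out quick on $ext_if all keep state
pass in on $ext_if proto tcp to ($ext_if) port $host_tcp_services keep state
pass in on $ext_if inet proto icmp to ($ext_if) icmp-type echoreq keep state
```

After a reboot (or `service sysctl restart` and `pfctl -f /etc/pf.conf`), confirm the knobs with `sysctl net.link.bridge` and the loaded ruleset with `pfctl -s rules`; a guest's inbound connection should then no longer appear in `pfctl -s states` on the host.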