Hi,

> You need to use reply-to when a packet comes in on the second interface:
> pass in on $UntrustInterface2 reply-to ($UntrustInterface2 $NextHop2) keep state
>
> That should get you working, then apply filtering as desired.

Thanks, it started to work as soon as I added that line to pf.conf!

Best regards.
Nejc