PF TAGged jail traffic fails pass rule on egress

[Beeblebrox]

Ian - thanks for the answer.

I already have pflog enabled on wan0 (egress), but nothing of value there.

After your ide re " no actual packets on lo2" I ran tcpdump on that interface; indeed no traffic shows up.
I moved the jails to a new vlan1 with /24 subnet, with x.x.0.1 empty and jails starting from x.x.0.2/32. This obviously facilitates NAT from pf in that NAT is now not needed for inter-jail communication.
However, nothing changes for the greater problem of packet tagging as "tcpdump -i vlan1" shows no packet traversal as was the case on lo2. I also realised that since pf.conf has:

nat on wan0 from !(wan0) to any -> wan0

Attempts to tag packets post-nat is useless because source-ip (jail) has been replaced by the ip of wan0. This seems to leave me with limited choices
1. NAT & TAG each jail separately (ie: nat pass on wan0 from $jdns to any tag TD -> wan0)
2. Use a single tag for all packets leaving vlan1 so as to simplify the nat rules

Neither which offers a satisfactory configuration because of other complications each solution causes. As reminder: Ultimate goal is to allow only pre-defined port traffic per jail. I can't find a simpler way than TAGGING to accomplish this.

PS I've also found that the OpenBSD syntax "!(tagged  )" is not recognised on FreeBSD...

Thanks & Regards

-- 
FreeBSD_amd64_11-Stable_RadeonKMS
Please CC my email when responding, mail from list is not delivered.