Glad to hear that you have solved the problem
> as you may notice I added the ping and the dns to the ruleset since > this was blocked in the original set of rules. You can allow outgoind dns with one single rule: pass out on $ext_if inet proto { tcp, udp } from $ext_if \ to any port domain keep state > ... > pass on hvn0 inet proto icmp all icmp-type echoreq just to be curious: what is the effect of "on" in your rules "pass on ..." As to pf.conf(5) there are only "in" or "out"