Greetings, Thanks so much to Zeloff and Stuart Henderson; I managed to solve the problem.
> Standard PF diagnosis tools are to add "log" to various rules, or add > "match log(matches)" to the top of the ruleset, and tcpdump -nei pflog0, > but N.B. due to a bug in (iirc) 7.3 to 7.5 the rule numbers printed by > tcpdump will be wrong if you have any anchors in the ruleset - that's > fixed in -current. After logging all icmp packets and running tcpdump on pflog0, I realized that packet filter was filtering R5's packets on the veb35 interface. The problem I made was setting the veb interfaces to link1. This caused packet filter to filter them really early in some way I didn't expect. Once I remove link1 from the veb interfaces, NAT works just fine now. So it was my configuration error, thanks again. -- jrmu IRCNow (https://ircnow.org)