Your rule set is too large for me to debug without actually running it.

But you can debug it step by step yourself:

All your rules use 'quick', and you say the packets get blocked by the
last two 'block' rules. That means the packets don't match a 'pass' rule
that you expect them to match.

You'll have to go through all connections that don't work and follow the
same procedure; I'll just show it for the example you gave.

When you ping 192.168.3.250 64 from the firewall, what interface do
these pings get routed through? It's not clear from your pf.conf, but
it might be dc1.

What source IP address is the firewall using for the pings to
192.168.3.250? You can run tcpdump on the interface they pass out
through to find out, if it's not clear from ifconfig output.

So, now you know what interface the pings should go out through and what
source and destination address they have.

Now go through all your 'pass on dc1' rules, manually. You assume one of
them should match these pings, but none of them does. That's why the
final 'block' rules are the first and last matching rules.

Maybe you forgot to allow a source or destination address on that
interface, or a protocol, etc.

I'd start with pinging hosts in all networks from the firewall, until
that works. Then ping hosts across networks, in all combinations.

Daniel

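The manual walk-through Daniel describes (take one packet, check it against every rule on the interface, and see which rule ends up deciding) can be modelled in a few lines. The following Python script is an added example; it is not part of Daniel's reply, nor of pf itself, and it implements only a small subset of pf syntax (pass/block, quick, on, proto, from, to). The rule set, the interface address 192.168.3.1 assumed for dc1, and the ping packet are constructed to mirror the situation in the thread: every rule is `quick`, so the first matching rule wins; without `quick`, pf's usual last-match-wins applies.

```python
"""Toy model of pf rule evaluation (added example, not pf's own code).

pf semantics modelled here: rules are evaluated top to bottom; the LAST
matching rule decides, except that a matching rule marked 'quick' stops
evaluation immediately. If no rule matches at all, pf passes the packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    quick: bool
    iface: Optional[str]              # None = any interface
    proto: Optional[str]              # None = any protocol
    src: Optional[ipaddress.IPv4Network]   # None = "any"
    dst: Optional[ipaddress.IPv4Network]   # None = "any"
    text: str                         # original rule line, for reporting


@dataclass
class Packet:
    iface: str   # interface the packet is routed out through
    proto: str
    src: str
    dst: str


def _net(token: str):
    """'any' matches everything; otherwise a host or CIDR network."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    action = tokens[0]
    if action not in ("pass", "block"):
        raise ValueError(f"unsupported action in: {line}")
    quick = False
    iface = proto = src = dst = None
    i = 1
    while i < len(tokens):
        t = tokens[i]
        if t == "quick":
            quick = True
            i += 1
        elif t == "on":
            iface = tokens[i + 1]
            i += 2
        elif t == "proto":
            proto = tokens[i + 1]
            i += 2
        elif t == "from":
            src = _net(tokens[i + 1])
            i += 2
        elif t == "to":
            dst = _net(tokens[i + 1])
            i += 2
        elif t in ("in", "out", "log", "all", "return"):
            i += 1   # direction, log and return are ignored in this model
        else:
            raise ValueError(f"unsupported keyword {t!r} in: {line}")
    return Rule(action, quick, iface, proto, src, dst, line)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return True


def walk(rules: List[Rule], pkt: Packet) -> List[Tuple[str, bool]]:
    """The manual check: every rule paired with whether it matches the packet."""
    return [(r.text, matches(r, pkt)) for r in rules]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, text of the deciding rule); default pass if nothing matches."""
    last = None
    for r in rules:
        if matches(r, pkt):
            last = r
            if r.quick:
                break
    return ("pass", None) if last is None else (last.action, last.text)


# Constructed rule set in the style of the thread: every rule is 'quick',
# the pass rules only cover 192.168.1.0/24, and two block rules close the set.
RULESET = [parse_rule(l) for l in """
pass quick on dc1 proto tcp from 192.168.1.0/24 to any
pass quick on dc1 proto icmp from 192.168.1.0/24 to any
block quick on dc1 all
block log all
""".strip().splitlines()]

# Assumed: the ping to 192.168.3.250 leaves via dc1 with source 192.168.3.1.
PING = Packet(iface="dc1", proto="icmp", src="192.168.3.1", dst="192.168.3.250")

# The fix the walk-through points to: a pass rule for that source/destination,
# placed before the 'block quick on dc1' rule.
FIXED = RULESET[:2] + [parse_rule(
    "pass quick on dc1 proto icmp from 192.168.3.1 to 192.168.3.0/24")] + RULESET[2:]

if __name__ == "__main__":
    for text, hit in walk(RULESET, PING):
        print(("MATCH   " if hit else "no match"), text)
    print("verdict:", evaluate(RULESET, PING))
    print("after fix:", evaluate(FIXED, PING))
```

Running it shows that neither `pass` rule matches the ping (wrong source network), so `block quick on dc1 all` is both the first and the last rule that matches, exactly the symptom in the thread; inserting a pass rule that covers the firewall's own source address changes the verdict to pass.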