I am only replying to this in the interest of closure since I am already part of this thread, but disclaimer: here is some tough love.
You need to stop being lazy and actually understand your network topology, the security/privacy real or contrived (I see you adhere to the whole security by obscurity nonsense with the masking of the last 2 octets of that IPv4 address), and pf. Besides your first attempt at "magically" fixing your problem, which was doomed to fail for the reasons I gave, you are now asking for people to guess what rules you need. Do you "really need to block 'martians'"? Seriously? Ignoring the philosophical trap of what you mean by "need", do you even know what a "martian" is; and if not, then why are you blindly blocking them? If you don't know what you are doing, then just don't do it. I don't even know what a "martian" is other than an alien thing from outer space.
In the interest of providing a modicum of constructive criticism as opposed to just criticism, here you go: https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml and https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml. Not sure if that is what "martians" refer to, but your "martians" appear to be a proper subset of what is listed there or at least close. With that information, seek out what those blocks mean and decide based on your topology and security/privacy needs if you should block them. Should I block 192.168.3.2 on my laptop? What about ingress traffic from 2343:24ad:afde:8224::23 destined to UDP port 764 on my VPS? Those are obviously rhetorical questions as only I know (or at least _should_ know) what my network topology is like, what services I run, to whom I want to serve, etc.
You clearly blindly copied and pasted some rules you found without knowing what they do or why you are doing it, as evidenced by the rather embarrassing blocking of your DHCP server. If you are going to be lazy and just want stuff to magically work, then disable pf. Bam. Don't need to worry about anything.
If you plan to block stuff though, then actually learn about what you are blocking and why. Here is a tiny olive branch: I would allow all egress traffic from your VPS since that is within _my_ wheel of trust. If my VPS is trying to talk to an IP, then either it is already compromised or at least running software it shouldn't, at which point I have bigger problems; or it needs to. Does that "magical" rule apply to you? I don't know, and it sounds like you don't either. Even if it does, you will still need to decide if you want to allow other IPs to send traffic; but that requires you to learn more about your topology, pf, and security/privacy needs.
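
As an added example (not part of the post above, and not anyone's actual ruleset): one way to check a candidate block table against the addresses a host depends on before loading it, which is the failure mode of the blocked DHCP server. The table is a constructed subset of the IANA special-purpose registries linked above; the dependency names and addresses are assumptions made up for illustration.

```python
import ipaddress

# Constructed sample: a subset of the IANA IPv4/IPv6 special-purpose registries,
# the kind of list that gets pasted into a firewall table as "martians".
BLOCK_TABLE = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "fc00::/7", "fe80::/10", "2001:db8::/32",
]

# Constructed sample: addresses this (hypothetical) host must be able to reach.
DEPENDENCIES = {
    "dhcp server": "10.255.255.1",        # provider DHCP on a private range
    "dhcp broadcast": "255.255.255.255",  # destination of DHCP discover/request
    "ipv6 gateway": "fe80::1",            # link-local default router
    "dns resolver": "9.9.9.9",            # public resolver
}


def conflicts(block_table, dependencies):
    """Return {dependency name: [blocking prefixes]} for every dependency
    whose address falls inside a prefix of the block table."""
    nets = [ipaddress.ip_network(prefix) for prefix in block_table]
    hits = {}
    for name, addr in dependencies.items():
        ip = ipaddress.ip_address(addr)
        # Only compare addresses and prefixes of the same IP version.
        matched = [str(n) for n in nets if n.version == ip.version and ip in n]
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    found = conflicts(BLOCK_TABLE, DEPENDENCIES)
    for name, prefixes in found.items():
        print(f"{name} ({DEPENDENCIES[name]}) is covered by {', '.join(prefixes)}")
    if not found:
        print("no dependency is covered by the block table")
```
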