pf.conf

r1% cat /etc/pf.conf 
lo_if="lo0"
int_if="vlan11"
ext_if="tun0"
localnet=$int_if:network:0

# Options
set fingerprints "/etc/pf.os"
set block-policy return
set debug urgent
set ruleset-optimization basic
set skip on $lo_if
set loginterface none

scrub in all

nat on $int_if from $localnet to mail.lan port 993 -> 192.168.0.254
nat on $int_if from $localnet to mail.lan port 143 -> 192.168.0.254
nat on $int_if from $localnet to haproxy1.lan port { 80, 443 } -> 192.168.0.254
nat on $ext_if from $localnet to any -> ($ext_if)

rdr pass on $ext_if proto tcp from !$localnet to any port 993 -> mail.lan port 993
rdr pass on $ext_if proto tcp from !$localnet to any port 143 -> mail.lan port 143
rdr pass on $int_if proto tcp from $localnet to 192.168.0.254 port 993 -> mail.lan port 993
rdr pass on $int_if proto tcp from $localnet to 192.168.0.254 port 143 -> mail.lan port 143
rdr pass on $int_if proto tcp from $localnet to 192.168.0.254 port 80 -> haproxy1.lan port 80
rdr pass on $int_if proto tcp from $localnet to 192.168.0.254 port 443 -> haproxy1.lan port 443
rdr pass on $int_if proto tcp from $localnet to ($ext_if) port 80 -> haproxy1.lan port 80
rdr pass on $ext_if proto tcp from !$localnet to ($ext_if) port 80 -> haproxy1.lan port 80
rdr pass on $ext_if proto tcp from !$localnet to ($ext_if) port 443 -> haproxy1.lan port 443
#rdr pass on $ext_if proto tcp from any to any port 443 -> haproxy1.lan port 443

anchor "blacklistd/*" in on $ext_if

block log all

antispoof log quick for $int_if
antispoof log quick for $ext_if

pass in proto icmp
pass quick on vlan12 proto pfsync keep state (no-sync)
pass quick on vlan11 proto carp keep state (no-sync)

pass in on $int_if from any to any
pass in on $ext_if inet proto tcp from any to any port { https, imaps, ssh }

pass out all