Freebsd: o firewall pf não funciona na reinicialização

Estou executando o FreeBSD 10.3 p4 e observei um comportamento estranho

Ao reiniciar a máquina, o pf inicia devido a /etc/rc.conf entry

# JAILS
cloned_interfaces="${cloned_interfaces} lo1"
gateway_enable="YES"
ipv6_gateway_enable="YES"

# OPENVPN -> jails
cloned_interfaces="${cloned_interfaces} tun0"

# FIREWALL
pf_enable="YES"
pf_rules="/etc/pf.conf"
fail2ban_enable="YES"

# ... other services ...

# load ezjail
ezjail_enable="YES"

mas ignora todas as regras relativas às cadeias. Então eu tenho que recarregar as regras manualmente para começar por

sudo pfctl -f /etc/pf.conf

Meu pf.conf lê:

#external interface
ext_if = "bge0"
myserver_v4 = "xxx.xxx.xxx.xxx"

# internal interfaces
set skip on lo0
set skip on lo1

# nat all jails
jails_net = "127.0.1.1/24"
nat on $ext_if inet from $jails_net to any -> $ext_if

# nat and redirect openvpn
vpn_if = "tun0"
vpn_jail = "127.0.1.2"
vpn_ports = "{8080}"
vpn_proto = "{tcp}"
vpn_network = "10.8.0.0/24"
vpn_network_v6 = "fe80:dead:beef::1/64"
nat on $ext_if inet from $vpn_network to any -> $ext_if
rdr pass on $ext_if proto $vpn_proto from any to $myserver_v4 port $vpn_ports -> $vpn_jail

# nsupdate jail
nsupdate_jail="127.0.1.3"
nsupdate_ports="{http, https}"
rdr pass on $ext_if proto {tcp} from any to $myserver_v4 port $nsupdate_ports -> $nsupdate_jail

# ... other yails ...

# block all incoming traffic
#block in

# pass out 
pass out

# block fail2ban
table <fail2ban> persist
block quick proto tcp from <fail2ban> to any port ssh

# ssh
pass in on $ext_if proto tcp from any to any port ssh keep state

Eu tive que desativar o bloqueio de todo o tráfego de entrada, pois o ssh via ipv6 parou de funcionar.

Alguma sugestão de como corrigir o problema?