> I was to avoid going into each tap-out device then -g PVEFW-SET-ACCEPT- > MARK. > go directly to vmbr-OUT Sorry, I do not understand why that is required. Maybe this is only an optimization? If so, please can we optimize later (after doing benchmarks)?