PF TAGged jail traffic fails pass rule on egress

Beeblebrox zaphod at berentweb.com
Wed Dec 7 14:10:33 UTC 2016


Hello,

I have a PF problem with TAG evaluation and am completely stumped. It should be very straightforward, but it's not working. Here's what I'm trying to do:
* I have several jails on cloned lo2
* Allow only specified port traffic to and from each jail
* Block all out-going traffic at egress interface (wan0) unless allowed (use tags here)

I've tested with a very simplified PF ruleset, with consistent failure:

 nat on wan0 from !(wan0) -> wan0

 ## Filters
 block drop log on wan0 all
 # tested with both combinations below
 block drop log on lo2 all \ # set skip on lo0
 set skip on lo0 \ # block drop log on lo2 all

 ## Jail for Unbound + dns-crypt
 pass in quick on lo2 proto udp from any to <jail-ip> port 53 tag TD
 pass out quick on lo2 proto udp from <jail-ip> to any (or wan0) port {53,443,2053} tag TD

 ## PASSING TAGGED PACKETS ##
 pass out quick on $ExtIf keep state tagged TD

PF blocks outgoing traffic nevertheless. Rule 0 is "block drop log on wan0 all"
15:47:35.270564 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.51977 > 212.47.228.136.443: UDP, length 768
15:47:35.671076 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.56347 > 178.216.201.222.2053: UDP, length 576

I tested a different jail with TCP packets, got same:
16:45:46.411698 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.58367 > 192.168.1.1.80: Flags [S], seq 1720787324, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>

The only thing I can think of is that packets are not being tagged, so the "pass out" rule is not evaluated (pfctl -s state confirms no state for those packets). Is there an issue that packets traversing a cloned lo0 interface cannot be tagged?

Unfortunately tcpdump and similar tools, as I understand it, cannot display the TAG header, so I'm unable to proceed with debugging.
Any ideas?

-- 
FreeBSD_amd64_11-Stable_RadeonKMS
Please CC my email when responding, mail from list is not delivered.
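One way to get the per-jail egress control the post describes, added here as an example and not the poster's own ruleset. It rests on two assumptions about the setup above, both labelled in the comments: first, that a jail's own outbound packets are locally generated and therefore routed straight to wan0, so no rule on lo2 is ever evaluated for them and nothing on lo2 can tag them (the only traffic that actually crosses lo2 is host-to-jail or jail-to-jail traffic); second, that 192.168.1.10 in the pflog lines is wan0's own address, i.e. the nat rule has already rewritten the source by the time the "out on wan0" filter rules run, so a filter rule on wan0 cannot match the jail address either. The fix that keeps the tag-based design is to apply the tag in the nat rule, which is evaluated before the filter rules and still sees the pre-NAT source. The macro names and the jail address 10.0.0.53 are hypothetical.

```pf
# Added example, not the poster's ruleset.
# Assumptions: wan0 is the egress interface and owns 192.168.1.10 (the
# post-NAT source shown in the pflog lines); the Unbound/dnscrypt jail is
# bound to a hypothetical 10.0.0.53 alias on the cloned loopback lo2.
ext_if    = "wan0"
jail_if   = "lo2"
dns_jail  = "10.0.0.53"
dns_ports = "{ 53, 443, 2053 }"

set skip on lo0

# Translation rules use first-match, so the specific, tagging rule must come
# before the catch-all. The nat rule sees the jail's real source address
# (translation happens before filtering) and is evaluated on wan0, which is
# the first and only interface pf sees a jail's outbound packet on: it never
# traverses lo2, so the "pass out on lo2 ... tag TD" rule never fires.
nat on $ext_if proto udp from $dns_jail to any port $dns_ports tag JAIL_DNS -> ($ext_if)
# Everything else leaving the host is still translated, just not tagged,
# so it falls through to the default block below. Repeat the tagging nat
# rule (with its own tag) for each additional jail and port set.
nat on $ext_if from !($ext_if) to any -> ($ext_if)

block drop log on $ext_if all
block drop log on $jail_if all

# Host -> resolver queries are what actually traverse lo2 (out, then in);
# a single stateful rule covers both directions and the replies.
pass on $jail_if proto udp from any to $dns_jail port 53 keep state

# Egress: only packets tagged by the nat rule may leave. Matching on the tag
# rather than the address works whether or not the source has already been
# rewritten to wan0's address at this point.
pass out quick on $ext_if tagged JAIL_DNS keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. Since pflog cannot show tags, use `pfctl -vvsr` instead: it prints per-rule Evaluations/Packets counters, so if the tagging nat rule shows zero packets while the "block drop log on wan0" counter climbs, the packet is not reaching the rule that was supposed to tag it, which is exactly the symptom above.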


More information about the freebsd-pf mailing list