pass proto tcp from $client1 to $mail_servers port $mail_services \
    label "$srcaddr"
pass proto tcp from $client1 to any port $web_services label "$srcaddr"
Accumulate periodically using pfctl -zvsl (the -z resets the counters), feed to a database
Explore the idea: use labels in authpf rules, collect the stats, put $user_ip into tables according to its traffic counter, and move it between ALTQ queues. Doable?
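A sketch of the accumulation step, added here as an example and not taken from the original slides: it parses per-label counter lines and stores each sample in SQLite, summing rules that share a label. The field order follows the "-s labels" description in pfctl(8). The sample lines, the table name label_stats and the function names are constructed for illustration.

```python
import sqlite3

# Counter order after the label, per pfctl(8) "-s labels" (assumed layout);
# newer releases append a state-creation count, which is ignored here.
FIELDS = ("evals", "pkts", "bytes", "pkts_in", "bytes_in", "pkts_out", "bytes_out")

# Constructed samples: two rules sharing one "$srcaddr" label, then a later
# sample in the nine-column layout with a second client.
SAMPLE_1 = """\
192.0.2.10 120 40 5200 18 1800 22 3400
192.0.2.10 120 300 410000 140 20000 160 390000
"""
SAMPLE_2 = """\
192.0.2.10 60 10 1500 5 500 5 1000 2
192.0.2.11 60 6 900 3 300 3 600 1
"""

def parse_labels(text):
    """Yield (label, counters) per line; assumes labels contain no whitespace."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 1 + len(FIELDS):
            continue  # blank or truncated line
        try:
            nums = [int(p) for p in parts[1:1 + len(FIELDS)]]
        except ValueError:
            continue  # not a counter line
        yield parts[0], dict(zip(FIELDS, nums))

def store_sample(db, ts, text):
    """Insert one sample; rules sharing a label are summed into one row."""
    totals = {}
    for label, counters in parse_labels(text):
        row = totals.setdefault(label, dict.fromkeys(FIELDS, 0))
        for field in FIELDS:
            row[field] += counters[field]
    db.execute("CREATE TABLE IF NOT EXISTS label_stats (ts INTEGER, label TEXT, "
               + ", ".join(f"{f} INTEGER" for f in FIELDS) + ")")
    db.executemany(
        "INSERT INTO label_stats VALUES (?, ?" + ", ?" * len(FIELDS) + ")",
        [(ts, label, *[c[f] for f in FIELDS]) for label, c in totals.items()])
    db.commit()

def bytes_per_label(db):
    """Total bytes per label; each sample is a delta because -z reset the counters."""
    return dict(db.execute(
        "SELECT label, SUM(bytes) FROM label_stats GROUP BY label"))
```

Because every sample is taken with the counters reset, the rows are per-interval deltas and a plain SUM gives the running total per client address.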