diff --git a/sys/netpfil/pf/pf.c b/netpfil/pf/pf.c
--- a/sys/netpfil/pf/pf.c
+++ b/netpfil/pf/pf.c
@@ -5332,7 +5332,7 @@
 /* check maximums */
 if (r->max_states &&
- (counter_u64_fetch(r->states_cur) >= r->max_states)) {
+ (counter_u64_fetch(r->states_cur) > r->max_states)) {
 counter_u64_add(V_pf_status.lcounters[LCNT_STATES], 1);
 REASON_SET(&reason, PFRES_MAXSTATES);
 goto csfailed;
diff --git a/tests/sys/netpfil/pf/max_states.sh b/sys/netpfil/pf/max_states.sh
--- a/tests/sys/netpfil/pf/max_states.sh
+++ b/sys/netpfil/pf/max_states.sh
@@ -43,10 +43,10 @@
 "pass in on ${epair_tester}b keep state (max 3)" \
 "pass out on ${epair_server}a keep state"
- # The exact limit is off by 1
 ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4201
 ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4202
- ping_dummy_check_request exit:1 --ping-type=tcpsyn --send-sport=4203
+ ping_dummy_check_request exit:0 --ping-type=tcpsyn --send-sport=4203
+ ping_dummy_check_request exit:1 --ping-type=tcpsyn --send-sport=4204
 }
 max_states_cleanup()
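Review bot: The `>` comparison in the max_states check in pf.c lets state creation proceed when `r->states_cur` already equals `r->max_states`, which is the configured limit only if the counter already includes the state being created. Nothing in the hunk shows where `r->states_cur` is incremented, and the enclosing function starts and ends outside the hunk. If the increment happens after this check on any path, the rule would admit max_states + 1 states and loosen a limit that operators rely on to bound state-table growth under load. After confirming the invariant, I would record it above the condition, e.g. `/* states_cur already counts the state being created, hence > rather than >= */`, so the comparison is not later "fixed" back.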
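Review bot: The final probe in max_states.sh (`--send-sport=4204`, expecting `exit:1`) is satisfied by any failure of the probe, not only by the `max 3` limit refusing the state, so the test can pass even if the limit is not what stopped the fourth connection. Consider also asserting on the limit counter that the pf.c hunk bumps (`LCNT_STATES`), or on the number of states the rule holds after the fourth probe. With the old comment removed, a short replacement such as `# max 3: three states are admitted, the fourth must be refused` would record what the sequence checks. The test function body starts outside the hunk.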