>> I'm likely to do the ipfw approach suggested by Wojceich,
>> as soon as I rebuild with "options IPFIREWALL_FORWARD",
>
> This could be done with pf route-to too.

Yes, but ipfw is the most universal, having all the needed things in one place: firewalling, routing, shaping, etc.