Index: branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf
===================================================================
--- branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 10680)
+++ branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 10694)
@@ -54,10 +54,17 @@
 nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if) 
 
-# Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
-rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port http
 
 # Redirect user to captive portal they have not clicked OK yet (6)
 no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
 rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081
+
+# Redirect some internal facing services outside (7)
+rdr on $ext_if inet proto tcp from any to $ext_if port 8081 tag SRV -> 172.16.4.46 port http
+
+# Make the device on WL find the proper gateway back (7)
+nat on ! $ext_if inet from any to $wl_net tagged SRV -> $masterip
+
+# Special allow rules for inbound piercing (7)
+pass in quick on $ext_if inet tagged SRV keep state
 
 # Localhost is considered safe (5)
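Review bot: The new `pass in quick on $ext_if inet tagged SRV keep state` matches on the tag alone, so it is not limited to TCP or to the redirected host and port, and `quick` stops evaluation before any block rule further down in the file. Any later `rdr` that reuses the SRV tag would be opened to `any` without a filter rule of its own. Consider pinning it to the translated destination and logging it, e.g. `pass in log quick on $ext_if inet proto tcp to 172.16.4.46 port http tagged SRV keep state`. Because the `nat on ! $ext_if ... -> $masterip` rule rewrites the source, the service on 172.16.4.46 will presumably see every outside client as $masterip, so the firewall log becomes the only record of the real client address.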
@@ -84,7 +91,4 @@
 pass in on $ext_if from $private to $wl_net keep state
 
-# Allow exposing some (internal) WL Services to the inet - see rdr on top as well (7)
-pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state
-
 # Packets going out are the ones to the internet with an certain limit (1)
 pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
