1. When no route-to is added to the PF rule.

tcpdump on LAN, with port 80 or port 8000:

15:41:45.247575 IP 172.16.1.10.51497 > X.X.X.X.80 (SYN to website)
15:41:45.247741 IP X.X.X.X.80 > 172.16.1.10.51497 (SYN+ACK from website)
15:41:45.247933 IP 172.16.1.10.51497 > X.X.X.X.80 (ACK from my machine)

A second connection is on port 9000 for Captive Portal:

15:41:45.252389 IP 172.16.1.10.51498 > 172.16.1.1.9000 (SYN)
15:41:45.252524 IP 172.16.1.1.9000 > 172.16.1.10.51498 (SYN+ACK)
15:41:45.252700 IP 172.16.1.10.51498 > 172.16.1.1.9000 (ACK)

tcpdump on the loopback has the following:

15:41:45.356778 IP 127.0.0.1.18902 > 127.0.0.1.8999 (SYN)
15:41:45.356885 IP 127.0.0.1.8999 > 127.0.0.1.18902 (SYN+ACK)
15:41:45.356964 IP 127.0.0.1.18902 > 127.0.0.1.8999 (ACK)

2. When route-to is added to PF rule.

15:46:07.667431 IP 172.16.1.10.51542 > X.X.X.X.80 (SYN to website)
15:46:07.923599 IP X.X.X.X.80 > 172.16.1.10.51542 (SYN+ACK from website)
15:46:07.923911 IP 172.16.1.10.51542 > X.X.X.X.80 (ACK)