pfSense

NAT64 rules pass traffic as expected until route-to (aka gateway / policy routing) is added to the rule. When using route-to, two states are created instead of one and the NAT64 state is created on the LAN (vmx1) instead of the WAN (vmx0):

[25.11-DEVELOPMENT][root@pfSense.home.arpa]/root: pfctl -vvss | grep -A5 "64:ff9b::8c52:7104" 
vmx1 ipv6-icmp 10.0.5.200:10003 (fc00:a:a:a:20c:29ff:fe3b:f34f[10003]) -> 140.82.113.4:8 (64:ff9b::8c52:7104[10003])       NO_TRAFFIC:NO_TRAFFIC
   age 00:00:02, expires in 00:00:09, 3:1 pkts, 148:36 bytes, anchor 1, rule 0
   id: 4c00cb6800000000 creatorid: ce55e72d route-to: 10.0.5.1@vmx0
vmx0 icmp 10.0.5.200:10003 -> 140.82.113.4:8       0:0
   age 00:00:01, expires in 00:00:09, 1:1 pkts, 36:36 bytes, anchor 2, rule 1
   id: 4d00cb6800000000 creatorid: ce55e72d route-to: 10.0.5.1@vmx0
[25.11-DEVELOPMENT][root@pfSense.home.arpa]/root: pfctl -vvsr | grep "@[01]\b" 
@0 scrub from any to <vpn_networks:*> fragment no reassemble
@1 scrub from <vpn_networks:*> to any fragment no reassemble
@0 pass in quick on vmx1 route-to (vmx0 10.0.5.1) inet6 proto ipv6-icmp from fc00:a:a:a::/64 to 64:ff9b::/96 keep state (if-bound) label "id=1763394790" label "gw=WAN_DHCP" label "tags=user_rule" ridentifier 1763394790 af-to inet from (vmx0) round-robin
@1 pass out quick all flags S/SA keep state (if-bound)