Redirecting traffic to a bridged ip and port using PF on MacOS

Question

I am trying to redirect localhost traffic on specific port to bridged network ip

I am using following

echo "
rdr pass inet proto tcp from any to any port 9300 -> 192.168.64.29 port 9300
rdr pass inet proto tcp from any to any port 3406 -> 192.168.64.29 port 3406
rdr pass inet proto tcp from any to any port 1234 -> 127.0.0.1 port 8000
" | sudo pfctl -ef -

it works fine for 1234 -> 8000

I had simple Python server running on port 8000

python -m http.server 8000 --bind 127.0.0.1

Visiting http://localhost:1234/ loads server running on 8000 nicely

output of sudo pfctl -s states

ALL tcp 127.0.0.1:8000 <- 127.0.0.1:58791       FIN_WAIT_2:FIN_WAIT_2
ALL tcp 127.0.0.1:8000 <- 127.0.0.1:58792       FIN_WAIT_2:FIN_WAIT_2

But similar rule to redirect 127.0.0.1:9300 -> 192.168.64.29:9300 and 127.0.0.1:3406 -> 192.168.64.29:3406 is not working

I can see SYN_SENT in output of sudo pfctl -s states output

ALL tcp 127.0.0.1:8000 <- 127.0.0.1:58791       FIN_WAIT_2:FIN_WAIT_2
ALL tcp 127.0.0.1:8000 <- 127.0.0.1:58792       FIN_WAIT_2:FIN_WAIT_2
ALL tcp 192.168.64.29:9300 <- 127.0.0.1:9300 <- 127.0.0.1:58796       CLOSED:SYN_SENT
ALL tcp 192.168.64.29:9300 <- 127.0.0.1:9300 <- 127.0.0.1:58797       CLOSED:SYN_SENT

I have read in few thread that I need to enable forwarding but that doesn't seem to work

sudo sysctl -w net.inet.ip.forwarding=1

I have port 9300 and 3406 open on IP 192.168.64.29 which is on bridge100 inet 192.168.64.1 netmask 0xffffff00 broadcast 192.168.64.255

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3406            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:9300            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::2375                 :::*                    LISTEN      -
tcp6       0      0 :::3406                 :::*                    LISTEN      -
tcp6       0      0 :::9300                 :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -

SYN_SENT:CLOSED

• The side showing SYN_SENT has sent a TCP SYN packet but no response has been received from the far side. Often this is due to the packet not reaching its destination, or being blocked along the way.
• https://docs.netgate.com/pfsense/en/latest/monitoring/status/firewall-states-gui.html?highlight=syn_sent

not sure why/if it is being blocked but visiting 192.168.64.29:9300 works fine